sap grc ac5.3 - installation guide
TRANSCRIPT
Installation GuideSAP GRC Access Control 53
Target Audience
n Technology consultantsn Project teams for implementation
PUBLICDocument version 22 ‒ 06072010
Document History
Caution
Before you start the implementation make sure you have the latest version of this document Youcan find the latest version at the following location httpservicesapcominstguidesgt SAPBusinessObjects -gt SAP BusinessObjects Governance Risk Compliance (GRC) -gt Access Control -gtSAP GRC Access Control 53
The following table provides an overview of the most important document changes
Version Date Description
10 2282008 First release of GRC Access Control 53 application including the followingfunctionality Compliant User Provisioning Enterprise Role Management RiskAnalysis and Remediation and Superuser Privilege Management Access Controlruns on a Java application server
20 9302009 Updated content per SP09 Included data mart information
21 12182009 Format conversion
22 672010 Updated content recommendation in Section 51
252 PUBLIC 06072010
Table of Contents
Chapter 1 Introduction 511 Implementation Considerations 512 Naming Conventions 613 Name Changes 6
Chapter 2 Installation Planning 921 Installation Checklists 9
Chapter 3 Installation Preparation 1131 Software Requirements 1132 Documentation Requirements 1333 Host Machine Requirements 1534 Information on the SAP Service Marketplace 16
Chapter 4 Installing the Software 1741 Installing from Downloaded Files or CDs 1742 Installing the Real Time Agent 1743 Running Java Service ProgramManager (JSPM) 1844 Troubleshooting 20
Chapter 5 Post-Installation Configuration 2351 SAP GRC Risk Analysis and Remediation Configuration 2352 SAP GRC Compliant User Provisioning Configuration 2953 SAP GRC Enterprise Role Management Configuration 3154 SAP GRC Superuser Privilege Management 3355 Single Launch Pad 3456 Connecting a Standalone J2EE System to a Server 34
Chapter 6 Post-System Copy Configuration 3761 SAP GRC Risk Analysis and Remediation 3762 UME Activities 3763 SAP GRC Compliant User Provisioning 3864 SAP GRC Enterprise Role Management Configuration 3965 SAP GRC Enterprise Role Management Configuration 39
06072010 PUBLIC 352
Chapter 7 Appendix 4171 SAP GRC Access Control 53 Component Contents 4172 Using the Visual Administrator to Configure an SLD Data Supplier 4273 Configuring the Internet Graphics Server 4374 Using Java Service ProgramManager 44
Chapter A Reference 45A1 The Main SAP Documentation Types 45
452 PUBLIC 06072010
1 Introduction
1 Introduction
SAP GRC Access Control is an enterprise application that provides end-to-end automation fordocumenting detecting remediating mitigating and preventing access and authorization risk acrossthe enterprise resulting in proper segregation of duties (SoD) lower costs reduced risk and betterbusiness performance The Access Control application includes the following four capabilities
n Risk Analysis and Remediation supports real time compliance to detect remove and preventaccess and authorization risk by preventing security and control violations before they occur
n SAP GRC Compliant User Provisioning automates provisioning tests for SoD risks andstreamlines approvals to unburden IT staff and provide a complete history of user access
n SAP GRC Enterprise Role Management standardizes and centralizes role creation andmaintenance
n Superuser Privilege Management enables users to perform emergency activities outside theirroles as a privileged user in a controlled and auditable environment
SAP GRCAccess Control supports companies in complying with Sarbanes-Oxley and other regulatorymandates by enabling organizations to rapidly identify and remove authorization risks from ITsystems It identifies and prevents SoD violations from being introduced without proper approval andmitigation by embedding preventive controls into business processes
11 Implementation Considerations
As of SAP NetWeaver Release 2004s Java Support Package Manager (JSPM) is used to implementsupport package stacks Java support packages and to install additional components such as SAP ERPSAP Customer Relationship Management and SAP Supplier Relationship Management
Note
The Software Deployment Manager (SDM) is no longer used however if you have a previous versionof SAP GRC Access Control installed you must uninstall it with the SDM before you can install SAPGRC Access Control 53 For more information see the SAP GRC Access Control 53 Upgrade Guide
If you want to install SAP GRC Access Control 53 in the context of the implementation of anSAP Business Suite or one of its business scenarios you must familiarize yourself with the thatsolutionrsquosMaster Guide before you begin the installation TheMaster Guide is the central document forimplementing SAP Business Suite solutions and scenarios It lists the components and third-party
06072010 PUBLIC 552
1 Introduction12 Naming Conventions
applications that are required by each business scenario and refers to the appropriate installation andupgrade guides It also defines the installation sequence for the business scenarios
12 Naming Conventions
In this documentation the following naming conventions apply
Variables Description
ltSAPSIDgt SAP system ID in uppercase letters
ltsapsidgt SAP system ID in lowercase letters
ltDBSIDgt Database system ID in uppercase letters
ltdbsidgt Database system ID in lowercase letters
ltJSPM_INSTDIRgt Installation directory for the SAP installation toolJSPM
ltINSTDIRgt Installation directory for SAP system
ltCD-DIRgt Directory on which a CD is mounted
ltOSgt Operating system name within a path
ltinstallation_CDgt The CD from which you are installing
The following examples show how the variables are used
Example
n Log on as user ltsapsidgtadm and change to the directory usrsapltSAPSIDgt If your SAP systemID is C11 log on as user c11adm and change to the directory usrsapC11
n Change to the directoryltCD-DIRgtUNIXltOSgt If the CD is mounted on sapcd1 and youroperating system is AIX change to sapcd1UNIXAIX_64
13 Name Changes
The names of the SAP GRC Access Control 53 components have changed from the previous releaseSee the table below for the new names
Previous Name SAP GRC Access Control 53 Name
Compliance Calibrator SAP GRC Risk Analysis and Remediation
Access Enforcer SAP GRC Compliant User Provisioning
652 PUBLIC 06072010
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
Document History
Caution
Before you start the implementation make sure you have the latest version of this document Youcan find the latest version at the following location httpservicesapcominstguidesgt SAPBusinessObjects -gt SAP BusinessObjects Governance Risk Compliance (GRC) -gt Access Control -gtSAP GRC Access Control 53
The following table provides an overview of the most important document changes
Version Date Description
10 2282008 First release of GRC Access Control 53 application including the followingfunctionality Compliant User Provisioning Enterprise Role Management RiskAnalysis and Remediation and Superuser Privilege Management Access Controlruns on a Java application server
20 9302009 Updated content per SP09 Included data mart information
21 12182009 Format conversion
22 672010 Updated content recommendation in Section 51
252 PUBLIC 06072010
Table of Contents
Chapter 1 Introduction 511 Implementation Considerations 512 Naming Conventions 613 Name Changes 6
Chapter 2 Installation Planning 921 Installation Checklists 9
Chapter 3 Installation Preparation 1131 Software Requirements 1132 Documentation Requirements 1333 Host Machine Requirements 1534 Information on the SAP Service Marketplace 16
Chapter 4 Installing the Software 1741 Installing from Downloaded Files or CDs 1742 Installing the Real Time Agent 1743 Running Java Service ProgramManager (JSPM) 1844 Troubleshooting 20
Chapter 5 Post-Installation Configuration 2351 SAP GRC Risk Analysis and Remediation Configuration 2352 SAP GRC Compliant User Provisioning Configuration 2953 SAP GRC Enterprise Role Management Configuration 3154 SAP GRC Superuser Privilege Management 3355 Single Launch Pad 3456 Connecting a Standalone J2EE System to a Server 34
Chapter 6 Post-System Copy Configuration 3761 SAP GRC Risk Analysis and Remediation 3762 UME Activities 3763 SAP GRC Compliant User Provisioning 3864 SAP GRC Enterprise Role Management Configuration 3965 SAP GRC Enterprise Role Management Configuration 39
06072010 PUBLIC 352
Chapter 7 Appendix 4171 SAP GRC Access Control 53 Component Contents 4172 Using the Visual Administrator to Configure an SLD Data Supplier 4273 Configuring the Internet Graphics Server 4374 Using Java Service ProgramManager 44
Chapter A Reference 45A1 The Main SAP Documentation Types 45
452 PUBLIC 06072010
1 Introduction
1 Introduction
SAP GRC Access Control is an enterprise application that provides end-to-end automation fordocumenting detecting remediating mitigating and preventing access and authorization risk acrossthe enterprise resulting in proper segregation of duties (SoD) lower costs reduced risk and betterbusiness performance The Access Control application includes the following four capabilities
n Risk Analysis and Remediation supports real time compliance to detect remove and preventaccess and authorization risk by preventing security and control violations before they occur
n SAP GRC Compliant User Provisioning automates provisioning tests for SoD risks andstreamlines approvals to unburden IT staff and provide a complete history of user access
n SAP GRC Enterprise Role Management standardizes and centralizes role creation andmaintenance
n Superuser Privilege Management enables users to perform emergency activities outside theirroles as a privileged user in a controlled and auditable environment
SAP GRCAccess Control supports companies in complying with Sarbanes-Oxley and other regulatorymandates by enabling organizations to rapidly identify and remove authorization risks from ITsystems It identifies and prevents SoD violations from being introduced without proper approval andmitigation by embedding preventive controls into business processes
11 Implementation Considerations
As of SAP NetWeaver Release 2004s Java Support Package Manager (JSPM) is used to implementsupport package stacks Java support packages and to install additional components such as SAP ERPSAP Customer Relationship Management and SAP Supplier Relationship Management
Note
The Software Deployment Manager (SDM) is no longer used however if you have a previous versionof SAP GRC Access Control installed you must uninstall it with the SDM before you can install SAPGRC Access Control 53 For more information see the SAP GRC Access Control 53 Upgrade Guide
If you want to install SAP GRC Access Control 53 in the context of the implementation of anSAP Business Suite or one of its business scenarios you must familiarize yourself with the thatsolutionrsquosMaster Guide before you begin the installation TheMaster Guide is the central document forimplementing SAP Business Suite solutions and scenarios It lists the components and third-party
06072010 PUBLIC 552
1 Introduction12 Naming Conventions
applications that are required by each business scenario and refers to the appropriate installation andupgrade guides It also defines the installation sequence for the business scenarios
12 Naming Conventions
In this documentation the following naming conventions apply
Variables Description
ltSAPSIDgt SAP system ID in uppercase letters
ltsapsidgt SAP system ID in lowercase letters
ltDBSIDgt Database system ID in uppercase letters
ltdbsidgt Database system ID in lowercase letters
ltJSPM_INSTDIRgt Installation directory for the SAP installation toolJSPM
ltINSTDIRgt Installation directory for SAP system
ltCD-DIRgt Directory on which a CD is mounted
ltOSgt Operating system name within a path
ltinstallation_CDgt The CD from which you are installing
The following examples show how the variables are used
Example
n Log on as user ltsapsidgtadm and change to the directory usrsapltSAPSIDgt If your SAP systemID is C11 log on as user c11adm and change to the directory usrsapC11
n Change to the directoryltCD-DIRgtUNIXltOSgt If the CD is mounted on sapcd1 and youroperating system is AIX change to sapcd1UNIXAIX_64
13 Name Changes
The names of the SAP GRC Access Control 53 components have changed from the previous releaseSee the table below for the new names
Previous Name SAP GRC Access Control 53 Name
Compliance Calibrator SAP GRC Risk Analysis and Remediation
Access Enforcer SAP GRC Compliant User Provisioning
652 PUBLIC 06072010
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
Table of Contents
Chapter 1 Introduction 511 Implementation Considerations 512 Naming Conventions 613 Name Changes 6
Chapter 2 Installation Planning 921 Installation Checklists 9
Chapter 3 Installation Preparation 1131 Software Requirements 1132 Documentation Requirements 1333 Host Machine Requirements 1534 Information on the SAP Service Marketplace 16
Chapter 4 Installing the Software 1741 Installing from Downloaded Files or CDs 1742 Installing the Real Time Agent 1743 Running Java Service ProgramManager (JSPM) 1844 Troubleshooting 20
Chapter 5 Post-Installation Configuration 2351 SAP GRC Risk Analysis and Remediation Configuration 2352 SAP GRC Compliant User Provisioning Configuration 2953 SAP GRC Enterprise Role Management Configuration 3154 SAP GRC Superuser Privilege Management 3355 Single Launch Pad 3456 Connecting a Standalone J2EE System to a Server 34
Chapter 6 Post-System Copy Configuration 3761 SAP GRC Risk Analysis and Remediation 3762 UME Activities 3763 SAP GRC Compliant User Provisioning 3864 SAP GRC Enterprise Role Management Configuration 3965 SAP GRC Enterprise Role Management Configuration 39
06072010 PUBLIC 352
Chapter 7 Appendix 4171 SAP GRC Access Control 53 Component Contents 4172 Using the Visual Administrator to Configure an SLD Data Supplier 4273 Configuring the Internet Graphics Server 4374 Using Java Service ProgramManager 44
Chapter A Reference 45A1 The Main SAP Documentation Types 45
452 PUBLIC 06072010
1 Introduction
1 Introduction
SAP GRC Access Control is an enterprise application that provides end-to-end automation fordocumenting detecting remediating mitigating and preventing access and authorization risk acrossthe enterprise resulting in proper segregation of duties (SoD) lower costs reduced risk and betterbusiness performance The Access Control application includes the following four capabilities
n Risk Analysis and Remediation supports real time compliance to detect remove and preventaccess and authorization risk by preventing security and control violations before they occur
n SAP GRC Compliant User Provisioning automates provisioning tests for SoD risks andstreamlines approvals to unburden IT staff and provide a complete history of user access
n SAP GRC Enterprise Role Management standardizes and centralizes role creation andmaintenance
n Superuser Privilege Management enables users to perform emergency activities outside theirroles as a privileged user in a controlled and auditable environment
SAP GRCAccess Control supports companies in complying with Sarbanes-Oxley and other regulatorymandates by enabling organizations to rapidly identify and remove authorization risks from ITsystems It identifies and prevents SoD violations from being introduced without proper approval andmitigation by embedding preventive controls into business processes
11 Implementation Considerations
As of SAP NetWeaver Release 2004s Java Support Package Manager (JSPM) is used to implementsupport package stacks Java support packages and to install additional components such as SAP ERPSAP Customer Relationship Management and SAP Supplier Relationship Management
Note
The Software Deployment Manager (SDM) is no longer used however if you have a previous versionof SAP GRC Access Control installed you must uninstall it with the SDM before you can install SAPGRC Access Control 53 For more information see the SAP GRC Access Control 53 Upgrade Guide
If you want to install SAP GRC Access Control 53 in the context of the implementation of anSAP Business Suite or one of its business scenarios you must familiarize yourself with the thatsolutionrsquosMaster Guide before you begin the installation TheMaster Guide is the central document forimplementing SAP Business Suite solutions and scenarios It lists the components and third-party
06072010 PUBLIC 552
1 Introduction12 Naming Conventions
applications that are required by each business scenario and refers to the appropriate installation andupgrade guides It also defines the installation sequence for the business scenarios
12 Naming Conventions
In this documentation the following naming conventions apply
Variables Description
ltSAPSIDgt SAP system ID in uppercase letters
ltsapsidgt SAP system ID in lowercase letters
ltDBSIDgt Database system ID in uppercase letters
ltdbsidgt Database system ID in lowercase letters
ltJSPM_INSTDIRgt Installation directory for the SAP installation toolJSPM
ltINSTDIRgt Installation directory for SAP system
ltCD-DIRgt Directory on which a CD is mounted
ltOSgt Operating system name within a path
ltinstallation_CDgt The CD from which you are installing
The following examples show how the variables are used
Example
n Log on as user ltsapsidgtadm and change to the directory usrsapltSAPSIDgt If your SAP systemID is C11 log on as user c11adm and change to the directory usrsapC11
n Change to the directoryltCD-DIRgtUNIXltOSgt If the CD is mounted on sapcd1 and youroperating system is AIX change to sapcd1UNIXAIX_64
13 Name Changes
The names of the SAP GRC Access Control 53 components have changed from the previous releaseSee the table below for the new names
Previous Name SAP GRC Access Control 53 Name
Compliance Calibrator SAP GRC Risk Analysis and Remediation
Access Enforcer SAP GRC Compliant User Provisioning
652 PUBLIC 06072010
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
Chapter 7 Appendix 4171 SAP GRC Access Control 53 Component Contents 4172 Using the Visual Administrator to Configure an SLD Data Supplier 4273 Configuring the Internet Graphics Server 4374 Using Java Service ProgramManager 44
Chapter A Reference 45A1 The Main SAP Documentation Types 45
452 PUBLIC 06072010
1 Introduction
1 Introduction
SAP GRC Access Control is an enterprise application that provides end-to-end automation fordocumenting detecting remediating mitigating and preventing access and authorization risk acrossthe enterprise resulting in proper segregation of duties (SoD) lower costs reduced risk and betterbusiness performance The Access Control application includes the following four capabilities
n Risk Analysis and Remediation supports real time compliance to detect remove and preventaccess and authorization risk by preventing security and control violations before they occur
n SAP GRC Compliant User Provisioning automates provisioning tests for SoD risks andstreamlines approvals to unburden IT staff and provide a complete history of user access
n SAP GRC Enterprise Role Management standardizes and centralizes role creation andmaintenance
n Superuser Privilege Management enables users to perform emergency activities outside theirroles as a privileged user in a controlled and auditable environment
SAP GRCAccess Control supports companies in complying with Sarbanes-Oxley and other regulatorymandates by enabling organizations to rapidly identify and remove authorization risks from ITsystems It identifies and prevents SoD violations from being introduced without proper approval andmitigation by embedding preventive controls into business processes
11 Implementation Considerations
As of SAP NetWeaver Release 2004s Java Support Package Manager (JSPM) is used to implementsupport package stacks Java support packages and to install additional components such as SAP ERPSAP Customer Relationship Management and SAP Supplier Relationship Management
Note
The Software Deployment Manager (SDM) is no longer used however if you have a previous versionof SAP GRC Access Control installed you must uninstall it with the SDM before you can install SAPGRC Access Control 53 For more information see the SAP GRC Access Control 53 Upgrade Guide
If you want to install SAP GRC Access Control 53 in the context of the implementation of anSAP Business Suite or one of its business scenarios you must familiarize yourself with the thatsolutionrsquosMaster Guide before you begin the installation TheMaster Guide is the central document forimplementing SAP Business Suite solutions and scenarios It lists the components and third-party
06072010 PUBLIC 552
1 Introduction12 Naming Conventions
applications that are required by each business scenario and refers to the appropriate installation andupgrade guides It also defines the installation sequence for the business scenarios
12 Naming Conventions
In this documentation the following naming conventions apply
Variables Description
ltSAPSIDgt SAP system ID in uppercase letters
ltsapsidgt SAP system ID in lowercase letters
ltDBSIDgt Database system ID in uppercase letters
ltdbsidgt Database system ID in lowercase letters
ltJSPM_INSTDIRgt Installation directory for the SAP installation toolJSPM
ltINSTDIRgt Installation directory for SAP system
ltCD-DIRgt Directory on which a CD is mounted
ltOSgt Operating system name within a path
ltinstallation_CDgt The CD from which you are installing
The following examples show how the variables are used
Example
n Log on as user ltsapsidgtadm and change to the directory usrsapltSAPSIDgt If your SAP systemID is C11 log on as user c11adm and change to the directory usrsapC11
n Change to the directoryltCD-DIRgtUNIXltOSgt If the CD is mounted on sapcd1 and youroperating system is AIX change to sapcd1UNIXAIX_64
13 Name Changes
The names of the SAP GRC Access Control 53 components have changed from the previous releaseSee the table below for the new names
Previous Name SAP GRC Access Control 53 Name
Compliance Calibrator SAP GRC Risk Analysis and Remediation
Access Enforcer SAP GRC Compliant User Provisioning
652 PUBLIC 06072010
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
1 Introduction
1 Introduction
SAP GRC Access Control is an enterprise application that provides end-to-end automation fordocumenting detecting remediating mitigating and preventing access and authorization risk acrossthe enterprise resulting in proper segregation of duties (SoD) lower costs reduced risk and betterbusiness performance The Access Control application includes the following four capabilities
n Risk Analysis and Remediation supports real time compliance to detect remove and preventaccess and authorization risk by preventing security and control violations before they occur
n SAP GRC Compliant User Provisioning automates provisioning tests for SoD risks andstreamlines approvals to unburden IT staff and provide a complete history of user access
n SAP GRC Enterprise Role Management standardizes and centralizes role creation andmaintenance
n Superuser Privilege Management enables users to perform emergency activities outside theirroles as a privileged user in a controlled and auditable environment
SAP GRCAccess Control supports companies in complying with Sarbanes-Oxley and other regulatorymandates by enabling organizations to rapidly identify and remove authorization risks from ITsystems It identifies and prevents SoD violations from being introduced without proper approval andmitigation by embedding preventive controls into business processes
11 Implementation Considerations
As of SAP NetWeaver Release 2004s Java Support Package Manager (JSPM) is used to implementsupport package stacks Java support packages and to install additional components such as SAP ERPSAP Customer Relationship Management and SAP Supplier Relationship Management
Note
The Software Deployment Manager (SDM) is no longer used however if you have a previous versionof SAP GRC Access Control installed you must uninstall it with the SDM before you can install SAPGRC Access Control 53 For more information see the SAP GRC Access Control 53 Upgrade Guide
If you want to install SAP GRC Access Control 53 in the context of the implementation of anSAP Business Suite or one of its business scenarios you must familiarize yourself with the thatsolutionrsquosMaster Guide before you begin the installation TheMaster Guide is the central document forimplementing SAP Business Suite solutions and scenarios It lists the components and third-party
06072010 PUBLIC 552
1 Introduction12 Naming Conventions
applications that are required by each business scenario and refers to the appropriate installation andupgrade guides It also defines the installation sequence for the business scenarios
12 Naming Conventions
In this documentation the following naming conventions apply
Variables Description
ltSAPSIDgt SAP system ID in uppercase letters
ltsapsidgt SAP system ID in lowercase letters
ltDBSIDgt Database system ID in uppercase letters
ltdbsidgt Database system ID in lowercase letters
ltJSPM_INSTDIRgt Installation directory for the SAP installation toolJSPM
ltINSTDIRgt Installation directory for SAP system
ltCD-DIRgt Directory on which a CD is mounted
ltOSgt Operating system name within a path
ltinstallation_CDgt The CD from which you are installing
The following examples show how the variables are used
Example
n Log on as user ltsapsidgtadm and change to the directory usrsapltSAPSIDgt If your SAP systemID is C11 log on as user c11adm and change to the directory usrsapC11
n Change to the directoryltCD-DIRgtUNIXltOSgt If the CD is mounted on sapcd1 and youroperating system is AIX change to sapcd1UNIXAIX_64
13 Name Changes
The names of the SAP GRC Access Control 53 components have changed from the previous releaseSee the table below for the new names
Previous Name SAP GRC Access Control 53 Name
Compliance Calibrator SAP GRC Risk Analysis and Remediation
Access Enforcer SAP GRC Compliant User Provisioning
652 PUBLIC 06072010
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
1 Introduction12 Naming Conventions
applications that are required by each business scenario and refers to the appropriate installation andupgrade guides It also defines the installation sequence for the business scenarios
12 Naming Conventions
In this documentation the following naming conventions apply
Variables Description
ltSAPSIDgt SAP system ID in uppercase letters
ltsapsidgt SAP system ID in lowercase letters
ltDBSIDgt Database system ID in uppercase letters
ltdbsidgt Database system ID in lowercase letters
ltJSPM_INSTDIRgt Installation directory for the SAP installation toolJSPM
ltINSTDIRgt Installation directory for SAP system
ltCD-DIRgt Directory on which a CD is mounted
ltOSgt Operating system name within a path
ltinstallation_CDgt The CD from which you are installing
The following examples show how the variables are used
Example
n Log on as user ltsapsidgtadm and change to the directory usrsapltSAPSIDgt If your SAP systemID is C11 log on as user c11adm and change to the directory usrsapC11
n Change to the directoryltCD-DIRgtUNIXltOSgt If the CD is mounted on sapcd1 and youroperating system is AIX change to sapcd1UNIXAIX_64
13 Name Changes
The names of the SAP GRC Access Control 53 components have changed from the previous releaseSee the table below for the new names
Previous Name SAP GRC Access Control 53 Name
Compliance Calibrator SAP GRC Risk Analysis and Remediation
Access Enforcer SAP GRC Compliant User Provisioning
652 PUBLIC 06072010
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
1 Introduction13 Name Changes
Previous Name SAP GRC Access Control 53 Name
Role Expert SAP GRC Enterprise Role Management
Firefighter SAP GRC Superuser Privilege Management
06072010 PUBLIC 752
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
This page is left blank for documentsthat are printed on both sides
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
2 Installation Planning
2 Installation Planning
21 Installation Checklists
This guide describes the four phases for installing your SAP system planning preparationinstallation and post-installation configurationYou can use the following checklists to track your installation progress Follow the steps sequentiallyand check off each item as you complete it
Installation Planning Checklist
Acquire and read the documentation required for this installation
Acquire and read the required SAP Notes that are mentioned in this guide before you startthe installation
Verify that you have the hardware required for this installation
Installation Preparation Checklist
Download the files to be installed or
Obtain the installation CD
Installation Process Checklist
Run JSPM to install the components
Post-Installation Checklist
Configure the installation as described in Chapter 5 Post-Installation Configuration
06072010 PUBLIC 952
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
This page is left blank for documentsthat are printed on both sides
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
3 Installation Preparation
3 Installation Preparation
31 Software Requirements
SAP GRC Access Control communicates with multiple systems Therefore we recommend that youuse HTTPS communication protocol for secure communications You install the following softwareby either downloading the files or by using a CD that SAP supplies
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service (SAP IGS) R Used for graphsthat display onmanagement reports
Enterprise Portal RO Enterprise Portal is anoptional componentof SAP NetWeaver70 (2004s) SP 12It is required ifyou install theEnterprise Portal RTA(VIREPRTA00_0sca)
VIRCC00_0sca ‒ SAP GRC Risk Analysis and RemediationVIRAE00_0sca - SAP GRC Compliant User ProvisioningVIRRE00_0sca - Enterprise Role Manager VIRFF00_0sca -Superuser Privilege Management
R These files containthe four SAP GRCAccess Control 53capabilities All arerequired
VIRSANH and VIRSAHR R These are the SAPGRC Access ControlReal Time Agent(RTA) componentsYou install one or bothof them depending onwhether or not youhave SAP_HR installedon your system
06072010 PUBLIC 1152
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
3 Installation Preparation31 Software Requirements
Software Files RequiredOptional Comment
VIREPRTA00_0sca O The Enterprise PortalRTA which residesin this file must beinstalled to enabledata extraction forSAPGRCRiskAnalysisand Remediation andSAP GRC CompliantUser Provisioning Ifyou install this fileyou must also installthe Enterprise PortalNetWeaver 70 SP 12
VIRACLP00_0sca OR The Single launchpad is an optionalcomponent Howeverit is required if youplan to use the datamart functionalityFormore informationsee SAP Note 1369045AC Data Mart DesignDescription The RARcomponent is alsorequired for datamart usage Werecommend thatyou install the fileon the same databaseinstance where RARresides
VIRACCNTNTSAR R SAP GRC AccessControl contentfile Contains themaster data forpost-installationconfiguration
The following prerequisites must be met for SAP ERP systems that integrate with SAP GRC AccessControl 53 Real Time Agents (RTAs)
If your SAP ERP system is at release The support pack level must be at
46C SAP BASIS Support Pack Stack level 44 SAP Note1246567
470 SAP BASIS Support Pack Stack level 26 SAP Note1247785
1252 PUBLIC 06072010
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
3 Installation Preparation32 Documentation Requirements
If your SAP ERP system is at release The support pack level must be at
04 SAP BASIS Support Pack Stack level 9 SAP Note1252111
60 SAP BASIS Support Pack Stack level 6 SAP Note1247361
32 Documentation Requirements
You need the SAP RTA Installation Notes for the installation
PrerequisitesThis section lists the SAP Notes that you need for your installation Read them before you startinstalling because they contain the most recent implementation information as well as anycorrections to this installation documentation
Note
You can find the current version of each SAP Note on the SAP Service Marketplace atservicesapcomnotes
You use a different set of SAP Notes depending on whether or not you have SAP_HR on your systemRefer to the tables to determine the SAP Notes for your system
If SAP_HR is Installed
SAP Note Number Title Description
1133162 Install Delta Upgrade on SAP R346C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon an SAP R3 46C system
1133164 Install Delta Upgrade on SAP R3Enterprise 47
Use this information wheninstalling any SAP GRC AccessControl application on an SAP R3Enterprise 47 system
1133166 Install Delta Upgrade on SAP ECC500
Use this information wheninstalling any SAP GRC AccessControl application on an SAPECC 500 system
1133168 Install Delta Upgrade on SAP ECC60
Use transaction SAINT to installan add-on on Release SAP ERPCentral Component ECC 600 (SAPECC 600)
06072010 PUBLIC 1352
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
3 Installation Preparation32 Documentation Requirements
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
If SAP_HR is Not Installed
SAP Note Number Title Description
1133161 Install Delta Upgrade onSAP_BASIS 46C
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationon your SAP_BASIS 46C system
1133163 Install Delta Upgrade onSAP_BASIS 620
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 620 system
1133165 Install Delta Upgrade onSAP_BASIS 640
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson your SAP_BASIS 640 system
1133167 Install Delta Upgrade onSAP_BASIS 700
Use this information wheninstalling or upgrading any SAPGRC Access Control applicationson an SAP_BASIS 700 system
Support Pack Notes
SAP Note Number Description
1168120 Risk Analysis and Remediation Support Pack
1168121 Superuser Privilege Management Support Pack
1168183 Enterprise Role Management Support Pack
1452 PUBLIC 06072010
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
3 Installation Preparation33 Host Machine Requirements
SAP Note Number Description
1168508 Compliant User Provisioning Support Pack
1174625 Access Control 53 Java Support Pack Installation
1281775 Installing Access Control Java Support Packages
33 Host Machine Requirements
The host machine must meet the following requirements
Requirement Type Requirement
Hardware Requirements n Machine = Server basedn Dual Processors = 24‒32 GHz or fastern RAM = 4 GBn Hard Disk = 40 GB Minimum (120 GB
Recommended)
NoteFor hard disk capacity 40 GB is adequate Howeverdepending on how many users and requests youprocess SAP GRC Access Control 53 can consume40 GB of storage in approximately one year Oncethe drive is full you need to either archive thedata or migrate to a larger drive For this reasonwe recommend that you install SAP GRC AccessControl 53 on a drive of at least 120 GB or larger
Software Requirements Operating Systemsn Windows 2000 Servern Windows 2000 Advanced Servern Windows 2003 Server (StandardEnterpriseWeb)n Red Hat Linux Enterprise Server 50n UnixJava Runtime Environment = JRE version 14WebApplication server = SAPWeb Application Server 700 ‒ SP12 or above withJavaJ2EE Stack
06072010 PUBLIC 1552
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
3 Installation Preparation34 Information on the SAP Service Marketplace
Requirement Type Requirement
Configuration Requirements In addition to the basic hardware and softwarerequirements the SAP GRC Access Control 53installation also requires certain configurationsettings After you have completed installing read thechapter Post-Installation Configuration [external document]and follow the steps to configure SAP GRC AccessControl 53
Memory Settings To ensure that the SAP GRC Access Control 53installation does not encounter an out-of-memorycondition you must set your memory parametersYou do this using the Configuration Tool that isinstalled along with SAP NetWeaver 70 (2004s) SP12The command you use to launch the ConfigurationTool depends on your operating systemn If you are running the Unix or Linux operating
systems use usrsapltSIDgtDVEBMGS00j2eeconfigtoolconfigtoolsh
n If you are running the Windows operating systemuse usrsapJSAJC00j2eeconfigtoolconfigtoolbat
1 In the Configuration Tool navigate to the serverinstance for which you wish to set the memoryparameters and select the server by its servernumber
2 Under the General tab add or change memoryparameters as required For more information onmemory settings see SAP Note 723909
34 Information on the SAP Service Marketplace
Go to the SAP Service Marketplace for information on the following topics
Description Internet Address
SAP Notes servicesapcomnotes
Released platforms servicesapcomplatforms
Technical infrastructure ‒ configuration scenariosand related aspects such as security load balancingavailability and caching
servicesapcomti
Network infrastructure servicesapcomnetwork
System sizing servicesapcomsizing
Front-end installation servicesapcominstguides
Security servicesapcomsecurity
1652 PUBLIC 06072010
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
4 Installing the Software
4 Installing the Software
41 Installing from Downloaded Files or CDs
You may install SAP GRC Access Control 53 either from CDs that you obtain from SAP or from filesthat you download from the SAP Service Marketplace If you want to install from CDs obtain theCDs from SAP If you want to download the files follow the steps below
Procedure
1 Go to the SAP Service Marketplace at servicesapcom2 Under SAP Support Portal select Software Download3 In the left navigation bar click Download to expand the menu4 Click Installations and Upgrades to expand the menu5 Click Entry by Application Group6 Click SAP Solutions for Governance Risk and Compliance7 Click SAP GRC Access Control8 Click SAP GRC Access Control9 Click SAP GRC Access Control 5310 Click Install and Upgrade11 Select the platform for your server12 Select the appropriate database component for your installation13 Select SAP GRC Access Control 53 and click Add to Download Basket14 Follow the online systemrsquos instructions to complete the download process
Note
For more information about the individual SAP GRC Access Control 53 files that are contained inthe download see the SAP GRC Access Control 53 Component Contents [page 41]
42 Installing the Real Time Agent
The SAP GRC Access Control Real Time Agent (RTA) is in the VIRSANH and VIRSAHR files Youinstall one or both of the files depending on whether or not you have the SAP_HR componenton your system
06072010 PUBLIC 1752
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
4 Installing the Software43 Running Java Service Program Manager (JSPM)
n If SAP_HR is installed first install the file VIRSANH 53 RTA and then install VIRSAHR 53 RTAEven if SAP HR is not used if it is installed VIRSAHR must be installed
Note
You must also install all support packages for VIRSANH and VIRSAHR
n If SAP_HR is not installed only install VIRSANH 53 RTA
Note
You must also so install all support packages for VIRSANH
Caution
Do not install VIRSAHR on a system that does not have SAP_HR
Once you have downloaded the files to install SAP GRC Access Control 53 place them in a specificfolder so the JSPM installer can find them Copy the sca files to usrsaptransEPSin Once you havedone this you are ready to begin installing SAP GRC Access Control 53
43 Running Java Service Program Manager (JSPM)
This section tells you how to run JSPM to install one or more SAP instances
Note
JSPMmust be run as ltsidgt adm user In versions prior to 53 SAP GRC Access Control used theSoftware Deployment Manager (SDM) to install and uninstall the software components As ofversion 53 SAP GRC Access Control uses Java Service Package Manager (JSPM) to install (deploy inJSPM terms) but it still uses SDM to uninstall
PrerequisitesYou have downloaded the SAP GRC Access Control 53 installation files and placed them in the JSPMInbox in the directory usrsaptransEPSin
ProcedureLaunch the JSPM which is found in the following directory usrsapltSIDgtltCDgtj2eeJSPMgobatJSPM scans the directory that contains the installation files (usrsaptransEPSin) Using the JSPMInstaller follow the steps below
1 Select Package Type Click New Software components Click the radio button to specify the systemrole and whether or not the system is under NWDI Click Next
1852 PUBLIC 06072010
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
4 Installing the Software43 Running Java Service Program Manager (JSPM)
2 Specify Queue Select the software components that you want to install from the table belowYou install them in the order in which they occur in the table
Software Files RequiredOptional Comment
SAP NetWeaver 70 (2004s) SP 12 R None
SAP Internet Graphics Service(SAP IGS)
R SAP IGS is included in SAPNetWeaver and is used for graphsthat display on managementreports
Enterprise Portal RO Enterprise Portal is an optionalcomponent of SAP NetWeaver 70(2004s) SP 12 It is required if youinstall the file VIREPRTA00_0sca
VIRCC00_0sca ‒ SAP GRC RiskAnalysis and RemediationVIRAE00_0sca - SAP GRCCompliant User ProvisioningVIRRE00_0sca - Enterprise RoleManagerVIRFF00_0sca - SuperuserPrivilege Management
R These files contain the fourSAP GRC Access Control 53capabilities All are requiredFor more information aboutpost-installation configurationsee the Post-Installation Configuration[external document] chapter
VIRSANH and VIRSAHR R These are the SAP GRC AccessControl Real Time Agent (RTA)components You install oneor both of them depending onwhether or not you have SAP_HRinstalled on your system Formore information see the SoftwareRequirements [page 11] section
VIREPRTA00_0sca O The Enterprise Portal RTAwhich resides in this file must beinstalled to enable data extractionfor SAP GRC Risk Analysis andRemediation and for SAP GRCCompliant User Provisioning Ifyou install this file you mustalso install the Enterprise PortalNetWeaver 70 SP 12
06072010 PUBLIC 1952
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
4 Installing the Software44 Troubleshooting
Software Files RequiredOptional Comment
VIRACLP00_0sca O The Single launch pad is anoptional component However itis required if you plan to use thedata mart functionality The RARcomponent is also required fordata mart usage We recommendthat you install the file on thesame database instance whereRAR resides No additionalpost-configuration is needed Formore information see the SingleLaunch Pad [page 34] section
VIRACCNTNTSAR R SAP GRC Access Control contentfile It contains themaster data forpost-installation configuration
3 Click Next4 Check the Queue Monitor the installation5 Finished
Repeat this procedure for each of the four SAP GRC Access Control 53 capabilities and for the Singlelaunch pad The Single launch pad acts as a home page for SAP GRC Access Control 53 Fromhere you can launch any of the four capabilities
44 Troubleshooting
If an error occurs the first step in troubleshooting is to look at the JSPM logs to see what went wrongThe logs are stored in the directory usrsapltSIDgtltCIgtj2eeJSPMlog Use the Logs tab in the JSPMwindow to view the logs There are two kinds of JSPM logs
n LOG - contain log messagesn OUT amp ERR ‒ contain standard output and error streams from external processes
Using the JSPM Log Viewer
You have the option of using a standalone log viewer that you launch with the log viewer scriptin usrsapltSIDgtltCIgtj2eeadminlogviewer-standalone Launch the script then choose File Add aFile gt and browse for the desired log file You may need to select All Files in the file type filter toview the files For more information about the standalone log viewer see the Logviewer_Userguidepdfin the same directory
Tips for Troubleshooting in JSPM
The primary causes of problems in JSPM are
2052 PUBLIC 06072010
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
4 Installing the Software44 Troubleshooting
n J2EE engine runs out of memoryn The J2EE engine administrator password has been changedn JSPM hangs during deployment
You can use the following SAP Notes to help research installation issues
SAP Notes Concerning Installation Problems
Note Title
129813 NT Problems due to address space fragmentation
736462 Problems increasingXmx onWindows 32 bit platforms
861215 Recommended Settings for the Linux onAMD64EM64T JVM
851251 SAP NetWeaver 2004s Installation on UNIX Java -JSPM sapstart cannot be found
723909 Java VM settings for J2EE 63064070
709140 Recommended JDK and VM Settings for theWebAS63064070
764417 Information for troubleshooting of the SAP J2EEEngine 640
870445 SAPJup J2EE Engine Password Does Not Change Afteran Upgrade
701654 Deployment aborts due to wrong J2EE Engine logininformation
891895 JSPM required disk space
893946 SunJCE provider inconsistency
904074 Broken deployment check versions of deployedcomponents
903609 CAF 7 0 SP5 Deployment problem over SP4 usingJSPM
710966 DEPLOY_LOCK error during upgrade
739190 Timeout when starting or stopping the J2EE engine
What To Do If the Installation Is Interrupted
If for any reason the installation is interrupted (by a power failure for instance) you must restartthe installation process
What To Do If the Installation Does Not Complete Successfully
If installation did not complete successfully select the View Logs tab in the JSPMGUI and read the errormessages to determine what failed and what you need to do to correct the problem Once you havecorrected the problem run the installation process again
06072010 PUBLIC 2152
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
4 Installing the Software44 Troubleshooting
The most common problem with installs is that not enough disk space is available A full install ofSAP GRC Access Control 53 takes approximately 200MB If this space is not available the installaborts You must then make enough space available and re-run the installation
Completing the Installation
Once the installation is finished you get a message in JSPM saying that the installation is complete
2252 PUBLIC 06072010
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration
5 Post-Installation Configuration
51 SAP GRC Risk Analysis and Remediation Configuration
Once you have installed SAP GRC Risk Analysis and Remediation you must perform the followingprocedures before you can use it
1 Create SAP Java Connector (JCo) Connections to the backend2 Import model data and metadata for each JCo destination using the SAP NetWeaver Content
Administrator that is included in the Web Dynpro tools3 Create an SAP User Management Engine (UME) role and assign it to a user4 Create aMaster User Source5 Start the background job daemon
Creating JCo Connections to Backend SystemsIn order for SAP GRC Risk Analysis and Remediation to communicate you must establish one ormore backend server connections You can connect to as many as
n Three SAP Risk Analysis and Remediation 53 RTA backend SAP HR systemsn Three SAP GRC Risk Analysis and Remediation 53 RTA non-HR backend systems such as SAP
Customer Relationship Management SAP Product Lifecycle Management and SAP SupplyChain Management
n Fifteen SAP GRC Risk Analysis and Remediation Real-Time Agents (RTAs)
To connect multiple backend systems to your installation you establish a separate JCo destinationthat includes model data and metadata for each of those systems
Note
The first HRMODEL and METADATA files in the following table do not include an instance number(01) Make sure you observe this naming difference when you set up your JCo destinations
06072010 PUBLIC 2352
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
JCo Destinations for SAP GRC Risk Analysis and Remediation Systems
To Connect Use These JCo Destinations
An SAP GRC Risk Analysis and Remediation 53 RTAto an SAP_HR backendConnection limit Three systems
VIRSAHR_MODEL amp VIRSAHR_METADATAVIRSAHR_01_MODEL amp VIRSAHR_01_METADATAVIRSAHR_02_MODEL amp VIRSAHR_02_METADATA
An SAP GRC Risk Analysis and Remediation 53 RTAto a non-HR SAP backendConnection limit Three systems
VIRSAR3_01_MODEL amp VIRSAR3_01_METADATAVIRSAR3_02_MODEL amp VIRSAR3_02_METADATAVIRSAR3_03_MODEL amp VIRSAR3_03_METADATA
An SAP GRC Risk Analysis and Remediation 53 RealTime Agent (RTA)Connection limit Fifteen systems
VIRSAXSR3_01_MODEL amp VIRSAXSR3_01_META-DATAVIRSAXSR3_02_MODEL amp VIRSAXSR3_02_META-DATAVIRSAXSR3_15_MODEL amp VIRSAXSR3_15_META-DATA
SAP GRC Access Control 53 gives you the option of setting up SAP JCo connections or AdaptiveRemote Function Call (RFC) connections
Note
For information on how to configure Adaptive RFCs and SAP JCo connections see the SAP GRCAccess Control 53 Configuration Guide under Defining Connectors for Risk Analysis and Remediation
Importing Connector DataAfter you install SAP GRCRisk Analysis and Remediation youmust import model data andmetadatafor each backend connection that you establish Before you import model data and metadata yoursystem administrator must verify that your ABAP system
n Is configured in the System Landscape Directory (SLD)n Has a default logon groupn Can be accessed by the J2EE system services file
To import connector model data and metadata
1 Open an internet browser and enter the following address httpltserver_namegt50000indexhtml
Example
http104812221053000indexhtmlThe SAP NetWeaver Startup page appears
2 In the SAP NetWeaver Web Application Server window clickWeb Dynpro3 UnderWeb Dynpro Tool Applications click Content Administrator4 In the User Management Engine logon window enter your user ID and password TheWeb Dynpro Content
Administrator window appears
2452 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
5 ClickMaintain JCo Destination
Note
If the buttons Create JCo Destination andMaintain JCo Destination are not enabled the SLD Bridgehas not been properly configured
The JCo Destination Details page appears
Caution
While performing the following steps do not rename the SAPGRCRisk Analysis and Remediationmodel data and metadata files This causes the connectors that you create to not function
6 From the JCo Destination Details list menu in the right pane locate the data file that corresponds tothe backend system that you are connecting to Click CreateUse the information provided in Table 1 to select the JCo Destination model data or metadata forthe backend system(s) that you want to connect
7 Enter the client number for the backend system (this must match the information you enteredwhen you configured the SLD)
8 Click Next The Create New JCo Destination J2EE Cluster pane appears
Note
Perform Steps 6 through Step 20 twice for each backend system that you plan to connect once toimport the connector MODEL DATA file and once to import the connector METADATA file
9 Select the local J2EE engine or select your remote J2EE engine from the dropdown menu ClickNext
10 Select the appropriate option for the type of data you are generating and then import the datan For METADATA files select the Dictionary Meta Data option Then import the metadata by
enabling the Dictionary Meta Data option under the heading Data Typen For MODEL data files select the Application Data option Then import the model data by
enabling the Application Data option under the heading Data Type11 Click Next
Caution
Select the correct Connection Type for the data you are importing Otherwise your system couldfail when performing a risk analysis
12 From theMessage Server dropdown menu select the backend system for this connectionTheMessage Server dropdown menu lists servers that have been defined as SLD Data Suppliers inthe System Landscape Directory If the server you want to connect to does not appear in thisdropdownmenu use the Visual Administrator tool to verify the server configuration in the SLD
06072010 PUBLIC 2552
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
13 In the Logon Group dropdown menu select the default logon group14 Click Next
Note
When you are configuring model data (the second time) there is a dropdown menu that allowsyou to select Authentication Method The UserPassword is the only supported setting for this option
15 In the Name and Password fields enter the user name and password for the backend system that thisSAP GRC Risk Analysis and Remediation installation will use
16 Click Next17 Verify the information that you have entered and click Finish
Note
When configuring data in Step 15 do not change the Language setting English is the onlysupported language for SAP GRC Risk Analysis and Remediation Version 53
18 After the process has completed scroll down (if necessary) to verify that you received a messagestating that the connection has been successfully created Even if the connector status shows agreen light you still need to test the connector to verify that it is functional
19 For the connector you have just created click Test The message at the bottom of the windowindicates whether the test was successful If the test is unsuccessful click the Log Viewer tab to viewinformation about where the connection problem occurs
20 Locate the model data for the system that you are installing and create a JCo destination for it byfollowing the instructions provided in Steps 6 through Step 20
Importing Risk Analysis and Remediation RolesOnce you have completed the installation procedures described above and restarted the NetWeaverJ2EE server SAP GRC Risk Analysis and Remediation is installed and running However before youcan use it you must import user roles and create an initial user account
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the SAP GRC AccessControl 53 download from the SAP Service Marketplace (servicesapcom) and are also included in theinstall CD in the file VIRACCNTNT_0sar For more information about the roles and how to usethem see the SAP GRC Access Control 53 Security Guide
You use UME to import the Risk Analysis and Remediation user roles
To import Risk Analysis and Remediation user roles
1 Start the UMEUse a Web browser to connect to and log into the SAP NetWeaver J2EE
2652 PUBLIC 06072010
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
2 Click Import3 Browse to the directory into which you extracted the Risk Analysis and Remediation installation
file4 Select cc_ume_rolestxt5 Click Upload
Create a userIf you need to create an administrative user use the UME
Assign the administrative role to a userUse the following procedure to assign the administrative role to a user
1 In the left navigation pane of the UME window click Roles2 In the Get dropdown list select Role3 Enter VIRSA_CC and click Go to display the Roles List In the Roles List find and select the
VIRSA_CC_ADMINISTRATOR role4 Click the Assigned Users tab and then clickModify to assign that role to your user5 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned the Risk Analysis and Remediation administrative privilegesThe administrative role has now been assigned to the user you selected
Test your installationOnce you have completed your data and user setup you are ready to test your installation
Log on to SAP GRC Risk Analysis and RemediationFollow the steps below to log on to SAP GRC Risk Analysis and Remediation
1 Enter the following address into your web browserhttpltserver_namegt5ltinstancegt00webdynprodispatchersapcomgrc~ccappcompComplianceCalibratorWhere server_name is the name of your J2EE system instance is the instance of your J2EEengineExample http 104812221053000webdynprodispatchersapcomgrc~ccappcompComplianceCalibrator
2 Enter the account information for the user you created and click Logon
Note
If the administrator using this account is also assigning JCo destinations you can add the SAPbuilt-in administrator role to provision the user account for setting up connectors
The SAP GRC Risk Analysis and Remediation main screen appears showing the Informer tab Becausedata has not yet been pulled into the system the graphic display shows a broken pie chart andindicates a Graphics Rendering Problem
06072010 PUBLIC 2752
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration51 SAP GRC Risk Analysis and Remediation Configuration
Importing error messagesYou must copy the error message file CC53_MESSAGEStxt that is shipped with the product to alocal directory and then import it into SAP GRC Access Control 53 using the following menu pathConfiguration -gt Utilities -gt Import
Note
Be sure to confirm the override
Configuring your J2EE connectorsIn order to communicate to backend systems using the connectors that you created duringinstallation you must configure them for SAP GRC Risk Analysis and Remediation Formore information see the SAP GRC Access Control 53 Configuration Guide which is located atservicesapcominstguides -gt SAP Solution Extensions -gt SAP Solutions for GRC -gt SAP GRC Access Control -gt SAPGRC Access Control 53
Defining a Master User SourceThe Master User Source is the system that you want SAP GRC Risk Analysis and Remediation 53 touse for user ID e-mail address and other account information that is used for audit reporting When youdefine a Master User Source the JCo connectors that you created do not appear in the dropdownmenu until you have refreshed the web browserUse the following procedure to define a Master User Source for your SAP GRC Risk Analysis andRemediation 53 installation
1 From the SAP GRC Risk Analysis and Remediation 53 Configuration tab select Define MasterUser Source
2 Click the Configure System option
Note
Using the UME as a Master User Source is not currently a supported configuration
3 From the Select System dropdown menu select the connector for the system that SAP GRC RiskAnalysis and Remediation 53 accesses for user information
4 Click Save
The status bar indicates whether or not the connection was successful Once you have configured theconnectors you must start the background job daemon before you can perform background taskssuch as risk analysis
Note
Whenever you restart the Java engine you must also restart the background job daemonInstructions for starting this background job are provided in the next section
2852 PUBLIC 06072010
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Configuring the Background Job DaemonApply SAP Note 999785 to configure the background job daemon and restart the J2ee Engine serverTo monitor the background job daemon enter the following addresses into your web browserhttpltserver_namegtltportgtsapCCBgStatusjsphttpltserver_namegtltportgtsapCCADStatusjspWhere server_name is the J2EE application server name port is 5ltxxgt00xx is the J2EE instanceFor example if the J2EE instance were 35 then the port assignment would be 53500
52 SAP GRC Compliant User Provisioning Configuration
The configuration procedures in this chapter are all required and are listed sequentially Performthem in the order that they appear SAP GRC Compliant User Provisioning post-installationconfiguration includes
n Importing the SAP GRC Compliant User Provisioning Roles (formerly Access Enforcer Roles)n Assigning the SAP GRC Compliant User Provisioning Admin Role to the Administratorn Importing Initial SAP GRC Compliant User Provisioning Configuration Data
Importing SAP GRC Compliant User Provisioning Roles
Once you have completed the installation and restarted the SAP NetWeaver J2EE server SAP GRCCompliant User Provisioning 53 is installed and running Before you can use it however you mustimport user roles and create an initial user account The first step is to use UME to import the SAPGRC Compliant User Provisioning user roles
To import SAP GRC Compliant User Provisioning user roles
1 Start the UME Use a Web browser to connect to and log on to SAP NetWeaver J2EE2 Click Import3 Browse to the directory into which you extracted the SAP GRC Compliant User Provisioning
installation file4 Go to the folder ACROLES5 Select AE_ume_rolestxt6 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 components are bundled in the downloadfrom the SAP Service Marketplace (servicesapcom) and are also included in the install CD in thefile VIRACCNTNT_0sar
06072010 PUBLIC 2952
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration52 SAP GRC Compliant User Provisioning Configuration
Assigning the Administrator Role
Once you have imported or manually created the SAP GRC Compliant User Provisioning user rolesyou must define the SAP GRC Compliant User Provisioning administrator You use this administratorrole to perform certain tasks to create other administrators and users and to assign roles to themThe SAP GRC Compliant User Provisioning administrator has permission to perform any task in SAPGRC Compliant User Provisioning At some point in the future you might decide to create otherusers with the same permissions and perhaps to delete this initial administrator
To assign the SAP GRC Compliant User Provisioning Admin Role to a User
1 Start the UME2 In the Get dropdown list select Role3 Enter AE and click Go to display the Roles list In the Roles list find and select the AEADMIN role
click the Assigned Users tab and then clickModify to assign that role to your user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned SAP GRC Compliant User Provisioning administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Compliant User Provisioning Youdo this from within SAP GRC Compliant User Provisioning
To import SAP GRC Compliant User Provisioning configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtAE
Where hostname = the name or IP address of the system on which NetWeaver runs portnumber =the port on which SAP GRC Compliant User Provisioning has been configured to listen Thedefault is 50000
Example
if the SAP GRC Compliant User Provisioning server resides on host 104812221050000 and it hasthe default port number the correct URL would be http 104812221050000AE You see theinitial SAP GRC Compliant User Provisioning screen
3 Click User Login to display the Login screen Use the user name and password for the SAP GRCCompliant User Provisioning admin user that you just created
4 Click the Configuration tab5 In the navigation pane click Initial System Data6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Compliant User Provisioning installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Compliant
User Provisioning content pane click Import The files that you import are
3052 PUBLIC 06072010
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
n AE_init_append_dataxml - select the Append optionn AE_init_clean_and_insert_dataxml - select the Clean and Insert option
53 SAP GRC Enterprise Role Management Configuration
The configuration procedures in this chapter are all required and listed sequentially Perform themin the order they appear SAP GRC Enterprise Role Management post-installation configurationincludes
n Importing the SAP GRC Enterprise Role Management rolesn Assigning the ERM Admin Role to the administratorn Importing Initial SAP GRC Enterprise Role Management configuration datan Connecting a Standalone J2EE System to the remote SAP Server
Importing SAP GRC Enterprise Role Management Roles
Once you have completed the installation procedures and restarted the SAP NetWeaver J2EE serverSAP GRC Enterprise Role Management is installed and running However before you can use it youmust import user roles and create an initial user account The first step is to use UME to import theSAP GRC Enterprise Role Management user roles
To import SAPGRC Enterprise Role Management user roles
1 Start the UME Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server Onthe Index page click User Management Log into the UME
2 Click Import3 Go to the directory into which you extracted the SAP GRC Enterprise Role Management
installation files and using any text editor open the file re_ume_rolestxt (This file is available fromthe Best Practices section of the SAP Help at helpsapcom) Select and copy the entire contentsof the file
4 Go back to the UME and then in the blank area paste the contents of re_ume_rolestxt5 Click Upload
Note
Predefined roles for SAP GRC Access Control 53 capabilities are included with the software andare also included in the install CD in the file VIRACCNTNT_0sar
Defining the Administrator
Once you have imported the SAP GRC Enterprise Role Management user roles you must define theinitial SAP GRC Enterprise Role Management administrator You use this user to perform certaintasks to create other administrators and users and to assign roles to them The SAP GRC EnterpriseRole Management administrator has permission to perform any task in SAP GRC Enterprise Role
06072010 PUBLIC 3152
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration53 SAP GRC Enterprise Role Management Configuration
Manager At some point in the future youmay decide to create other users with the same permissionsand perhaps to delete this initial administrator
To assign the SAP GRC Enterprise Role Management admin role to a user
1 Start the UME Use a Web browser to connect to and log on to the NetWeaver J2EE server On theIndex page click User Management Log into the UME
2 In the Get dropdown list select Role3 Enter RE and click Go to display the Roles list In the Roles list find and select the RE Admin role
click the Assigned Users tab and then clickModify to assign that role to the specified user4 In the Available Users pane type the user name in the Get field and click Go Select the user who is
being assigned RE Administrative privileges
Importing Configuration Data
The final task is to import initial configuration data for SAP GRC Enterprise Role Management Thisdata is the default out-of-the-box system data that is pre-packaged with SAP GRC Enterprise RoleManagement and is a minimal set of data that it requires to function properly You import this datafrom within SAP GRC Enterprise Role Management
To import SAP GRC Enterprise Role Management configuration data
1 Using a Web browser connect to the SAP NetWeaver J2EE server2 Type the application URL in your internet browser httplthostnamegtltportnumbergtREn hostname = the name or IP address of the system on which NetWeaver runsn portnumber = the port on which SAP GRC Enterprise Role Management has been configured to
listen The default is 50000
Example
If the SAP GRC Enterprise Role Management server resides on host 1048122210 and has the portnumber 50000 the correct URL would be http 104812221050000REThe initial SAP GRC Enterprise Role Management page appears
3 Click User Login to display the Login screen Use the user name and password of the REAdmin user youjust created
4 Click the Configuration tab5 Click the Configuration tab6 In the content pane click Browse and navigate to the directory into which you extracted the SAP
GRC Enterprise Role Management installation files7 In the Browse window double-click the appropriate xml file and then in the SAP GRC Enterprise Role
Management content pane click Import The files that you import aren RE_init_clean_and_insert_dataxml select the Clean and Insert optionn RE_init_append_dataxml select the Append option
3252 PUBLIC 06072010
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration54 SAP GRC Superuser Privilege Management
n RE_init_methodology_dataxml select the Append option This step is only required for a freshinstallation or if you want to reload the default process that was originally shipped with SAPGRC Enterprise Role Manager
54 SAP GRC Superuser Privilege Management
The configuration procedures detailed in this chapter are all required and are listed sequentiallyPerform them in the order in which they appear SAP GRC Superuser Privilege Managementconfiguration includes
n Creating the SAP GRC Superuser Privilege Management Administratorn Assigning the Administrator Role to the administrator user
Creating the Administrator Role
To create the SAP GRC Superuser Privilege Management administrator role
1 Use your Web browser to connect to and log in to the SAP NetWeaver J2EE server on the Indexpage click User Management
2 In the Get dropdown list select Role and then select Create Role3 Enter FF_ADMIN as the role name and enter a short description on the General Information tab For
more information about the permissions needed for this role see the Security Guide4 Select the desired Action tab and then search for all the SAP GRC Superuser Privilege Management
-related UME actions by entering FF in the Get field Choose Get5 Choose Select All and then choose Add6 Choose Save
Assigning the Administrator Role to a User
Once you have imported the SAP GRC Superuser Privilege Management administrator role youmustconfigure a user to be the initial administrator and assign the administrator role to this user This usermust perform certain tasks such as create other administrators and users and assign roles to themThe administrator has permission to perform any task in SAP GRC Superuser Privilege ManagementAt some point you may create other users with the same permissions and delete this initialadministrator
To assign the administrator role to a user
1 Start the UME Use a Web browser to connect to and log in to the SAP NetWeaver J2EE server Onthe Index page click User Management
2 In the Get dropdown list select Role3 Enter FF and click Go to display the Roles list In the Roles list find and select the FF_ADMIN
role click the Assigned Users tab and then clickModify to assign that role to your specified user
06072010 PUBLIC 3352
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration55 Single Launch Pad
4 In the Available Users pane type the user name in the Get field and click Go Select the user who isbeing assigned the SAP GRC Superuser Privilege Management administrator privileges
5 Choose Save6 Verify that you can access the component using the URL below
httplthostnamegtltportgtwebdynprodispatchersapcomgrc~ffappcompFirefighter
55 Single Launch Pad
No additional steps are required to configure the Single launch pad The Single launch pad is anapplication that allows you to initiate the four SAP GRC Access Control 53 capabilities from acommon home page You can get the URL for Single launch pad from SAP NetWeaver 70 (2004s) SP12 once the SAP GRC Access Control 53 installation is complete and the capabilities are configuredUntil you have assigned users to each capability their links in Single launch pad are grayed out Tostart the Single launch pad follow these steps
Procedure
1 Log in to the J2EE server as an administrator2 Click theWeb Dynpro link3 Click the Content Administrator link4 Under the Browse tab find the application name sapcomgrc~acappcomp5 Expand the tree view of the application and click AC6 In the right panel click the Run button A new window is launched and you can get the URL
which is in the following formathttpltserver namegt5ltinstancegt00webdynprodispatchersapcomgrc~acappcompAC
56 Connecting a Standalone J2EE System to a Server
If you are performing a standalone J2EE system installation you must connect it to the backend SAPserver Use the following procedures to connect your J2EE system to a remote SAP server
Note
The following steps are for Windows installations For UNIX installations open your etcservices filewith a text editor and add an entry as described in Step 2 below Also add the following entry sapgw003300tcp You do not need to restart your UNIX system after performing this procedure
3452 PUBLIC 06072010
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
5 Post-Installation Configuration56 Connecting a Standalone J2EE System to a Server
Procedure
1 Open the Windows services file in a text editor such as WordPad Use the following path and filename cWINDOWSsystem32driversetcservices
2 Add an entry in the services file in the following format sapmsltsap_sidgt36ltinstancegttcpn sapmsmdash identifies the SAP message servicen sap_sidmdash identifies the name of your SAP server (always uppercase)n 36mdash identifies the standard message port for SAPn instancemdash identifies the SAP server instance number
n tcpmdash identifies the message protocol
Example
sapmsSNW 3600tcp
3 Add the following entry sapgw00 3300tcp
Note
Do not forget to terminate each line (including the last one) with a CR (carriage return) whenyou edit the services file
4 Save your changes and close the services file5 Restart Windows
For more information regarding the services file see SAP Notes 723562 and 52959 This completes SAPGRC Superuser Privilege Management configuration SAP GRC Superuser Privilege Managementis now running and ready for use The next step is to integrate SAP GRC Enterprise Managementand SAP GRC Compliant User Provisioning for role approval For more information see sectionIntegrating for Role Approval in the SAP GRC Access Control Integration chapter of the SAP GRC Access Control53 Configuration Guide
06072010 PUBLIC 3552
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
This page is left blank for documentsthat are printed on both sides
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
6 Post-System Copy Configuration
6 Post-System Copy Configuration
If you have used system copy to install SAP GRC Access Control 53 use the information in thissection to confirm the configuration information is correctly maintained
61 SAP GRC Risk Analysis and Remediation
Verify the following configuration information
n Ensure all the JCos reference the new JCo namesn Ensure the Workflow Service URL references the new server address
n On the Configuration page gt Custom tab ensure all the server addresses reference the newserver address
62 UME Activities
After a system copy and refresh the connectors are normally not set Verify the followingconfiguration information
1 Verify JCo information for VIRSAXSR3_01_METADATA is set to the new servern General datal ERP system client (for example change from 000 to 800 ‒ to matches the ERP client)l JCO Pool Configuration (for example set to 50 for the pool size 100 max connections)l Connection Timeout (for example from 10 ms to 900000 ms)l MaximumWaiting Time (for example from 20 ms to 900000 ms)
n bull J2EE Clusterl Accept locall Connection Typel For metadata ‒ select dictionary meta datal For model ‒ select application data
n Application Server Connectionl Systeml Logon group (for example lsquoSPACErsquo)l All other default data
n bullSecurityl Name ‒ must match the name in the ERP (with appropriate access)
06072010 PUBLIC 3752
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
6 Post-System Copy Configuration63 SAP GRC Compliant User Provisioning
l Password ‒ must match password for the user in ERP (need to have same userpasswordfor all adaptorsconnectors for AC suite)
2 On the main screen click Test to validate the User ID password and connection information
Note
If you do not connect verify that the Logon Group (for example lsquoSPACErsquo) is a defined user groupon the ERP system Use Transaction SMLG
3 Verify the following for VIRSAXSR3_01_MODELn Test each JCo Destination and JCo Metadatan Test the JCo Model
4 Verify the JCos and references to the backend references the new Host Name and Gateway5 Verify the adaptor is working with the Risk Analysis and Remediation Server
a) Log on to the Risk Analysis and Remediation Server select the Configuration tab and selectSAP Adapter
Note
If the Icon (square) is colored Red and not Green select it to activate it
b) Verify the Host Name and Gateway is correctc) Verify that the Program ID is the same as the Program ID on the backend ERP RFC Destination
63 SAP GRC Compliant User Provisioning
Verify the following configuration information
n The Risk Analysis web service URI references the new server addressn The Mitigation service URI references the new server addressn The Application Server Host references the connector information or the new servern The Exit URIs for all the workflow types reference the new servern TheURI for the CustomApprover Determinator references the host name for the newweb service
64 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
3852 PUBLIC 06072010
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
6 Post-System Copy Configuration65 SAP GRC Enterprise Role Management Configuration
65 SAP GRC Enterprise Role Management Configuration
Verify the following configuration information
n Ensure all web service URIs reference the new server information
n Ensure the Application Server Host for the Connectors references the new connector
06072010 PUBLIC 3952
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
This page is left blank for documentsthat are printed on both sides
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
7 Appendix
7 Appendix
71 SAP GRC Access Control 53 Component Contents
n Enterprise Portal - VIREPRTA00_0scal grc~ccsapeprtasdal grc~aeeprtasdal grc~ccsapeprtasda
n Single launch pad - VIRACLP00_0SCAl grc~acappcompsdal grc~acdmdbsda
n SAP GRC Risk Analysis and Remediation - VIRCC00_0SCAl grc~ccxsyswssdal grc~ccxsyssodwssdal grc~ccxsysejbearsdal grc~ccxsysdbsdal grc~ccxsysbgearsdal grc~ccxsysbehrsdal grc~ccxsysbesdal grc~ccxsysactionwssdal grc~ccumesdal grc~cclibsdal grc~ccappcompsda
n SAP GRC Compliant User Provisioning - VIRAE00_0SCAl grc~aewsejbearsdal grc~aewfrqwsejbearsdal grc~aeumesdal grc~aelibsdal grc~aeearsdal grc~aedictsda
n SAP GRC Enterprise Role Management - VIRRE00_0SCAl grc~reworkflowexitwsearsdal grc~reumesdal grc~rejarslibsdal grc~reintflibsdal grc~reearsdal grc~redictionarysda
06072010 PUBLIC 4152
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
7 Appendix72 Using the Visual Administrator to Configure an SLD Data Supplier
l grc~reapprswsearsdan SAP GRC Superuser Privilege Management - VIRFF00_0SCAl grc~ffumesdal grc~ffextsdal grc~ffdbsdal grc~ffappcompsda
72 Using the Visual Administrator to Configure an SLD DataSupplier
Use the following procedure to configure the System Landscape Directory (SLD)
Procedure
1 Execute the Visual Administrator tool script or batch file For more information see the VisualAdministrator Tool Scripts and Batch Files table in the Configuring the Internet Graphics Server [page 43] sectionfor the path and file name
2 Select an SAP J2ee Engine from the connection screen and click Connect3 Enter the password for the J2EE administrator4 Expand the navigation menu under your J2EE server name then expand the Services list item5 Click SLD Data Supplier6 Click the HTTP Settings tab7 Enter the host name and port number for the J2EE engine then enter the user name and password for your
system connection
Caution
Do not enter the Fully Qualified Domain Name for the SLD server Enter the host name only andmakesure that the host is registered in the Domain Name Service (DNS)
Example
The SLD uses port 5ltinstancegt00 where instance is the J2EE engine instance If the J2EE instancewere 35 then the SLD message port assignment would be 53500
8 Click Save9 Click the CIM Client Generation Settings tab10 Enter the same host port and user information that you entered in Step 7 above11 Click Save12 Click the Supplier (data transfer) icon at the top of the pane to transfer your information to the SLD
server A dialog box displays the message Trigger SLD data transfer13 Click Yes A dialog box informs you that the data has been transferred successfully
4252 PUBLIC 06072010
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
7 Appendix73 Configuring the Internet Graphics Server
73 Configuring the Internet Graphics Server
The Internet Graphics Server (IGS) is included with your NetWeaver software You configure the IGSURL using the Visual Administrator tool
Procedure
1 Launch the Visual Administrator tool by executing the script or batch file for your operatingenvironment The name and location of the file that you use to launch the Visual Administratordepend on your operating environment as shown in the tablen SAP_SID is the system ID for your SAP servern instance is the instance ID of your J2EE engine
Visual Administrator Tool Scripts and Batch Files
Operating Environment Directory Path File Name
UNIX with Java only usrsapltSAP_SIDgtJCltinstancegtJ2eeadmin
Exampleusrsapsap_system1JC00J2eeadmin
Gosh
UNIX with Java and ABAP add-on usrsapltSAP_SIDgtDVEBMGSltinstancegtJ2eeadmin
Exampleusrsapsap_system1DVEBMGSJ2eeadmin
Gosh
Windows with Java only cusrsapltSAP_SIDgtJCltin-stancegtj2eeadmin
Examplecusrsapsap_system1JC00j2eead-min
Gobat
Windows with Java and ABAPadd-on
cusrsapltSAP_SIDgtDVEB-MGSltinstancegtj2eeadmin
Examplecusrsapsap_system1DVEB-MGSj2eeadmin
Gobat
2 Under the Services item in the (left) navigation pane click Configuration Adapter
06072010 PUBLIC 4352
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
7 Appendix74 Using Java Service Program Manager
3 Under the Display Configuration tab expand theWeb Dynpro navigation list item Expand sapcom thenexpand tc-wd~disprwda Click the Edit Mode (pencil) icon that is above the navigation list A dialog boxwarns that you are about to enter Edit Mode and requests you to confirm that you want to proceed
4 Click Yes5 In the navigation menu list double-click Property sheet default The Change Configuration window
appears6 In the Name column click the IGSUrl list item7 In the Custom field enter the IGS server name and port number using the format
ltserver_namegtltportgt wheren server_name is the name of your IGS servern port is the IGS server port in the format 4ltinstancegt80 The default port assignment is 40080
8 Click Apply custom and then click OK9 Exit the Visual Administrator
74 Using Java Service Program Manager
1 Open the JSPM folder which is located at [drive]usrsapA29JC29j2eeJSPM2 Launch JSPM by clicking on the file Gobat3 Select New Software Components and click Next4 Select the software components that you wish to deploy and click Next5 Verify that you have selected the correct software and click Next6 JSPM installs the software you selected and displays the messageUpdate of deployed components in progress7 When JSPM has finished deploying the software click Exit The system displays the message
Deployment has finished
4452 PUBLIC 06072010
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
A Reference
A Reference
A1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software
Figure 1 Documentation Types in the Software Life Cycle
Cross-Phase Documentation
SAPterm is SAPrsquos terminology database It contains SAP-specific vocabulary in over 30 languages aswell as many glossary entries in English and German
n Target groupl Relevant for all target groups
n Current versionl On SAP Help Portal at httphelpsapcom Additional Information Glossary (direct
access) or Terminology (as terminology CD)l In the SAP system in transaction STERM
06072010 PUBLIC 4552
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
A ReferenceA1 The Main SAP Documentation Types
SAP Library is a collection of documentation for SAP software covering functions and processes
n Target groupl Consultants
l System administratorsl Project teams for implementations or upgrades
n Current versionl On SAP Help Portal at httphelpsapcom (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels A collective security guide is available for SAP NetWeaver This documentcontains general guidelines and suggestions SAP applications have a security guide of their own
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcomsecurityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution It lists the requiredinstallable units for each business or IT scenario It provides scenario-specific descriptions ofpreparation execution and follow-up of an implementation It also provides references to otherdocuments such as installation guides the technical infrastructure guide and SAP Notes
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The installation guide describes the technical implementation of an installable unit takinginto account the combinations of operating systems and databases It does not describe anybusiness-related configuration
n Target groupl Technology consultantsl Project teams for implementations
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform One of its main functions is the configuration of business and IT scenarios It containsCustomizing activities transactions and so on as well as documentation
4652 PUBLIC 06072010
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Solution consultants
l Project teams for implementationsn Current versionl In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP systemThe Customizing activities and their documentation are structured from a functional perspective(In order to configure a whole system landscape from a process-oriented perspective SAP SolutionManager which refers to the relevant Customizing activities in the individual SAP systems is used)
n Target groupl Solution consultants
l Project teams for implementations or upgradesn Current versionl In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver and precedes the solution operations guide The manual refers users to the tools anddocumentation that are needed to carry out various tasks such as monitoring backuprestoremaster data maintenance transports and tests
n Target groupl System administrators
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The solution operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks
n Target groupl System administratorsl Technology consultantsl Solution consultants
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of anSAP solution It provides scenario-specific descriptions of preparation execution and follow-up of anupgrade It also refers to other documents such as the upgrade guides and SAP Notes
06072010 PUBLIC 4752
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
A ReferenceA1 The Main SAP Documentation Types
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
The upgrade guide describes the technical upgrade of an installable unit taking into accountthe combinations of operating systems and databases It does not describe any business-relatedconfiguration
n Target groupl Technology consultantsl Project teams for upgrades
n Current versionl On SAP Service Marketplace at httpservicesapcominstguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG)
n Target groupl Consultants
l Project teams for upgradesn Current versionl On SAP Service Marketplace at httpservicesapcomreleasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
4852 PUBLIC 06072010
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
Typographic Conventions
Example Description
ltExamplegt Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system for example ldquoEnter your ltUser Namegtrdquo
ExampleExample
Arrows separating the parts of a navigation path for example menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
httpwwwsapcom Textual cross-references to an internet address
example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note for example SAP Note 123456
Example n Words or characters quoted from the screen These include field labels screen titlespushbutton labels menu names and menu options
n Cross-references to other documentation or published works
Example n Output on the screen following a user action for example messagesn Source code or syntax quoted directly from a programn File and directory names and their paths names of variables and parameters and
names of installation upgrade and database tools
EXAMPLE Technical names of system objects These include report names program namestransaction codes database table names and key concepts of a programming languagewhen they are surrounded by body text for example SELECT and INCLUDE
EXAMPLE Keys on the keyboard
06072010 PUBLIC 4952
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +4918 0534 34 34F +4918 0534 34 20
wwwsapcom
copy Copyright 2010 SAP AG All rights reserved
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permissionof SAP AG The information contained herein may be changed without prior noticeSome software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft CorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise ServerPowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipesBladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIXIntelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registeredtrademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web ConsortiumMassachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implementedby NetscapeSAP R3 xApps xApp SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP productsand services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and in several other countries all over the world All other product and service names mentioned are thetrademarks of their respective companies Data contained in this document serves informational purposes only Nationalproduct specifications may varyThese materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies(ldquoSAP Grouprdquo) for informational purposes only without representation or warranty of any kind and SAP Group shall notbe liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services if any Nothing hereinshould be construed as constituting an additional warranty
This document was created using stylesheet 2007-12-10 (V72) XSL-FO V51 Gamma and XSLT processor SAXON 652from Michael Kay (httpsaxonsfnet) XSLT version 1
5052 PUBLIC 06072010
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
DisclaimerSome components of this product are based on Javatrade Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited as is any decompilation of these componentsAny Javatrade Source Code delivered with this product is only to be used by SAPrsquos Support Services and may not be modified oraltered in any way
Documentation in the SAP Service MarketplaceYou can find this document at the following address httpservicesapcominstguides
06072010 PUBLIC 5152
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +4918 0534 34 34F +4918 0534 34 20wwwsapcom
copy Copyright 2010 SAP AG All rights reservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may bechanged without prior notice