Tips and Tricks to Manage and Administer Your SAP Access Control and SAP Process Control 10.1 Systems

Mohan Kommanaboina, KPMG

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.


In This Session

• Gain detailed insight into both technical aspects as well as realistic compliance scenarios within SAP Process Control (PC) and SAP Access Control (AC). Explore:
    - SAP GRC overview and technical architecture
    - Important pre- and post-installation steps of SAP Process Control and SAP Access Control 10.x
    - Configuration strategies for SAP Process Control and SAP Access Control
    - SAP Access Control and SAP Process Control integration key features
    - SAP GRC background jobs
    - Troubleshooting tips to quickly resolve any issues
• Walk through 10.x technical critical issues, bugs, support packs, tips and tricks, and examine what is required to establish GRC functionality


What We’ll Cover

• SAP GRC overview and technical architecture

• Important pre- and post-installation tasks

• Technical overview of SAP GRC configuration

• Key configuration tasks during the design phase

• SAP Access Control and SAP Process Control integration features

• Critical technical issues, bugs, support packs, etc.

• Troubleshooting tips

• Wrap-up


SAP GRC Overview

[Diagram: GRC]

Diagram components: Process Control and Risk Management; Access Control; GTS and NfE; Fraud and Audit Management

Diagram captions: Ensure effective controls and ongoing compliance; Management of Access Risks and Prevention of Fraud; SAP Sanctioned Party List; Efficient and effective Fraud Management; Retain and increase Enterprise value and take advantage of opportunities


SAP GRC Overview (cont.)

GRC Versions | VIRSA 4.x | GRC 5.x | GRC 10.x
Platform | ABAP | Java | ABAP
Naming Conventions | Compliance Calibrator (CC) | Risk Analysis and Remediation (RAR) | Access Risk Analysis (ARA)
 | Firefighter (FF) | Superuser Privilege Management (SPM) | Emergency Access Management (EAM)
 | Access Enforcer (AE) | Compliance User Provisioning (CUP) | Access Request Management (ARM)
 | Role Expert (RE) | Enterprise Role Management (ERM) | Business Role Management (BRM)


SAP GRC Overview and Technical Architecture

Source: SAP Master Guide


Important Pre- and Post-Installation Tasks

Step | Key Tasks for GRC 10.x AC/PC/RM Pre- and Post-Installation Steps
1 | Client Setup – Copy Client from 000
2 | Download and Install GRC Software GRCFND_A and Plug-ins GRCPINW and GRCPIERP
3 | Activate GRC Applications in Clients
4 | Activate SAP Internet Communication Framework (SICF)
5 | Set Up SAP Business Workflows
6 | Set Up emails using t-code SCOT
7 | Set Up time zone settings in SPRO


Important Pre- and Post-Installation Tasks (cont.)

Step | Key Tasks for GRC 10.x AC/PC/RM Pre- and Post-Installation Steps
8 | Set Up the initial user in the ABAP system
9 | Activate Business Configuration (BC) sets using t-code SCPR20
10 | Activate Common Workflows Tasks for AC/PC/RM
11 | Create and Maintain Connectors, Connection types, and Groups to SAP Systems
12 | Maintain Plug-in Settings
13 | Maintain Data Sources
14 | Configure and Maintain Configuration in SPRO
15 | Setup Synchronizing Jobs and schedule Background Jobs


Important Pre- and Post-Installation Tasks Demo

• Demo description


Step 1: Set Up the Initial GRC Client in the New System

• Perform a complete copy from client 000 to your target client (e.g., client 100) using copy parameter “SAP_ALL” profile
    - This is a leading practice for SAP GRC and the preferred method for new systems
• Verify the client copy using the “Client Copy/Transport Log Analysis” tool from the SAP menu


Step 2: Install GRC Software and Plug-Ins

• Install GRC software component GRCFND_AV1100 – GRC Foundation ABAP V1100
    - From SAP Software Distribution Center on SAP Service Marketplace or CD
• Install or upgrade the following GRC plug-ins:
    - GRCPINW – This plug-in is used for non-HR functions in SAP Access Control. In SAP Process Control and Risk Management, it is used for continuous monitoring.
    - GRCPIERP – This plug-in is used for HR functions in SAP Access Control and Process Control (optional)


Step 3: Activate the Applications in the SPRO (IMG)


Step 4: SICF Activation

• Activate, at a minimum, the following SAP Internet Communication Framework (SICF) service nodes using t-code SICF:
    - /sap/bc/nwbc
    - /sap/public/bc/icons
    - /sap/public/bc/icons_rtl
    - /sap/public/bc/webicons
    - /sap/public/bc/pictograms
    - /sap/public/bc/myssocntl
    - /sap/public/bc/webdynpro
    - /sap/public/bc/webdynpro/mimes
    - /sap/public/bc/webdynpro/adobeChallenge
• They become inactive by default after installation or SP upgrade


Step 5: Set Up SAP Business Workflows

• Steps: IMG → GRC → General Settings → Workflow → Perform Automatic Workflow Customizing and Perform Task-Specific Customizing


Step 6: Email Setup

• Set up SMTP connection to company’s email gateway and schedule the mail send job
    - Use t-code SCOT
• User’s email address must be maintained in the user’s records (SU01)


Step 7: Specify Time Zone Settings

• Use steps in IMG → SAP NetWeaver® → General Settings → Time Zones → Maintain System Settings


Remediation View

• Graphically identifies the access risk violations and allows users to make informed decisions. You can:
    - Take remediation action directly from the results of user-level access risk analysis
    - Initiate a workflow to update user or role authorization assignments, validity dates, and mitigate access
    - This will save the business users a lot of time making decisions during the SOD review since they no longer have to download the report and analyze the results


Remediation View (cont.)

GRC AC 10.1 runs smoothly on IE 9 and Chrome. New features such as remediation view and simplified access request mandatorily need IE 9 and Chrome.

Remediation view will run in SAP Access Risk Analysis only when an SAP Gateway connection is established. Configure SAP Gateway as per the GRC AC 10.1 installation guide.

• By selecting the icon you can assign mitigation to the risk or rule
• You can also remove the role. If you select this option, a Change Account Access Request is automatically created for removal of the role from the user.


Business Configuration (BC) Set Activation

• A Business Configuration set is a set of customizing settings
• Business Configuration sets are an official implementation toolset used to simplify the customization process
    - Accessible across the system landscape
    - Some that are delivered with GRC suite 10.1 need to be activated
• Transaction SCPR20 performs the activation in Development “Config” client
    - Transports are created; move these transports up the landscape (QA, Pre-Prod, and Prod)
    - New rules are loaded
    - All initial configuration is loaded
    - Loading is client-specific


Business Configuration (BC) Set Activation (cont.)

• Activated Access Control and Process Control BC sets


Activate Common Workflow Tasks for PC and AC

• Go to transaction PFTC and select the type and task as shown below

• Repeat the process for each item


Connector Setup — RFC Connections

• Set up RFC connections to the plug-in systems, such as the ERP system
    - The name of the connector will be critical!
• Use transaction SM59 or SPRO → IMG → Create connectors


Connector Setup — Maintain Connector Settings by Integration Scenarios

• Set up the connector assignment for each of the integration scenarios

• Connector must be added to the scenarios or the functionality will not work

• Must perform all 5 scenarios’ setup for PC and AC
    - Automatic Monitoring (AM) scenario belongs to PC


Connector Setup — Maintain Connector Settings

• Other important common configuration settings for PC and AC are shown below
• You must make sure these are properly maintained and set up accordingly to utilize respective functionalities


Background Jobs for Access Control

Technical Name | Job Name | Frequency
GRAC_PFCG_AUTHORIZATION_SYNC | Authorization Sync | F – Weekly
GRAC_REPOSITORY_OBJECT_SYNC | Repository Object Sync | I – Hourly; F – Weekly
GRAC_ACTION_USAGE_SYNC | Action Usage Sync | F – Daily
GRAC_ROLE_USAGE_SYNC | Role Usage Sync | F – Daily
GRAC_SPM_LOG_SYNC_UPDATE | Firefighter Log Sync | F – Hourly
GRAC_SPM_WORKFLOW_SYNC | FireFighter Workflow Sync | F – Daily
GRAC_SPM_SYNC | EAM Master Data Sync | F – Daily
GRAC_BATCH_RISK_ANALYSIS | User/Role/Profile Batch Risk Analysis | F – Weekly


AC and PC Integration Benefits

• This integration provides various benefits, including:
    - Unified master data – decreases the total cost of ownership and provides more consistent data across the system landscape
    - Shared application roles – no redundancy in control and risk owners
    - Full cycle remediation process – end-to-end compliance across GRC processes
• The following master data is shared between AC and PC for the release 10.0 integration scenario:
    - Organizations
    - Business Processes
    - Business Sub-Processes
    - Controls


Enabling Local PC Controls

• This block diagram provides an overview of the steps required to enable local Process Control controls for assignment as mitigating controls in Access Control

[Block diagram; blocks listed in extracted order]
    - Assign Owners as Monitors and Approvers
    - Assign Monitor and Approver (Org Unit)
    - Select Compliance Org Unit
    - Select Process/Sub-process (Org Unit)
    - Select PC Local Control (Org Unit)
    - Assign Mitigation Control ID
    - Assign Access Risks
    - Assign Approver and Monitor


Tips for Common GRC Issues

• Email issues
    - You can check the SMTP settings by sending a test mail through “SAP Business Workplace” (SBWP)
    - If the entry is coming under SOST for this test mail, then there is an error with GRC email configuration settings; otherwise, it is purely an issue with SMTP settings
• File import issues
    - Check input file for:
        - Proper formatting
        - Mandatory fields filled
        - Illegal or junk characters
        - UTF-8 format


Tips for Common GRC Issues (cont.)

• Rule import issues
    - View rule file in advanced editors to check if the file is corrupted or has any junk data
• Sync improvement
    - New BAdI has been added to filter the repository sync
    - SAP Note 1960807
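
The checks listed under file import and rule import issues (formatting, mandatory fields, junk characters, UTF-8) can be scripted and run before an upload. This is an added example, not part of the original presentation or of SAP's code; it assumes a tab-delimited file with a header row, and the column names, sample rows and function names are constructed for illustration.

```python
import unicodedata

# Constructed sample upload file (not an SAP template). Column names are
# hypothetical; each data row after the first clean one has a defect.
SAMPLE = (
    b"ROLE_NAME\tSYSTEM\tOWNER\n"
    b"Z_AP_CLERK\tPRDCLNT100\tJSMITH\n"
    b"Z_AP_MANAGER\t\tJSMITH\n"             # mandatory SYSTEM left empty
    b"Z_GL\x00POST\tPRDCLNT100\tJSMITH\n"   # embedded NUL byte
    b"Z_FI_DISPLAY\tPRDCLNT100\n"           # one column short
    b"Z_MM_BUYER\tPRDCLNT100\tM\xfcLLER\n"  # Latin-1 byte, not valid UTF-8
)


def junk_chars(text, delimiter):
    """Return control, format, private-use or unassigned characters,
    plus U+FFFD left behind by an earlier lossy conversion."""
    return [
        ch for ch in text
        if ch == "\ufffd"
        or (ch != delimiter and unicodedata.category(ch).startswith("C"))
    ]


def check_upload(data, mandatory, delimiter="\t"):
    """Check raw file bytes and return a list of (line_number, message)."""
    findings = []
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return [(1, "UTF-16 byte order mark: re-save the file as UTF-8")]
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append((1, "UTF-8 byte order mark in front of the header"))
        data = data[3:]

    header = None
    # Decode line by line so one bad line does not hide defects in the rest.
    for line_no, raw in enumerate(data.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no record
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            findings.append((line_no, f"not valid UTF-8 at byte {exc.start}"))
            if header is None:
                return findings  # cannot check columns without a header
            continue
        for ch in junk_chars(text, delimiter):
            findings.append((line_no, f"junk character U+{ord(ch):04X}"))

        fields = [f.strip() for f in text.split(delimiter)]
        if header is None:
            header = fields
            for name in sorted(set(mandatory) - set(header)):
                findings.append(
                    (line_no, f"mandatory column {name} missing from header"))
            continue
        if len(fields) != len(header):
            findings.append(
                (line_no, f"expected {len(header)} fields, found {len(fields)}"))
            continue
        for name, value in zip(header, fields):
            if name in mandatory and not value:
                findings.append((line_no, f"mandatory field {name} is empty"))
    return findings


if __name__ == "__main__":
    for line_no, message in check_upload(SAMPLE, {"ROLE_NAME", "SYSTEM"}):
        print(f"line {line_no}: {message}")
```
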


Tips for Common Workflow Issues

• Mandatory post-installation configuration
    - Ensure GRC_MSMP_CONFIGURATION BC set has been enabled
    - Perform automatic workflow customizing
    - Perform task-specific customizing
    - Activate event linkage
    - Define number ranges for access requests
    - Assign connectors to the PROV integration scenario
• Stuck requests, unknown stage, or path issues
    - Verify post-installation steps for deactivated tasks
    - Check WF-BATCH user for authorization or validity issues
    - Check SLG1 logs and ST22 for errors during time period
    - Refer to SAP Note 1649156 – Role not found in role search on Access Request Screen


Tips for Common Workflow Issues (cont.)

• “No agent found.” Check the following:
    - Approver in role definition is in upper case as in GRCACUSER table
    - Agent rule is correctly assigned in MSMP
    - If you have system line item, ensure routing rule is enabled for the system
    - For BRF+ Agent rules, simulate to verify agent results
• For additional log information, use transaction GRFNMW_DEBUG_MSG to set MSMP message log levels
    - Once set, you can use transaction GRFNMW_DBGMONITOR_WD to check detailed logs
• If you still can’t find the root cause, follow SAP Note 1624069 to get more logs at file level
    - Make sure that you deactivate the debug logs once the problem is resolved, otherwise you may run into issues with disk space


Tips for Firefighter Job Issues

• Time out while retrieving change log issues
    - Implement SAP Notes 1930470, 1962440 to improve the performance for change log retrieval
    - Archive CDHDR and CDPOS table if possible
    - Create indexes if required
    - EAM does not support mass transaction activity
• To retrieve missing FF logs:
    - Run report GRAC_EAM_TASK_TIMESTAMP_UPDATE to change the timestamp to current time
        - Refer to SAP Note 1953302
    - Run report GRAC_EAM_LOG_SYNC_TIMEBASED to retrieve the missing logs
        - Refer to SAP Notes 1934127 and 1966752


Tips for Firefighter Job Issues (cont.)

• Consolidated log is missing or workflow request not created:
    - Apply SAP Note 1775432 if time zone is different in plug-in system
    - If the GRC system has plug-in components installed, then both the SAP system time zone (STZAC) and Operating System time zone must be the same
    - Check ST22 for any dumps in GRC and plug-in systems
    - Apply SAP Note 1855037 to get extra debug logs
    - Refer to SAP Note 1967403 for Firefighter Log and Review Workflow issues


Tips for Risk Analysis Performance Issues

• Batch risk analysis
    - Define Critical Roles and Profiles (SAP_ALL/SAP_NEW)
    - Verify configuration parameter “Ignore Critical Roles and Profiles” is set to YES
    - Exclude unnecessary objects such as expired, unused objects, administrators, super users
    - Run DB statistics and rebuild indexes if applicable for violation tables
    - Make sure you have the parallel background jobs configured
    - If parameter 2023 “Is actual removal of role allowed” is set to NO, then running Batch Risk Analysis in offline mode (parameter 1027 as YES) is not mandatory


Tips for Risk Analysis Performance Issues (cont.)

• Ad hoc risk analysis
    - Avoid running for all objects or a large number of objects
    - Run as background job if you want to run more than a few users
    - Clean up the temporary violations tables periodically (SAP Note 1744331)
    - Download ad hoc risk analysis reports in background (SAP Note 1792254)
    - Remediation View is for identifying the risk quickly and remediating it. Always run for specific user and risk to get better results (SAP Note 2035538).
• Risk analysis from ARQ
    - Users with large numbers of authorizations may take some time or may even time out
    - Risk analysis from the Access Request screen can now be scheduled in the background (SAP Note 2089776)


Tips for Risk Analysis Performance Issues (cont.)

• Transport Issues
    - Deleted rules are not transported
    - Make sure that the rules are deleted before transporting the changed rules from source system
    - Make sure that the document objects are activated before transport
    - Make sure all the transports are released before applying support packs
    - Always move the first created transport before moving the second when both share any prerequisite notes or any correction instructions


Tips for Risk Analysis Performance Issues (cont.)

• Connector
    - Make sure that the connector name is meaningful and without any special characters (PRDCLNT100)
• Role Upload File
    - Authorization source is mandatory while importing files with composite and single roles
• Access Request
    - There is no way to remove access request from tables
    - Use cancel request program to abort hanging requests or erred out requests due to any workflow issues
    - Notification variables like SUBMISSION, PROVISIONING are not modifiable


Technical Critical Issues, Bugs — Some Critical PC Issues

Issue: PC Workflow Issue
Description: When an exception is found in a report it needs to go to the issue owner. However, it is not being forwarded to the Issue Owner.
Resolution: SPRO → Workflow Option, Maintain Event Queue Settings

Issue: Organization and Sub process Delimit error
Description: Some sub-processes within organizations tab are not opened up due to delimit error.
Resolution: Executed t-code PP01 and GRFN_STR_CHANGE t-codes to update the valid date for these sub-processes.

Issue: Assessment tab issue
Description: No quick links appear on tab. Instead the message “500 SAP Internal Server error” returns.
Resolution: SPRO → GRC → General Settings → Maintain Authorization for Application Links → Auth.Mode Entity Level Authorization

Issue: Manual Test Plans missing steps
Description: The test steps of test plan in PC10.1 cannot be maintained in more than one language.
Resolution: After the GRC SP-14 implementation the program GRPC_UPLOAD_HRP5327_TO_HRP5355 must be executed only once to copy all existing test steps from old database table HRP5327 to new database table HRP5355. Refer to SAP Note 1949265.


Technical Critical Issues, Bugs — Some Critical PC Issues (cont.)

Issue: Unable to remove control from sub-process during assignment
Description: When assigning a sub-process/control to a facility, all controls within a sub-process are assigned; option to “Remove” controls is no longer available.
Resolution: SPRO → GRC → Shared Master Data Settings → Activate the Risk Harmonization Feature. Add the parameter “Risk_Sync” and check the Activate.

Issue: “Valid From” date is not correct at sub-process level
Description: When assigning a Sub-process to an organization the validity of assigned Sub-process is not correct.
Resolution: SAP Note 2076809

Issue: The report header not exporting
Description: After GRC PC 10.1 upgrade, when we export the reports to Excel, headers are missing.
Resolution: SPRO → IMG → SAP NETWEAVER → UI TECHNOLOGIES → SAP LIST VIEWER (ALV) → Maintain Webdynpro ABAP Specific Settings; Service for Generating Print Version – ADS-Adobe Document Services; Standard Export Format – Excel (in MHTML Format)


Technical Critical Issues, Bugs — Some Critical AC Issues

Issue: Internet Explorer Limitation for GRC 10.x
Description: GRC AC 10.1 runs smoothly on IE 9 and Chrome. New feature like Remediation view and simplified access request mandatorily need IE9 and Chrome.
Resolution: Configure SAP Gateway as per the GRC AC 10.1 installation guide “ACPCRM_10-1_INSTALL”

Issue: Unable to get user level risk violation count in GRC 10.1 ARA
Description: User-level risk violation count is incorrect.
Resolution: Go to SE80 and then click on MIME repository. There you can find 2 applications, ORM and SAP, then navigate to the below path. Click on SAP BC WEB Dynpro SAP Public GRC AC Dashboard Risk_Analysis_user_level.

Issue: Case Sensitive
Description: Due to case-sensitive functionality, you are unable to search the user IDs, roles, etc.
Resolution: Configuration parameter 1022 – Connector for which Object IDs may be maintained case-sensitive needs to be deleted.

Issue: In decentralized firefighting firefighter is not able to perform firefighter logon
Description: When the firefighter tries to log in using firefighter ID then a login window opens up. The Firefighter ID session does not start.
Resolution: Apply SAP Note 1944417.


Technical Critical Issues, Bugs — Some Critical AC Issues (cont.)

Issue: EAM Runtime Error due to time of the database server is not correct
Description: Time Zone issue for EAM logs.
Resolution: Configure SAP Gateway as per the GRC AC 10.1 installation guide “ACPCRM_10-1_INSTALL”

Issue: Unable to get user-level risk violation count in GRC 10.1 ARA
Description: User-level risk violation count is incorrect.
Resolution: Database server time zone needs to be same as GRC and ECC Target systems.

Issue: Case Sensitive
Description: Due to case-sensitive functionality, you are unable to search the user IDs, roles, etc.
Resolution: Configuration parameter 1022 – Connector for which Object IDs may be maintained case-sensitive needs to be deleted.

Issue: Decentralized logging issue
Description: Parameters missing in target system.
Resolution: For decentralized EAM, the following parameters (1000, 1001, and 4010) need to be configured in target system to overcome decentralized logging issues.

Issue: Long Text
Description: Role will not Import with Long Text.
Resolution: Issues resolved by t-code SE75 and creating GRC Text Object and assigned correct Text IDs.


Self-Check-Out Options

• The fastest solution will always be the one you find yourself
• SAP GRC has various outlets that you can use to try to solve issues on your own:
    - Product Documentation
    - SAP Notes, Knowledge Base Articles, and xSearch
    - SAP Community Network (SCN)
    - Quick reference guides
    - How-to documents
    - Meet the Expert sessions
• There are also various tools which you can use to help troubleshoot GRC product issues, such as:
    - Checking error logs and ST22
    - SLG1 log filters
    - Automated Notes Search (ANST) tool/PANKS functionality


Product Documentation

• Available on the SAP Service Marketplace at https://service.sap.com/support *

• Includes the following for all GRC products:

• Installation Guides

• Migration Guides

• Master Guides

• Configuration Guides

• Upgrade Guides

• Security Guides

• Operation Guides

• GRC Product Availability Matrix

* Requires login credentials to the SAP Service Marketplace


SAP Notes, Knowledgebase Articles (KBAs), and xSearch

• SAP Notes typically contain corrections to code-related issues

• KBAs contain non-code-related solutions to help resolve issues

• xSearch works like a Google search: a single query covers multiple repositories

Be as detailed as possible when entering your search criteria. Copy and paste error messages, ABAP dumps, etc.


SAP Community Network

• You can find information related to SAP products, features, and processes on the SAP Community Network (SCN) site. You can also collaborate and communicate with SAP users and experts around the world.

http://scn.sap.com/welcome

• SCN contains a GRC-specific community which has:

Discussion forums: This is a great place for bouncing “how-to” questions off consultants and other GRC users

How-to guides: Numerous guides that provide detailed instructions for some of the more difficult areas of GRC

http://scn.sap.com/community/grc


How to Check Error Logs and ST22

• Before logging a ticket with SAP, check the SLG1 and ST22 transactions in the GRC system and, if the issue is relevant to the plug-in, in the plug-in systems

• Filter the logs using the object and sub-object in SLG1

If you do not know the exact object or sub-object, you can use GR* in the object field

• To get the exact error messages quickly, use a time restriction to capture logs instead of running the report for the whole day

• In some cases, like workflow, you may not see the dump on screen, but it is logged in ST22

• Take the exact error message and search for any notes or KBAs

• For ABAP dumps, go to the “How to correct the error” section to get the exact string to search


SLG1 Log Filters

• Use Object and Subobject filters to retrieve the relevant logs
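
The SLG1 filtering described in the two slides above (object pattern GR* plus a narrow time window), as an added example that is not part of the original presentation: a small ABAP report that runs the same search through the standard application log function module BAL_DB_SEARCH. The report name Z_GRC_LOG_WINDOW and the default time window are assumptions.

```abap
REPORT z_grc_log_window.
* Added example, not from the original deck. The report name and the
* default time window are assumptions. BAL_DB_SEARCH is the standard
* application log search that SLG1 itself is built on.
PARAMETERS: p_obj   TYPE balobj_d DEFAULT 'GR*',
            p_date  TYPE sy-datum DEFAULT sy-datum,
            p_tfrom TYPE sy-uzeit DEFAULT '090000',
            p_tto   TYPE sy-uzeit DEFAULT '091500'.

DATA: ls_filter  TYPE bal_s_lfil,
      ls_obj     TYPE bal_s_obj,
      lt_headers TYPE balhdr_t,
      ls_header  TYPE balhdr.

START-OF-SELECTION.
  " Object filter: CP (pattern match) so that GR* covers every GRC log
  " object when the exact object or sub-object is not known.
  ls_obj-sign   = 'I'.
  ls_obj-option = 'CP'.
  ls_obj-low    = p_obj.
  APPEND ls_obj TO ls_filter-object.

  " Time restriction: only the window in which the error was reproduced,
  " instead of the whole day.
  ls_filter-date_time-date_from = p_date.
  ls_filter-date_time-time_from = p_tfrom.
  ls_filter-date_time-date_to   = p_date.
  ls_filter-date_time-time_to   = p_tto.

  CALL FUNCTION 'BAL_DB_SEARCH'
    EXPORTING
      i_s_log_filter     = ls_filter
    IMPORTING
      e_t_log_header     = lt_headers
    EXCEPTIONS
      log_not_found      = 1
      no_filter_criteria = 2
      OTHERS             = 3.
  IF sy-subrc <> 0.
    WRITE: / 'No application logs matched the filter.'.
    RETURN.
  ENDIF.

  " One line per log header; open the matching entry in SLG1 for details.
  LOOP AT lt_headers INTO ls_header.
    WRITE: / ls_header-aldate, ls_header-altime, ls_header-object,
             ls_header-subobject, ls_header-aluser, ls_header-extnumber.
  ENDLOOP.
```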


SLG1 and ST22 Live Demo

• Demo description


Automated Notes Search Tool (ANST)

• Use ANST, SAP’s new automated notes search tool, to find SAP Notes for the following scenarios:

Errors for which an SAP Note with ABAP corrections exists

Errors caused by customer code

Errors caused by incorrect customizing

• Valid for your system and Support Packages level

• ANST returns only the notes relevant for the replicated process

• ANST is not only for users with a high degree of technical expertise

• ANST is also a debugging tool, as it helps identify the relevant ABAP objects for a program without previous knowledge of the process

• You can also search notes directly from an ST22 dump


Backward Compatibility for Access Control and Process Control 10.0

• The backward compatibility of GRCFND_A V1000 for SAP Access Control and SAP Process Control starts with Support Pack 10 and 12 respectively

• Until SP10 and 12, both GRCFND_A and plug-ins GRCPINW and GRCPIERP needed to be on the same level

In other words, once the plug-ins are on SP10 and 12, the GRC add-on GRCFND_A can be upgraded to SP12 or higher without upgrading the plug-ins


Backward Compatibility for Access Control and Process Control 10.0 (cont.)

• The backward compatibility works both ways as long as GRCFND_A and GRCPI* add-ons are on at least support pack 10 (for SAP Access Control) and support pack 12 (for SAP Process Control)

Refer to SAP Note 1821368 for more information

• GRC Foundation is compatible with the following NetWeaver Plug-in versions:

GRCFND_A    GRCPINW and GRCPIERP
702         702, 730, 731, 740
731         702, 730, 731, 740
740         702, 730, 731, 740


Where to Find More Information

• https://service.sap.com/support *

Various GRC guides and Product Availability Matrix

• https://support.sap.com

Perform specific searches for SAP Notes, Knowledge Base Articles, and more

• http://scn.sap.com/welcome

Information related to SAP products, features, and processes

Collaborate and communicate with SAP users and experts around the world

• http://scn.sap.com/community/grc

Discussion forums and how-to guides

* Requires login credentials to the SAP Service Marketplace


7 Key Points to Take Home

• Hands-on experience is one of the best ways to learn SAP Access and Process Control setup and configuration

• Understanding the details of post-installation will lead to a successful implementation

• Plan for the big picture and think holistically as an integrated platform, not just a single product and today’s top priorities

• Tips and lessons learned from the experts will save time

• Doing it yourself builds knowledge and confidence in the GRC product

• Select the right consultants, not just the least expensive; be sure to validate references, remembering that GRC ≠ PC experience

• Backward compatibility was introduced as of AC 10.0 SP10 and PC 10.0 SP12


Your Turn!

How to contact me:

Mohan Kommanaboina

Email: [email protected]

Please remember to complete your session evaluation


SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

Disclaimer

This presentation is intended solely for informational and educational purposes of conference attendees. KPMG LLP is not endorsing nor recommending the products or solutions discussed in this presentation.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2016 Wellesley Information Services. All rights reserved.