Ac Configuration V1 PDF

Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
POST INSTALLATION:..................................................................................................................................... 3
Step: 001 > Configuring RFC Destination ...................................................................................................... 3
Step: 002 > Active the application in the client ............................................................................................ 6
Step: 003 > Activating the Services ............................................................................................................... 7
Step: 004 > Perform Automatic Workflow Configuration ............................................................................ 8
Step: 005 > Define Business Process & Sub Business Process ...................................................................... 9
COMMON CONFIGURATION: ...................................................................................................................... 10
Step: 006 > Activating BC Sets .................................................................................................................... 11
Step: 007 > Maintain Connectors to Connection Type ............................................................................... 13
Step: 008 > Maintain Connection Settings.................................................................................................. 17
Step: 009 > Maintain Connector Settings ................................................................................................... 20
Step: 010 > Maintain Configuration Settings .............................................................................................. 21
Step: 011 > Maintain Mapping for Actions and Connector Groups............................................................ 23
Step: 012 > Maintain Access Control Owners & other Nominations:......................................................... 24
Step: 013 > Synchronization Jobs................................................................................................................ 29
ACCESS RISK ANALYSIS: ............................................................................................................................... 33
Step: 014 > Create & Maintain Rule Set, Function ID & Risk ID .................................................................. 33
Step: 015 > Generate SoD Rules ................................................................................................................. 39
Step: 015 > Downloading SoD Rules ........................................................................................................... 41
Step: 016 > Uploading SoD Rules ................................................................................................................ 44
Step: 018 > ARA: Run User Risk Analysis..................................................................................................... 45
Step: 019 > ARA: Batch Risk Analysis .......................................................................................................... 48
Step: 020 > ARA: Mitigation Configuration ................................................................................................. 52
EMERGENCY ACCESS MANAGEMENT: ........................................................................................................ 57
Step: 021 > Prerequisite-Maintain Connection Setting .............................................................................. 60
Step: 022 > Prerequisite-Maintain Configuration Settings ......................................................................... 60
Step: 023 > Prerequisite: Create Users and Roles & Maintain in Access Control Owners ......................... 61
Step: 024 > Assign Owner to FFID ............................................................................................................... 64
Step: 025 > Assign FFID to Controller and firefighters ................................................................................ 66
Step: 026 > Create a Reason Code .............................................................................................................. 68
Step: 027 > Firefighter log Synchronization ................................................................................................ 69
Step: 028 > Working of FFID execution by firefighter................................................................................. 70
Sirish Vetcha, Consultant - GRC 10.0 1 of 166

Step: 029 > FFID Reports Execution ............................................................................................................ 71

ACCESS REQUEST MANAGEMENT: ............................................................................................................. 72
Step: 030 > Prerequisite: Create Owners in GRC Server, User and Role in Backend:................................. 73
Step: 031 > Prerequisite: Maintain Connection Settings ............................................................................ 75
Step: 032 > Prerequisite: Maintain Configuration Settings ........................................................................ 75
Step: 033 > Prerequisite: Configure Number Ranges & Activate ............................................................... 76
Step: 034 > Prerequisite: Maintain Provision Settings ............................................................................... 77
Step: 035 > Maintenance of Define Request types – MSMP Process IDs ................................................... 79
Step: 036 > Maintain MSMP Workflow ...................................................................................................... 80
Step: 037 > Find the working of ARM Configuration .................................................................................. 94
BRF+: Business Rule Framework ............................................................................................................... 100
Step: 051 > Generate MSMP Rules for Processes..................................................................................... 102
Step: 052 > Define Business Rule Framework - Execute T-Code BRF+ ..................................................... 105
Step: 053 > Mapping BRF+ Application with MSMP Workflow: ............................................................... 118
BUSINESS ROLE MANAGEMENT................................................................................................................ 125
Step: 038 > Requirements > Maintain Connectors to Connector Group:................................................. 126
Step: 039 > Requirements > Maintain Connection Settings: .................................................................... 128
Step: 040 > Requirements > Maintain Mapping for Actions and Connector Groups: .............................. 129
Step: 041 > Requirements > Maintain Connector Settings:...................................................................... 129
Step: 042 > Requirements > Activate Business Configuration BC-Sets: ................................................... 130
Step: 043 > Requirements > Maintain Configuration Settings: ................................................................ 130
Step: 044 > Requirements > Create Users & assign as Access Owners: ................................................... 131
Step: 045 > Maintain Role type Settings: .................................................................................................. 133
Step: 046 > Requirements > Define Business Process & Sub Business Process: ...................................... 136
Step: 047 > Specify Naming Convention: .................................................................................................. 137
Step: 048 > Define Role Attributes: .......................................................................................................... 138
Step: 049 > Maintain MSMP Workflow: ................................................................................................... 144
Step: 050 > Role Methodology: ................................................................................................................ 152

POST INSTALLATION:
After completing the installation process by basis consultants with software in GRC server & Plugins at
Backend server
GRC Consultant starts his initial tasks called as Post Installation & Pre Implementation by creating the
backend server and maintaining connection settings by activating required applications.
Step: 001 > Configuring RFC Destination
Information We are creating logical backend system which will be connected through RFC connection
from GRC server. Therefore we can say that the backend server is a RFC destination.
RFC connection should always be created in CAPS only.
T-Code SM59
Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Execute Create Connectors
Get the IP Address of the target host and fill at field “Target Host”.
For practice purpose give the same IP address of server we are working.
To get the IP Address Go To “Run” button at windows Start button
Give command “CMD”
Dos Window will be opened.

Give the command “IPCONFIG” & Press Enter
Find the current server IP address and note down the server name

Go to the Path in SAP system

Expand ABAP Connectors
Under “RFC Connections” Click ICON of Create
RFC Destination: XXXXXXX (Give Logical Backend system Name)
Connection Type: 3 – “ABAP Connection”
Give this server name example 200.200.200.200 at “Target Host” & enter
Now find the Target Host fills with India.Server.Com &
IP address field will fill automatically with 200.200.200.200
SAVE

Test the creation of destination by Clicking “Connection Test”
Find below result:
Then Click Remote Logon:
Find below screen

Step: 002 > Active the application in the client
Information GRC have 3 applications in it and have to activate as agreed with the client
AC – Access Control
PC – Process Control
RM – Risk Management
T-Codes
Path Go to SPRO
SAP Reference IMG
General Settings
Execute Active Applications in Client
Click “New Entries”
Select required applications from drop down at 3 different rows
TICK all the selected applications under “ACTIVE” & SAVE
GRC – AC
GRC – PC
GRC – RM

Step: 003 > Activating the Services
Information Here we activate HTTP services. This is used for access Portal, NWBC and Web dynpro
Screens.
T-Codes SICF
Path
Provide Hierarchy Type as SERVICE – HTTP Service through help & Execute
Select required Host under Virtual Hosts/ Services Maximizing “Default_host”

Option available to select
Default Host/ SAP/ GRC/ NWBC/ AC/ PC
Recommended to select SAP
(Please don’t double click. Just Select)

Select “SERVICE/ HOST” Tab at Menu

Select Activate
Step: 004 > Perform Automatic Workflow Configuration
Information We 5 events related to workflow and all should be in Green Tick Mark. Each event has the
sub events and should ensure all these are also in green.
T-Codes

Path Go to SPRO
SAP Reference IMG
General Settings
Workflow
Execute Perform automatic workflow customizing
Step: 005 > Define Business Process & Sub Business Process
Information The business processes are already given by SAP. The Sub processes are to be created by
us as per the client requirement. If the client don’t provides then consider the business
process only as sub process and maintain the same because maintaining the sub process is
mandatory.
T-Codes
Path Go to SPRO
SAP Reference IMG
Access Control
Execute Maintain Business Process & Sub Process

Select required Business Process for which we propose to maintain Sub Business Process
Example take FI00 & Double click Business Subprocess
Click New Entries
Give the Sub Business Process as below & SAVE
COMMON CONFIGURATION:
If we don’t maintain all integration scenarios for the connector, then system will through a dump when
we try to login with firefighter ID, using GRAC_SPM or GRAC_EAM transaction.
Fix it at Maintain Connection Settings in common component settings.

Step: 006 > Activating BC Sets
Information Maintain BC Sets. These Business Configuration sets are to be maintained in a perfect
sequence.
List of BC Sets to be maintained are:

APPLICATION BUSINESS CONFIGURATION SET
GRC_MSMP_Configuration
WORKFLOW GRC_MSMP_Sample_Conf
GRC_MSMP_STD_Conf
GRAC_RA_Ruleset_Common
GRAC_RA_Ruleset_SAP_APO
GRAC_RA_Ruleset_SAP_Basis
ACCESS RISK
GRAC_RA_Ruleset_SAP_NHR
ANALYSIS
GRAC_RA_Ruleset_SAP_R3
GRAC_RA_Ruleset_SAP_ECCS
GRAC_RA_Ruleset_SAP_HR
EMERGENCY
ACCESS GRAC_SPM_Criticality_ Level
MANAGEMENT
GRAC_Access_Request_Req_Type
ACCESS REQUEST GRAC_Access_Request_Priority
MANAGEMENT GRAC_Access_Request_APPL_Mapping
GRAC_Access_Request_EUP
GRAC_Role_MGMT_Landscape
BUSINESS ROLE GRAC_Role_MGMT_Methodology
MANAGEMENT GRAC_Role_MGMT_Pre_Req_Type
GRAC_Role_MGMT_Role_Status
GRAC_Role_MGMT_Sentivity
T-Codes SCPR20
Path
Go to BC Set field
Use help level

Give GRC* for 3 workflow related BC sets & GRAC* for other access control related BC Sets
Select the required BC Set

Click Activation Button
Click to continue
Windows activation option will be opened

Under overwrite data: 1st time select overwrite & next time onwards select do not overwrite
Under select activation mode select Expert mode
Analyze the other options to know more.
Step: 007 > Maintain Connectors to Connection Type
Information Here we maintain 2 important configarations:

1. Define Connection Type: The connector created by us in the 1st step is the backend
server & here we are defining the connector type whether it is SAP or LDAP or EP
(Enterprise Portal) etc.

2. Create Connector Group & Add our connector to the Group: Connector Group is
created and we can add the backend servers to this group. It is suggested to use the
connector groups given by GRC - SAP_BAS_LG, SAP_APO_LG, SAP_R3_LG, SAP_CRM_LG,
SAP_HR_LG, SAP_SRM_LG etc.
Here we suggest use the sap given connector groups instead of creating new one. If any
customizing is required to do then copy the connector group and can customize.
Further we can activate the actions at connector group level instead of each connector.
These connector groups are especially useful while doing function mass maintenance.
(Adding one function in multiple systems) We can also generate rules for multiple systems
using a connector group.
T-Codes
Path Go to SPRO
SAP Reference IMG
Maintain Connectors and Connection Types
After creating connectors > we have to say what type of connection we connect at backend.
Connection type is the type of backend system. Types of backend we use is SAP for IDM we will select
Web Services.

Select the required back end type: Let’s take SAP

Select “SAP-SAP System”
Double Click “Define Connectors”
Fill as below:
Target Connector: Use help and select already created connector
Connection Type: Use help & select SAP as we have taken backend as SAP
Source Connector: Give here also the Target Connector name only
Logical Port: Give here also the target connector name only
Max No. of BG WP: Background work in progress > Give 3 here
SAVE
Double Click Define Connector Group

Give Connector Group Name, Connector Group Text, Type & SAVE

Select created connector group & double click Assign Connectors groups to Group type:
Here we are defining type of connector group. The type is LOGICAL GROUP.
Select from drop down & SAVE.

Now again select the connector group & double click Assign Connectors to Connector Groups
Click New Entries
Give the Target Connector using help level and mention connector type as SAP & SAVE
Step: 008 > Maintain Connection Settings
Information Here we activate different integration scenarios called work areas and assign them to
connector.
We have 4 work areas
AUTH: Authorization Management – Related to ARA
PROV: Provisioning – Related to ARM

SUPMG: Super User Privilege Mgmt. – Related to EAM

ROLMG: Role Management – Related to BRM
T-Codes
Path Go to SPRO
SAP Reference IMG
Execute Maintain Connection Settings
Use help and select a work area & Click Continue

Double click Scenario Connector Link

Give Target Connector from help level & after selecting just press enter
Find connection type & text prefills automatically & SAVE
If require to find the Scenario Connection type link Select given work area & double click “Scenario-
Connection type Link”
Find the interface used for connection type

Step: 009 > Maintain Connector Settings
Information Till now we have created a connector & mentioned the connection type is SAP assigned
the connector to a connector group. Now, we maintain the connecter type that is the
server environment whether it’s a Development or Testing or Production. The connector
we created in the 1st step is to be maintained its environment now.
If we use the connector for Role Management it should be development because any role
is to be created in development first. Later it will move to testing and production
If the connector is related to ARA we have to maintain the Production as the users are
maintained in the production server
The ideal way of connection at the time of development will be as below:

ARA: EAM: ARM: BRM:
GRD PRD GRD PRD GRD PRD GRP DEV
GRQ PRD GRQ PRD GRQ PRD GRP TEST
GRP PRD GRP PRD GRP PRD GRP PRD
Many companies maintaining the GRD, & GRT in same server with different client & GRP
in separate server
We have complete discussion on this in project document
Path SPRO
SAP Reference IMG
Access Control
Maintain Connector Settings
Target Connector is selected using help
Application Type is the connector type – SAP

Environment for which we are connected now in backend > DEV/ PRD/ TST
Tick PSS > Password Self Service & SAVE
Here we maintain Development
We have also a provision to maintain attributes for this version.
Find the application types GRC supports:
Step: 010 > Maintain Configuration Settings
Information In this step we will set the parameters for the access control components. This
parameter will define the behavior of the systems or respective module.
E.g. Default risk level when running a risk analysis, default rule set, user type etc. In EAM
we can maintain the maximum issuance days of FFID access to the user etc.
Path SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control

Maintain Configuration Settings

Example of Maintained Parameters:
Parameter Group Parameter ID Parameter Value Priority Description
Risk Analysis 1023 02
Risk Analysis 1024 *
Risk Analysis 1025 GLOBAL
Risk Analysis 1026 A
Risk Analysis 1027 NO
Workflow 1061 NO
Workflow 1062 NO
Workflow 1113 WF-BATCH
Workflow 3022 21
Workflow 3023 5
Emergency Access Management 4000 1
Emergency Access Management 4001 30
Emergency Access Management 4002 YES
Emergency Access Management 4010 SAP_GRC_SPM_FFID
UAR Review 2004 011
UAR Review 2005 007
UAR Review 2006 Manager
UAR Review 2007 YES
Risk Analysis - Access Request 1071 NO
Risk Analysis - Access Request 1072 NO
Role Management 3003 AC10.0
Role Management 3004 PRD
Role Management 3005 NO
Access Request Role Selection 2031 YES
Access Request Role Selection 2036 NO
Access Request Role Selection 2038 NO
Access Request Default Roles 2009 NO
Access Request Default Roles 2011 REQUEST
SOD Review 2016 010
SOD Review 2017 009
SOD Review 2018 MANAGER

SOD Review 2019 YES

SOD Review 2023 NO
Assignment Expiry 2041 10
Access Request Training 2024 WS
Verification
Elaborate discussion on each Parameter group with open option in attachment:

AC - Parameters.xlsx
Step: 011 > Maintain Mapping for Actions and Connector Groups
Information The connector-group we are using has various connectors in it like HR backend server,
Non-HR backend server, BI backend server, Development, Testing, Production, etc.
We use GRC server to maintain many things at backend. Like create a role through role
methodology from GRC server. Here the role created through GRC server will push the
role from GRC server to targeted backend server. The targeted backend for this purpose
should be development because the role is to be created always in development, and
after testing in quality it moves to production.
For this purpose we keep development as default in the connector group for Action Role
Generation.
GRC gives us actions and for each action we can map our default connector-backend
server among the connectors available in Connector Group.
The actions GRC provided is:
- Role Generation
- Role Risk Analysis
- Authorization Maintenance
- Provisioning
- HR Trigger
T-Code
Path Go to SPRO
SAP Reference IMG
Access Controls
Execute Maintain Mapping for Actions and Connector Groups
Click New Entries

Update the group status as below:
Connector Group: Select the Connector Group using help
Activate: Tick activation
Application Type: Select 01-SAP & display as 1
SAVE

Find the created connector group with other list

Select the created connector group as seen in above screen shot &
Double click “Assign default connector to connector group” available in the left side pan.
Then Click New Entries
Provide the information as below:
Connector Group: Select above connector group with help
Action: Select one after another
0001: Role Generation
0002: Role Risk Analysis
0003: Authorization Maintenance
0004: Provisioning
0005: HR Trigger
Update Target Connector using help
Tick default
SAVE
Step: 012 > Maintain Access Control Owners & other Nominations:
Information GRC provides compliance business process. That is all the activities related to Role, User,
Emergency access and other access administrations are run in a designed workflow with
approvals and documents all the process as it is.
Example: If the management decides with its audit committee in the board that all the
authorities provided to the end users through accesses follow standard approval process

making officers at different levels responsible. GRC helps in the governance of

executing the agreement had with audit committee. If the client is having 50000
employees and average 10 roles to each one means half a million accesses are provided to
the end users. GRC ensures that all the accesses 100% follow certain approval process by
user’s manager, role owner (authorization approver), security etc. in assigning them.
As we maintain all the roles, emergency accesses, SoD risks, Critical risks, etc. in GRC
server we make certain officers responsible for these as owners.
These owners list is provided by the client as per there design. We have to configure them
later in different places as agreed with the clients. Before placing them we have to
mention them in the Access Owners which we do now.
All these owners, monitors, controllers are created as users through SU01 in GRC server
and to be assigned with certain SAP predefined roles as mentioned in below table. They
may have access in different backend servers. But, they are the end users there.
a. Fire Fighter ID Owner: Will be approving the FFID access to user

b. Fire Fighter ID Role Owner: Will be approving the FFID role changes
c. Risk Owner: Will be maintaining the particular risk impacts by t-codes combination
d. Role Owner: Will be owner to maintain the role & approves the changes to the role
e. Mitigation Monitors: Will monitor & controls the implementation of controls for risk
f. Mitigation Approvers: Will approve the implementation of control to mitigate risk for a risk ID
g. Fire Fighter ID Controllers: Monitors and controls a FFID & maintains particular FFID
h. Fire Fighter Role Controllers: Maintains FFID role & approves the changes to role
i. Point of Contact: Uses on escape conditions & escalations etc.
j. Security Lead: Head of security & GRC team uses on any major changes for approval
k.
For details of role description etc. please use the attached file: ACCESS_OWNERS_R
OLES_V1.xlsx
Prerequisites: Create the users in GRC server and assign below roles to them:
PLATFORM OWNER TYPE ROLES TO BE ASSIGNED IN GRC

EAM FFID Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_SUPER_USER_MGMT_OWNER
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
EAM FFID Role Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_REPORTS

SAP_GRAC_SPM_FFID
SAP_GRC_FN_BASE
ARA Risk Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_CONTROL_APPROVER
SAP_GRAC_CONTROL_MONITOR
SAP_GRAC_REPORTS
SAP_GRAC_RISK_OWNER
SAP_GRC_FN_BASE
BRM Role Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_REPORTS
SAP_GRAC_ROLE_MGMT_ADMIN
SAP_GRAC_ROLE_MGMT_DESINER
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
SAP_GRAC_ROLE_MGMT_USER
SAP_GRC_FN_BASE
ARA Mitigating SAP_GRAC_BASE
Monitors SAP_GRAC_NWBC
SAP_GRAC_CONTROL_OWNER
SAP_GRAC_REPORTS
SAP_GRC_FN_BASE
ARA Mitigating SAP_GRAC_BASE
Approvers SAP_GRAC_NWBC

SAP_GRAC_REPORTS
SAP_GRC_FN_BASE
EAM FFID Controllers SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_REPORTS
SAP_GRAC_SPM_FFID
SAP_GRC_FN_BASE
EAM FF Role SAP_GRAC_BASE
Controllers SAP_GRAC_NWBC
SAP_GRAC_REPORTS
SAP_GRAC_SPM_FFID
SAP_GRC_FN_BASE
GENERAL Point of Contact SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_REPORTS
SAP_GRC_FN_BASE
GENERAL Security Lead SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_ACCESS_REQUEST_ADMIN
SAP_GRAC_ALERTS
SAP_GRAC_REPORTS
SAP_GRAC_RULE_SETUP
SAP_GRAC_SETUP
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_ADMIN
SAP_GRAC_SUPER_USER_MGMT_CNTRL

SAP_GRC_FN_BASE
Let us assign the users also who requires the special roles to be assigned at the same time
as 1 activity:
EAM FFID User SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_END_USER
SAP_GRC_FN_BASE
SAP_GRC_FN_BASE
ARA Access Req. End SAP_GRAC_ACCESS_REQUESTER
User SAP_GRAC_BASE
SAP_GRAC_END_USER
SAP_GRAC_NWBC
SAP_GRC_FN_BASE
Path NWBC  SAP_GRAC_NWBC  Set Up  Access Owners  Access Control Owners 

Click “CREATE”
Give the User name at “Owner” field, whom we have decided to maintain.
Here we also can maintain for Group created in SAP & even LDAP
Select (through TICK) which type of owner we proposed to assign in the list.
Fill the comments with information as per best practice SAVE & CLOSE

_____________________________________________________________________________________
Step: 013 > Synchronization Jobs
Information GRC is a central administrator of all the backend servers which works for and with data of
backend servers - roles, users, there accesses etc. Therefore the data synchronization plays very
important activity in GRC.
We have various synchronizations where each one syncs different data from backed.
I) Authorization SYNC:
We use this synchronization job to sync authorization master data from the backend servers and store it
in the GRAC repository.
If this program is not executed, we cannot add any T-Code to the functions or we will not see any
authorization object details in functions.
Authorization Object, Authorization Object clauses, authorization level values, authorization level
transactions, & SU24 settings are synchronized through this activity.
Plain master data like which authorization object have which fields, which T-Code has which
authorization object will sync
This synchronization updates data of the following:

Resource Sync: Permissions, resources, and descriptions for authorization objects.
Action Sync: Descriptions for actions and permissions and resources for authorization objects.
Resource Class Sync: Permissions and resources for authorization object classes and their relationships
Resource extension: Organization level, activities level, and descriptions for resource extensions.
Default SU24
Values Sync: Default authorization object and field values for actions.

Authorization sync is suggested to do once every day in nonpeak hours
Authorization Sync can be done through 3 methods:

1) Through executing the Program as given below
Program: GRAC_PFCG_AUTHORIZATION_SYNC
This program is to be run through SA38 or SE38.
This program can be schedules on weekly basis or as per the client requirement
2) Through T-Code as given below

T-Codes: GRAC_AUTH_SYNC
3) Through Path as given in the path below

Path: Go to SPRO
SAP Reference IMG
Access Controls
Synchronization Jobs
Execute Authorization Sync
The connector fields can be * (all) or can select individual backend server
Fill the Connector: Using Help
II) Repository Object Synchronization:

Here it synchronizes data of Profiles, Roles & Users with its relationships (profiles to roles & roles to
users) from backend and legacy systems and stores in GRAC repository.
This activity allows us to select from the following synchronization options:
Profile Sync : This is required to sync for the SoD risk analysis of profiles
Role Sync : This is required for the SoD risk analysis of the roles
User Sync : This is required for the SoD risk analysis of the users
On selection of synchronization Jobs as required – PROFILE/ ROLE/ USER
Find the Logic:
If we select Profile only profiles will be selected & synchronizes
If we select Roles observe that Profiles also will get automatically selected. This is because all the roles
contain profiles and Profiles can exist without roles and roles exist with profiles so automatically gets
selected. To run risk analysis of the role Profile generation is enough role generation is not required.
When we select User both role and profile will be selected automatically. This is because GRC have tasks
with users have assigned with roles only. Users with no assignment of roles are not required to GRC as

no activities exist for them. One of the important activity is to run the risk analysis of the users for which
this data is required.
Full Sync Mode is advised to do once every 24 hours at nonpeak hours.

Incremental Sync Mode: Incremental synch job is executed on hourly basis that is 24 times per day.
Repository Object Sync can be done through 3 methods:

1) Through executing the Program as given below
Program: GRAC_REPOSITORY_OBJECT_SYNC
This program is to be run through SA38 or SE38.
This program can be schedules on weekly basis or as per the client requirement
2) Through T-Code as given below

T-Codes: GRAC_REP_OBJ_ SYNC
3) Through Path as given in the path below

Path: Go to SPRO
SAP Reference IMG
Access Controls
Synchronization Jobs
Execute Repository Object Synchronization
The connector fields can be * (all) or can select individual backend server
III) Action Usage Synchronization:

Using this job we can synchronize the action or transaction usage data from back end system to GRAC
repository. Action usage data is the data related to the user executed transactions.
This is required as audit information of emergency access management.
Suggested to sync once every day in non-peak hours
Action Usage Synchronization can do through 3 methods:

1) Through executing the program as given below:

Program: GRAC_ACTION_USAGE_SYNC
2) Through T-Code as given below:

T-Code: GRAC_ACT_USAGE_SYNC
3) Through path as given below:

Path: SPRO
SAP Reference IMG
Access Control
Synchronization jobs
Connection Usage Synchronization
Give the Connector as Blank or * if all the backend servers are required
Give the Users as * or A* to Z*
IV) Synchronize Role Usage Sync:

We can sync the role usage data from back end server to GRAC repository. T-Codes used from roles & its
frequencies by users are synchronized here.
Suggested to sync once every day in non-peak hours
Role Usage Synchronization can done through 3 methods:
1) Through executing the program as given below:
Program: GRAC_ROLE_USAGE_SYNC
2) Through T-Code as given below:

T-Code: GRAC_ROLE_USAGE_SYNC
3) Through path as given below:

Path: SPRO
SAP Reference IMG
Access Control
Synchronization jobs
Role Usage Synchronization

ACCESS RISK ANALYSIS:

One of the important activities of GRC is providing the risk analysis report including SoD risk and critical
risk of Users, Roles & Profiles.
The factors of this are:
1) Data of users and there accesses to different roles and profiles in the roles with list of t-codes and its
authorizations. All the data from backend server is synchronized mainly through repository object sync.
2) Rule set and its maintenance in GRC Server
We have seen the synchronization information in step 13 under common configuration and let’s see the
rule set related information and configuration with reports in ARA
We cover:
 Customizing of Current Rule Set

 Creation of New Rule Set
 Maintenance of all Rule Sets
 Run Risk Analysis
 Create & Maintain Mitigation ID
 Assign & Maintain Risk Owner, Mitigation Monitor & Mitigation Approver
 Reports
Step: 014 > Create & Maintain Rule Set, Function ID & Risk ID
Information This is the transporting rules between GRC System. Here we generate rules for all risks.
Eg: Add - VA01, VA02 in a function ID #1 & VB01, VB02 in another function ID #2
Risk #001 exists in combination of Function1 & 2.
System will generate rules in each risk with different combinations of t-codes from both
the function IDs.
VA01 + VB01 = Risk1 > Rule1
Set of all these rules is a Rule Set. Global is the rule set given by GRC.
If customization is required it’s suggested to copy & customize Global rule set.
Customizing includes:
1) Creating or maintaining Function ID by with T-Codes in it
2) Creating or maintaining Risk ID with combinations of different function IDs
3) Generating the risk after making the changes
1st Create Rule ID:

T-Code
Path NWBC  SAP_GRC_NWBC  Rule Setup  Access Rule Setup  Rule Sets
Create

Give New Rule Set ID Name, Description & Save
2nd Create Function ID:

T-Code
Path NWBC  SAP_GRC_NWBC  Rule Setup  Access Rule Setup  Functions
Create

Give name of the Function ID as per naming convention

Give Business Process, Analysis Scope to be given as Single System.
Provide description
Under Action > Click Add
Provide Back end system from which we extract the T-Codes to maintain in function ID
Action: T-Codes to be provided under the function ID and Press Enter

Find t-code description updated automatically
Status to be ACTIVE
Press Add button to add New T-Code

To control from authorization object level use Permission Tab

SAVE
In the same way > Create another Function ID with other t-codes

3rd Create Risk ID:

T-Code
Path NWBC  SAP_GRC_NWBC  Rule Setup  Access Rule Setup  Access Risks
Create
Give: Risk ID, Risk Type, Business Process, Description, Risk Level, & Status.
Fill: Description of Risk and Suggested Control Objective
Risk Level: Exists 4 levels of risks: High, Medium, Low and Critical
Critical is the system level risk and others are Business Process risks
Add: Select Function IDs

Select Rule Set ID in the Rule Sets tab & SAVE
Provide the Risk Owners created in step 12

SAVE
_____________________________________________________________________________________
Step: 015 > Generate SoD Rules
Information The risk ID we have created in the step 13 are to be generated now.
This will generate rules in the risk we have created.
Please refer the explanation of rule set to find more information
T-Code
Path SPRO
SAP Ref IMG
Access Control
Access Risk Analysis
SoD Rules
Generate SoD Rules
Provide the Risk ID for which we require to generate rules.
Also can give the range of Risk IDs by using the fields From & To
Execute
Find the message generated at bottom of the screen as below:

Also can generate the rules through NWBC:

Path NWBC  SAP_GRC_NWBC  Rule Setup  Access Rule Maintenance  Access Risks
Select the created Risk ID & Click Generate Rules & Select Foreground
Confirm the Risk ID created for combination of function ID
Rules get generated and find 2 hyperlinks to see the rules generated:
Action Rules contains combination of T-Codes between 2 function IDs in the risk ID
Permission Rules contains combination of authorizations between 2 function IDs in the risk ID

Inside the “View Action Rules” find the details in below screen:
Find 1 Risk ID having 2 Rule Ids with 2 Function Ids with its T-Codes in it
We have a Function ID #1 with 1 T-Code-PFCF & Function ID #2 with 2 T-Codes-SCC1 & SU01
Risk ID created with the combination of these 2 function IDs
Find the rules generated with the t-codes combination between 2 function IDs 1 X 2 = 2 rules
Rule ID 0001 = Fn ID 1 & 2 = PFCG Vs SCC1
Rule ID 0001 = Fn ID 1 & 2 = PFCG Vs SU01
If we go to the “View Permission Rules” find the extra columns Resource & its extension – Auth. Obj.
_____________________________________________________________________________________
Step: 015 > Downloading SoD Rules
Information The information of the rule set is maintained in 9 separate files having relationship
between each other. This is to provide flexibility like maintenance certain risk IDs in 2 or
more rule sets etc.
The downloaded file can be opened through word pad. All the files contain the
information in 2 languages English & German.
1) Business Process: Business process maintained in the GRC server will be downloaded here with its
Code, Language & Description.
These include all the business processes irrespective of predefined by SAP as well as created.
Find the attached actual file downloaded:

Find the example below:

BP Code Language Description
AM EN Account Maintaining
AP00 DE APO
AP00 EN APO
BS00 EN Basis
BS00 DE Basis
CA00 EN Cross Application
CA00 DE Zusammengesetzte Anwendung
CR00 DE CRM
CR00 EN CRM
EC00 EN Consolidating
EC00 DE Konsolidierung
FI00 DE Finanzwesen
FI00 EN Finance
HR00 DE HR and Personalabrechnung
HR00 EN HR and Payroll
MM00 EN Materials Management
MM00 DE Materialwirtschaft
PM00 EN Plant Maintenance
PM00 DE Instandhaltung
PR00 DE Beschaffungsprozess
PR00 EN Procure to Pay
SD00 DE Auftragsabwicklung
SD00 EN Order to Cash
SR00 EN EBP and SRM
SR00 DE EBP and SRM
2) Function: Function IDs with its description and its SoD status as “S” will be downloaded here in
English and German.
Attached the downloaded file:
3) Function Business Process: This file gives us the information of existing function ID with its Business
Process ID.
Attached the downloaded file:
4) Function Actions: List of T-Codes in each function will be presented in this file.
5) Function Permissions: List of auth. objects in each function will be presented in this file.

6) Rule Set: Rule Set name is down loaded here in both the languages English & German,
Attached here the file downloaded:
7) Risk: Report of Risk ID with combination of Function ID1 & Function ID2 and its Business Process is
generated.
Attached here the file downloaded:
8) Risk Description: Risk ID with its risk description in 2 languages English, & German are downloaded.
Attached here the file downloaded.
9) Risk Rule Set Relationship: Risk ID with rule set name is downloaded. This shows that which risk ID
belongs to which rule set.
Attached here the file downloaded.
T-Code
Path SPRO
SAP Ref IMG
Access Control
SoD Rules
Download SoD Rules
Give the backend server i.e. created connector in 1st step

Give the path of destination with file name against each report gets downloaded.
Execute
Find 9 files downloaded in the destination as given by us above.
The files are down loaded which can be opened through WordPad and observe that the report don’t
maintain any headings. To have detailed explanation on each report refer above information provided
by us and also can refer sample files attached at each level.
Please find the analysis done by us on Global Rule set in attached file here: RULESET_ANALYSIS.
xlsx

Step: 016 > Uploading SoD Rules
Information After downloading the existing SoD rules from GRC system we can make required
changes in the downloaded 9 files and here we will upload again by providing the path
to the file. We can overwrite the existing SoD rules in GRC or also can add this to the
existing rules.
As per the best business practices we suggest always to Add/ Append instead of
overwrite.
T-Code
Path SPRO
SAP Ref IMG
Access Control
SoD Rules
Upload SoD Rules
As the way we followed in download SoD rules,
We give the backend server i.e. created connector in 1st step.
Give the source of each file prepared to upload in all 9 fields. Upload the changed document as required
“Append” Append is adding these uploaded rules to the existing rules in SAP GRC suit.

“Overwrite” Overwrite is erasing existing rules in the SAP GRC suit and existence of these uploaded
rules.
Execute
_____________________________________________________________________________________
Step: 018 > ARA: Run User Risk Analysis

Information Here we find how to generate risk analysis for User at basic level.
We will provide the inputs at the screen of NWBC path mentioned below and find the
different options of report and format we get below.
T-Code
Path NWBC  SAP_GRC_NWBC  Access Management  Access Risk Analysis  User

Level
Provide the input to the screen:
System : Give created connector in 1st Step
User : Give the User name using search
+ : Use ‘+’ after User to run for one more user
User Group : Give the group if want to run for user group (Here don’t select & ‘-‘)
+ : Use ‘+’ after User Group to run for one more User Group
Risk Level : Select the sensitivity of the risk we want to run – Select All
Rule Set : Select the rule set from drop down
+ : Use ‘+’ after Rule Set to give one more rule set
User Type : Give Dialog or any other user type as required from drop down
Report Options : At initial stage select ‘Action Level’ & ‘Permission Level’
Run : Select ‘Run in Foreground’
We can make it as a variant & can select this when we want to run at same values

Report gets generated & you can find the option we can use at basic level report:
Expand top header ‘Analysis Criteria’ and find the selected options above
We can change the report from Action (t-code) level to Permission (Auth. Obj.) level
We can change the report format as Summary, Detail, Management Summary, & Executive Summary
Option 1) Action Level Report & Summary Format:

Option 2) Action Level Report & Detail Format: Function ID & Role/ Profile is provided
Option 2) Permission Level Report & Detail Format: Auth Obj its extension & values also provided here
Option 3) Management Summary is very simple report at top level with hyperlink to details level:

Option 3) Executive Summary is very simple report at top level with hyperlink to details level:
This is generally used by executives who work on maintaining to find the risks ID with list of conflicts:
_____________________________________________________________________________________
Step: 019 > ARA: Batch Risk Analysis
Information Batch risk analysis is the risk analysis which will run in more number of Users, Roles,
and Profiles & HR Objects. This can be schedules as a background process. Generally
this is used for Reports and Analysis. This is executed on daily basis which will be part
of MIS on SoD. This will be running in nonpeak hours.
T-Code
Path SPRO
SAP Ref IMG
Access Control
Batch Risk Analysis
Execute Batch Risk Analysis
Give the Job Name
Give Server Name
If the analysis is running at daily basis > Run at Incremental mode
If the analysis is running at initial stage > run at Full mode
Give the Rule set to take as source for finding the risks
Under Object Section:
Can give * at User, Role, Profile, & HR Object fields
Tick> Action Level

Tick> Permission/ Critical Action/ Critical Permission Level

Tick> Critical Role/ Profile Level
Execute
Can go to SM37 and check the recent jobs performed.

The other way to find the status of recent background jobs and its report is explained below:
To find out the status of the report as well as to open the background report:
Path SPRO
SAP Ref IMG
Access Control
Batch Risk Analysis
Monitor Batch Risk Analysis
Provide the Job Name:
Execute
Find the job name displayed with its status:

If it says In Process > Wait till it gets complete
Use the same path & process till here & find the status as Successfully Completed
Double click the line item with Job Name

Find the Package Data displayed

Double Click the displayed line item
Find the below report generated

List of users have risk with System. User name is under the column ‘SOD Object’:

Step: 020 > ARA: Mitigation Configuration
Information Access is not suggested to approve when risk exists to user based on the roles he have.
In this condition manager or role owner who ever approves the access to user should
take below actions:
Remediate: Removing the role creating conflict
Mitigation: Risk exists can be justified & can be mitigated through a compensating control.
Therefore GRC have given the provision to systematize the mitigating controls with ID,
its owner and controller. This will be in execution under Process Control platform.
After finding the risks in ARA for a user or role or a profile the manager can assign
mitigating control at the same screen by just clicking button ‘MITIGATE’
For this we have to configure the mitigating controls which will be discussed now.
Prerequisites of Mitigating Control Configuration:

1. Create Mitigating Owner through SU01 and assign required roles

2. Create Mitigating Monitor through SU01 and assign required roles
3. Assign the above 2 in Access Control Owners under Access Owners in Setup Tab of NWBC
4. Create Organization Structure Hierarchy
5. Define Mitigating Control ID
6. Activate workflow
First 3 steps were done in Step 11 where we have created all owners, assigned required
roles, and maintained in Access Control owners at NWBC
4: Create Organizational Hierarchy:
Create Root Organizational Hierarchy:
Information The access control owners maintained in step 12 includes mitigating approvers and
mitigating controllers. Now we have to assign them here as mitigating approver &
mitigating monitor while creating the mitigating ID. Before going ahead with this activity
we have to also assign them in the organization hierarchy either standard or risk org not
at root org level but at child org level. This will reflect in the process control activities.
To find the organizational Hierarchy HR t-codes PPOSE & PPOME also can be used.
T-Codes
Path SPRO
SAP Ref IMG
Shared Master Data Settings
Create Root Organizational Hierarchy
Against Organizational view: we get 2 options
002 – Standard Hierarchy and 003 – Risk Hierarchy
For the purpose to maintain mitigating configuration we select
003 – Risk Hierarchy
Against Root Organization Unit & Child Organization Unit
Give the names as per the naming convention
Ensure you validate the From Date as required.
EXECUTE

Find the below message at the bottom of the screen:
Add Mitigating Control Monitor & Approver to the Organizational Hierarchy:

Create Organizational Hierarchy > Risk Hierarchy
Path NWBC  SAP_GRAC_NWBC  Setup  Organizations  Organizations
Select ‘Risk Hierarchy’ against View
Maximize the required Root Org where we have to maintain
Select the Child Org opened after Maximizing.
Click Open
Go to the Owners Tab

Add Owner & SAVE

Create Mitigating Control ID
Path NWBC  SAP_GRAC_NWBC  Setup  Mitigating Controls  Mitigating Controls
Click: ‘Show Quick Criteria Maintenance’ & find the fields in it

Click: ‘Create’
Fill the Mitigating Control ID, Name, Description, Process, Notes &
Click Organization:

After General Tab Go to Access Risks Tab

Click ‘Add Row’
1st Provide the Risk ID for which we created this mitigating ID through help & Click ‘Start Search’

The Rule ID with description is updated & Go to Owners tab:
Go to the owners tab>

Click Add Row: At Name use help & select the Approver & Select Approver at Assignment Type
Click Add Row: At Name use help & select the Monitor & Select Monitor at Assignment Type
_____________________________________________________________________________________
EMERGENCY ACCESS MANAGEMENT:

In GRC 10.0v Centralized Emergency Access is introduced which we don’t have in GRC 5.3v.
This feature centralizes firefighting and administration across all systems. New workflow provides an
auditable process for tracking log report approval.
This reduces the efforts required to grant and provision emergency access to multiple systems.
Provides a structured, documented process around emergency access
Access Control centralizes firefighter access and administration, enhances provisioning and introduces
automation to the log review process.
Unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular
security, transport and archiving.
In GRC 10, from support pack 10 onwards SAP also provided decentralized fire fighting

1545511 is the note number SAP have given to prevent firefighter IDs direct login to backend systems.
This makes extra check while logging.
If we don’t maintain all integration scenarios for the connector, then system will through a dump when
we try to login with firefighter ID, using GRAC_SPM or GRAC_EAM transaction.
Fix it at Maintain Connection Settings in common component settings.
In 5.3, firefighter is separately created for each ERP and the navigation controller is also created in
sequence for each firefighter. In GRC 10 we have a solution of centralized emergency access. Here all
the ERPs are connected to GRC system and in it all the participants are created where a single GRC
system is sufficient for all the backend ERPs.
Participants in EAM are:
 Fire Fighter: User requesting emergency access, who executes transactions through FFID access
 Fire Fighter ID: User ID with elevated privileges. It can be only be accessed in GRC server using
transaction GRAC_SPM or GRC_EAM
 Fire Fighting: Act of using a firefighter ID. The execution activity taken place through firefighter ID
 Owner: User responsible for firefighting ID and the assignment of controlling and firefighting.
 Controller: Reviews and approves. If necessary the log files generated by a firefighter.
 Reason Code:
 Reporting:
2 types of firefighting applications exist in GRC 10:

ID Based fire fighter: The fire fighter ID created in the remote system will be assigned to the user in the
GRC system either manually or via an access request. The fire fighter accesses their assigned FFID in the
GRC server using the SAP GUI and transaction GRAC_SPM. The fire fighter ID for all remote systems
assigned to the fire fighter will be accessed from this transaction.
Role based Fire fighter: The fire fighter role created in the remote system will be assigned to the user in
the GRC server. The fire fighter directly logs in to the remote system using their user ID and performs
the activities which are provided in the user’s role and fire fighter role assigned to the user.
We have to configure the type of EAM in AC parameters at IMG - Maintain configuration settings under
AC. The Parameter group is EAM & Parameters ID is 4000. The value is to be selected either ID or Role.
Only one application type can be configured at a given time.
It is recommended to use ID based fire fighter application and so far it was found no clients used role
based firefighter.
Architecture:
The main application runs in the GRC server. It is possible to maintain the user assignments for all
systems using NWBC or the portal.
Provisioning of emergency access also can be done via access requests (workflow)
The web interface facilitates the following:
Firefighter ID/ FF Role Owner Maintenance
Firefighter ID/ FF Role Controller Maintenance
Reason Code maintenance (System Specific)
Firefighter ID/ FF Role assignment to Firefighter, Owner, Controller
Firefighter access is done centrally using the GRC server. Firefighters will log on to the GUI backend and
execute transaction GRAC_SPM. Firefighter IDs for emergency access for all systems assigned to the user
will display.

Step: 021 > Prerequisite-Maintain Connection Setting
Information Refer Step 8 of Common Configuration. Select integration scenario SUPMG and then
select target connector in which the integration scenario SUPMG needs to activate.
At scenario connector link after selecting the target connector press enter and find the
connection type & description updating automatically as they are assigned to target
connector at step 7 Maintain connector to Connection type.
Step: 022 > Prerequisite-Maintain Configuration Settings
Information Refer Step 10 of Common Configuration. Setting Parameters - Select Parameter group 6-
“Emergency Access Management” which contains 14 Parameter IDs with different values in ID.
ID: 4000 – As discussed in introduction above select the EAM type. Recommended ID type
ID: 4001 – FFID validation of each assignment to user default days mention here & not max
ID: 4002 – On assigning the FFID an E-Mail will be issued immediately if selected YES here
ID: 4003 – Able to retrieve change log made to FFID if selected YES here
ID: 4004 – Able to retrieve system log made by firefighter if selected YES here
ID: 4005 – Able to retrieve Audit log if selected YES here
ID: 4006 – Able to retrieve OS Command log if selected YES here
ID: 4007 – If log report executed immediately notification will be sent if YES here
ID: 4008 – When Firefighter logs in a notification will be sent immediately if YES here
ID: 4009 – Log report execution notification will sent if YES here
ID: 4010 – The role mentioned here is mandatory role to be assigned to FFID in backend
SAP given the predefined role SAP_GRAC_SPM_FFID
ID: 4012 – Audit log will be forwarded in workflow either to any user or only controller
ID: 4013 – If required FFID owner can request access for his owned FFID as firefighter
ID: 4014 – If required FFID controller can request for his controlled FFID as firefighter

Step: 023 > Prerequisite: Create Users and Roles & Maintain in Access Control Owners
Information Refer Step 12 of Common Configuration of creating & maintaining the below:
 Create end user to act as firefighter who gets mapped to FFID

 Create FFID in back end system as a service user
 Create FFID owner in the GRC system
 Create FFID controller in the GRC system
Refer Step 12 to assign required roles to above.

FFID Owner & Controller created above are to be maintained in Access Control Owners list
FFID in the backend should be assigned with below roles:

Mandatory Role: SAP_GRAC_SPM_FFID the same is to be mentioned in parameter ID 4010
Functional Role: we also need to assign extra authority or wide roles for the FFID in the back end system.
SAP_ALL profile is not required to assign. As the FFID is created business processes wise, for each
business processes we can create a single business role which can be assigned to FFID. This business role
works like composite role carrying all the roles in it.
Create FFID Owner 01>
Create FFID Controller 01>

Create FFID in Backend server>

Create End User for Firefighter >
Maintaining above as Access Control Owners:

Synchronize first to get the created above FFID participants in NWBC – Repository Sync.
Information FFID Owner & Controller are maintained in Access Control Owners under Access Owners.
The same is explained in Step No 12 in Common Configuration.
Path NWBC  SAP_GRAC_NWBC  Setup  Access Owners  Access Control Owners
Click Create, Give FFID owner name & tick FFID Owner repeat for controller

Step: 024 > Assign Owner to FFID
Information :
Path: NWBC  SAP_GRAC_NWBC  Setup  Super User Assignment  Owners

Click ‘Assign’
A New screen gets opened and Go to help at ‘Owner ID’, Select owner & Click OK
Below screen gets generated & click ‘Add’

Provide FFID by selecting from help option, Select through Arrow & Click OK
Provide comments & it resembles as below- Click ‘SAVE’, Now owner assigned for FFID
Step: 025 > Assign FFID to Controller and firefighters
Information The Firefighter ID is assigned to a firefighter who can perform the activities in the back
end system. Multiple fire fighters can be assigned to a single firefighter ID. But, one
firefighter only can login at a time.
Controllers are also assigned to the FFID for tracking and auditing the firefighter.
Path NWBC  SAP_GRAC_NWBC  Setup  Super User Assignment  Firefighter IDs
Click Assign button > Firefighter ID assignment window gets opens

Use help at Firefighter ID field and find new window gets pens with list of available FFIDs
Select the required FFID from latest window and Click OK
Find the field fills with FFID & system also gets filled automatically

Then Go to Firefighter tab & Click Add

Use help under Firefighter User ID
Select the end user from the list eligible to be the firefighter as per the roles assigned to those users
Then Click OK
Find the screen fills like below and provide comments.

Observe the default valid days came from current date to 30 days which we provided in parameters
group EAM & ID 4001 as 30 days to take as default which is not max. Here we can increase if required.
Now maintain controller through Controller Tab:

Click ADD
Use help and update Controller ID
Select the concern controller & Click OK
Controller name updates automatically
At Notification we find the option of either E-Mail or Workflow or Log Display > Select one
This we maintained at parameters group EAM at ID 4008 to send notification
Provide comments

SAVE
Final Screen resembles as below:
Step: 026 > Create a Reason Code
Information Ac Company will always run on policy as objective as possible. Here the companies can
design the usage of emergency access for particular reasons only.
Example: A company can have the strategy of business continuity plan and as a part of
action points in it they can make a policy to maintain the roles to old employee in the
department which are assigned to new user in 1st month to complete the month end
process smoothly. This reason code is created & the firefighter can select this reason while
using the FFID
Path NWBC  SAP_GRAC_NWBC  Setup  Super User Maintenance  Reason Codes

Click CREATE > New window get open >
Give the Reason code as per the naming convention
Status to be ACTIVE
Under System Click ADD
Select system using help
Find other fields in the table with description gets updated automatically
Give description & SAVE

Step: 027 > Firefighter log Synchronization
Information We need to schedule the firefighter log synchronization job as per the client requirement.
Recommended to run every 15 minutes
The same can be run through a T-Code: GRAC_SPM_LOG_SYNC
To the run through program: GRAC_SPM_LOG_SYNC_UPDATE
More details about synchronization can find at Step 13 of Common Configuration
Path SPRO
SAP Ref IMG
Access Control
Synchronization
Firefighter Log Synch
Provide Connector as *
Execute

Step: 028 > Working of FFID execution by firefighter
Information Login through Firefighter ID
Execute the T-Code GRAC_SPM
Find the Used ID & system etc.

Click ‘Logon’, New window gets opened, Give the reason code: From drop down,
Give the Description of requirement of FFID
Enter the list of actions that proposed to Perform & Click TICK

Observe the Screen displays with Start SAP Easy Access:
_____________________________________________________________________________________
Step: 029 > FFID Reports Execution
Information Reports available with regards to Emergency Access Management are discussed below:
Consolidated Log Report: This report provides the information of different logs:
Transaction Log: Captures transaction execution from transaction STAD.
STAD is a transaction code which allows checking the activities of users. It calculates the
resource usage of individual transactions for ABAP systems and provides a detailed
analysis of a transaction and the dialog steps. The selection criteria include user,
transaction, program, task type, start date, and start time.
The statistical record contains detailed information about:
Proportions of response time, Database accesses, memory usage, RFC calls

Path NWBC  SAP_GRAC _NWBC  Reports & Analytics  Emergency Access Management
Reports 
SoD Conflict Report for FFIDs Results:
_____________________________________________________________________________________
ACCESS REQUEST MANAGEMENT:

Here we learn the configuration of Access request management where business user raises the request
to provide access of to create user. Through workflow manager will approve and while approving the
manager can run the risk analysis where it got synchronized. Later role owner & security will approve
then role or user auto provisioning is done.
MSMP workflow is also discussed in this chapter with SAP predefined process IDs. Please refer step
number 35 for details.
Information Access Control Compliant User Provisioning functionalities:

Initiator: Will be at Stage 1

Standard Path: Stage 2 to Stage N

Provisioning: Optional
At detour path the standard Path starts from Stage 1 & Provisioning is again Optional
Stage: Stage appearance a step or one action item in process flow
Path: Path defines the sequence of stages which needs to be executed
Initiative: Initiative selects the path based on the condition defined in it.
Detour Path: This path will be executed based upon a condition in a stage in the standard path. Detour
path will not have initiator
Differences in terminology between the versions 5.1/ 2/ 3 and 10.0 of SAP BO

Initiator  Initiator Rule
CAD (Custom Approver Determinator)  Agent Rule
Detour  Routing Rule
Path  Path
1 process ID can have multiple request types:

Access requestor: Create request, Change Request etc
Function Approval: Update function, Delete function etc
One initiator rule is able to trigger multiple paths based on the rule result value
At step 35 we discussed different process IDs available for multiple workflows with different request
types.
For each request type we can select process ID with different paths and as per the initiator request the
path is decided.
SAP provides default process ID. But, when 2 different stages pattern requires for 2 different paths ew
can customized accordingly. We can select any provided process ID or can copy the existing process ID
and can customize. But, we cannot create a new process ID.
Step: 030 > Prerequisite: Create Owners in GRC Server, User and Role in Backend:
Create below users in GRC server who will be the part of approval group.
 Manager to approve at 1st stage for New & Change user. Only stage for Lock & Unlock user
 Role owner to approve at 2nd stage for New & Change user. Maintain in Access owners & Role
owners
 Security to approve at 3rd stage for New & Change user. Maintain in Access owners
The above users are to be assigned with below standard roles. (Use all roles if you copy the users)

SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_ROLE_MGMT_DESINGER
SAP_GRC_FN_ALL
SAP_GRC_FN_BASE
Example of Users to create:

BS_GRACMGR01
BS_GRRLOWN01> Assign in Access owners

As Role Owner in Access Control Owners &
Role Owners as Role Approver & Role content owner
BS_GRACSEC01 > Assign in Access owners as Security

Step: 031 > Prerequisite: Maintain Connection Settings
Information : Refer Step 8 of Common Configuration. Select integration scenario PROV and then select
target connector in which the integration scenario PROV needs to activate.
At scenario connector link after selecting the target connector press enter and find the connection type
& description updating automatically as they are assigned to target connector at step 7 Maintain
connector to Connection type.
Step: 032 > Prerequisite: Maintain Configuration Settings
Information : Refer Step 10 of Common Configuration. Setting Parameters - Select Parameter groups:
PG5-Workflow: Contains 20 Parameter IDs with different values in each ID.
PG9-Risk Analysis Access Request which contains 3 Parameter IDs with values in each ID

Step: 033 > Prerequisite: Configure Number Ranges & Activate
Create Number Ranges:

Information : To provide request numbers to access request, mitigating request etc. we need to
maintain number range. This number range will be used by workflow to provide a request number when
we submit a request.
T-Code SNRO
Path SPRO
SAP Ref IMG
Access Control
User Provisioning
Maintain Number Range intervals for Provisioning Requests
Select object using help: For workflow GRACREQNO

Click Number Range button & Click change intervals.
Click Interval & fill the details in new window & click enter
Then SAVE

Activate Number Range:
Information
T-Code
Path SPRO
SAP Ref IMG
Access Control
User Provisioning
Define Number Ranges for Provisioning Requests
Click New Entries
Give the ID of Number range created & SAVE
Press ‘Activate’ Radio button & SAVE
Step: 034 > Prerequisite: Maintain Provision Settings
Information Here we are configuring the values to be considered in the access request management
while provisioning.
An auto provisioning is done based on the values we provide here.
Example: Whether the user can raise request for access to a new role and when this new
role is assigned automatically by the system, Access to SAP by creating the user etc.
Path SPRO
SAP Ref IMG
Access Control
User Provisioning
Maintain Provisioning Settings
Select Maintain Global Provisioning at Dialog Structure

Select
Role Provisioning Type: Direct
Direct – If we are not using HR structured authorizations
Indirect – If we are not using HR structured authorizations
Under Indirect 
Job
Position
Organization Type
Combined – If we are using direct and indirect role assignments
Auto Provisioning: Auto Provisioning at the End of the Request is recommended
Create User if does not exist: Tick both Change User Action & Assign Role Action
Account Validation Check: Maintain Warning and not error
Role Assignment: TICK Provisioning effective immediately
Old Role Delimit Duration: This will be used in HR structural organizations where a person changes
position within the organization to be deactivated in how many YEARS | MONTHS | DAYS
Password expiry in days or accesses or none and maintain values in next field
Deactivate password checkbox if we are using Single Sign On – Activate
Email Status – Send Password If YES maintain the period in seconds to password visible.

Step: 035 > Maintenance of Define Request types – MSMP Process IDs
Information We have to configure the workflow and predefined workflows are provided by SAP GRC
from which we can use the suitable one.
Before going ahead with configuring the Multi Source Multi Path-MSMP workflow, we
have to ensure that all the workflow related BC sets are activated.
Workflow related BC sets are 3 in numbers and have the naming as GRC_MSMP_XXXX
Please refer Step 6 Activating BC Sets in common configuration.
With regards to Access Request SAP GRC provides us a workflow process ID
SAP_GRAC_ACCESS_REQUEST for different activities from which we activate required
activities.
Total process IDs provided by SAP GRC are:
SN MSMP Process ID Description
1 SAP_GRAC_ACCESS_REQUEST Access request Approval Workflow
2 SAP_GRAC_ACCESS_REQUEST_HR Access request Approval for HR OM Objects Workflow
3 SAP_GRAC_CONTROL_ASGN Control Assignment Approval Workflow
4 SAP_GRAC_CONTROL_MAINT Mitigation Control Maintenance Workflow
5 SAP_GRAC_FIREFIGHT_LOG_REPORT Fire Fighter Log Report Review Workflow
6 SAP_GRAC_FUNC_APPR Function Approval Workflow
7 SAP_GRAC_RISK_APPR Risk Approval Workflow
8 SAP_GRAC_ROLE_APPR Role Approval Workflow
9 SAP_GRAC_SOD_RISK_REVIEW SOD Risk Review Workflow
10 SAP_GRAC_USER_ACCESS_REVIEW User Access Review Workflow
Standard Actions provided under each process ID are given below:

1. Create User
2. Change Users

3. Delete User
4. Lock User
5. Unlock User
6. Assign Object
7. Super User Access
8. Create & Lock User
9. Change & Lock User
10. Change & Unlock User
11. User Defaults
12. Retain
13. Remove
We can select required process ID and the actions we want to activate under each process ID here.
There are 10 Process IDs with 13 actions in MSMP processes given by SAP GRC.
We also can customize the workflow but not required. We can create more paths in each process ID
using BRF+ which will be discussed in the last session.
List out the actions required to activate under each ID.
Path SPRO
SAP Ref IMG
Access Control
User Provisioning
Define Request Type
Step: 036 > Maintain MSMP Workflow
Information
Path SPRO
SAP Ref IMG
Access Control
Workflow for Access Control
EXECUTE Maintain MSMP Workflow
A window will open to configure MSMP workflow:

We have to maintain configuration in all 7
Process Global Settings:

Select required Process ID ‘SAP_GRAC_ACCESS_REQUEST’ & Click ‘Display/ Change’
Maintain Process Global Settings:

Escalation:
Information: If you would like to set up auto confirmation when the workflow has just one stage then
you can do so by setting the escalation time. You can set the parameter as 'Escalate to specific agent'
and assign any appropriate agent. Let's take an example. You have set the escalation time as 30 mins
and entered GRAC_SECURITY as the escalation agent. There is just one stage in workflow which is
GRAC_MANAGER. If the manager does not approve in 30 mins then the request goes to the security
stage automatically. If the security team approves the request is completed.
If you have more than one stage in the workflow then you can set an appropriate escalation time and
the parameter as 'Skip to next stage'. In this case if the request is not approved on time, it goes to the
next stage in the workflow process.
Enable Escalation as per business requirement and client agreement
Notification Settings:
Information: We can send the notifications or emails on the development of the events and the settings
are available to maintain when a notification is to send, what template is to send as notification and
whom to send.
Click ‘Add’

Select the Notification using help from the options:
 End of Request: Notification is submitted after the approval & request process is completed.
Select this
 Request Submission: Notification is submitted at the time of request raised
Choose template ID using help: Default one is suggested i.e. GRAC_AR_APPROVED
Choose recipients ID using help: Default one is suggested i.e. GRAC_CURRENT_APPROVERS
Escape Conditions:
Information: In case of auto provision did not happened due to unavailability of Approver or an issue at
back end. The information with the status of request is to be passed.
For this purpose we have to maintain the users to escalate.
Select with ‘Tick’ Mark at ‘Set Escape Routing’ for both ‘Approver not found’ & ‘Auto Provisioning
failure’
Provide path at ‘Escape Path’ for whom the escalation is to be happened.
Select: GRAC_DEFAULT_PATH
Click ‘NEXT’
Maintain Rules: Maintain rules includes a list of all available rules to be used when configuring a
workflow. If a new rule is created (through Step: 51 Generate MSMP Rules for Processes) then it must
be added. Here we also configure default initiator. Default is suggested GRAC_AR_INITIATOR
Rule Kinds:
1. Initiator Rule: Determines the path upon submission of the request.
2. Agents Rule: Determines the recipient or approvers of a stage
3. Routing Rule: Determines a detour routing based upon an attribute of the request. Eg SoD
violation exists, Training verification, No role owner etc.)
4. Notification Valuable Rule: Determines the variable values at run time used in the notification e-
mails.
Rule Types:

1. BRF+ Rule: This rule is defined in the BRF+ application to fetch rule results depending on
conditions inside the rule.
2. Function module based Rule: Function module coded to output rule results
3. ABAP Class based Rule: ABAP class is coded to output rule results.
4. BRF+ Flat Rule Line item by line item: BRF+ rule which is defined for only one line item and the
rule will be called once for each line item in the request. Also referred to as BRF+ easy. Eg. Some
default roles not required for approval. There this rule can be used.
Suggested not to make any changes

If we create a rule ID through Generate MSMP rules for process that can be added here
We will cover BRF+ in the next session and therefore let us go ahead with default rule ID. Just Click
‘NEXT’
Suggested just only to observe the Green Circles & Maintain the Red Circle in below screenshot:
Maintain Agents:
There are default Agent IDs available which will not be permitted to modify.
Therefore let us create our own Agent ID with the agents maintaining in it. The agents who are the
participants in the workflow as Approver or Acknowledger are already created by us in the 30th step of
ARM.
Let us create the agents as below:
Fill the Agent ID starting with Z

Then appears Approver Group ID: select Help to create as well as Maintain
Click ADD to create a new Approver

Group ID & to maintain Users list in
it:
New window gets opened to create a new Approver Group ID & to maintain Users list in it & SAVE
Now after maintaining the users in the Approver ID, select it and don’t select ADD again it takes to
create new Approver ID:

SAVE it now
In the same way create new approver ID for role owner as ZGRAC_ROLE OWNER & ZSECURITY. Maintain
users created in step 30
Variables & Templates:

All templates for e-mail notifications are maintained. The templates are created using transaction code
SE161.
Notifications can be sent at different events such as:
Approval , Request Submission, Rejection, Request Closure, Escalation, Reminder etc
Consider the default Template & Click ‘NEXT’

Maintain Paths:
The path is selected & the stages in the paths are maintained here.
Creation of path is done at BRF+. The stages can be maintained under the each path.
In each stage we maintain the agent ID for whom the approval request is to be forwarded.
To change the stages Select Path ID, go to stage & Click ‘Modify Task Settings’ under ‘Maintain Stages’
Find the Stage settings get opened & try to explore all the options & understand the functionality:
1st Find the Stage of Configuration:
Agent ID: Agent ID can be modified and select the agent ID created to maintain in this stage.
For GRAC_MANAGER stage maintain the agent ID: ZGRAC_MANAGER
For GRAC_ROLEOWNER stage maintain the agent ID: ZGRAC_ROLEMANAGER

For SECURITY stage maintain the agent ID: ZSECURITY


Approval Type:
Any One approver is OK or all the should Approve > Suggest to Select ‘Any One Approver’
We have the agents in group to avoid delay in approving process in case of vacation etc.
Escalation Type:
In case of escalation it is to be done to a specified agent as maintained or Skip to the next stage or No
Escalation is to be done.
Suggest No Escalation as we have not maintained Escalation in Process Global Settings at 1st screen.

Confirm Rejection: If rejected confirm to the User – Suggested to Select

Approve Despite Risk: Approve even Risk exists – Suggest not to Select
Request Rejected: Option to reject the request – Suggest to Select
Confirm Approval: After approved confirm to the user – Suggest to Select
Forward Allowed: Forward is possible if required before approval – Suggest to Select
Risk Analysis Mandatory: While approving a role to the user or the creating a user with roles. Risk
analysis are required to run & therefore we say YES
But, the Process ID contains more activities in it & in such a case if Lock or Unlock activity also included
in the Process ID then Risk analysis is not required for it. Therefore suggested to select YAC: Yes when
Access Change. No is not suggested.

Approval Level: The approval level is required at

REQUEST: User Request
ROLE: Maintaining the Role
SYSTEM AND ROLE: Role Request and access to System-Backend System Request
Rejection Level: The rejection level is required at

REQUEST: User Request
ROLE: Maintaining the Role
SYSTEM AND ROLE: Role Request and access to System-Backend System Request
Comments Mandatory: At the time of approval or rejection whether the comments are Mandatory or
not are mentioned here. Suggested the comments are mandatory at both because the Role owner will
be doing the review of the access at regular frequency and where he can consider the requirement

based on the comments. Also required to find the reasons at the time of approval & to know the why
rejected.
And ‘SAVE’
Click ‘NEXT’ to move to Maintain Route Mapping
Maintain Route Mapping:

Suggested no changes required to do here & Click ‘NEXT’
Generate Versions:
Click ‘SAVE’
Select the Transport Request:
Select the required transport request available and Click OK.

Also Click OK at ‘MSMP Workflow Configuration’ window
Find the Message Text & Click ‘ACTIVATE’
Now find lot of Message Text created confirming the activation:

Find the 1st row saying that:
Serial Number: 000001 was generated & new records were created for Process Id
SAP_GRAC_ACCESS_REQUEST
The Serial Number is what we have generated in above steps of ARM
The Process ID is what we have selected to maintain for ARM

Step: 037 > Find the working of ARM Configuration

Information
Path NWBC  SAP_GRAC_NWBC  Access Management  Access Request  Access
Request Creator

Find the below screen gets opened:
Request Type: The below are the requests available to choose & Suggested to Choose New Account
Request For: Self or Other or Multiple – Suggested for Self or Multiple.

Find the User Name gets changed based on the selection.
If we select ‘Self’ then User name will be freeze.
If we select other then find the User Name gets Blank and available to choose through help.
If we select Multiple the User name field will disappear and will change the main screen below enabling
us to select Users in big level.
All the 3 stages are shown in the below screen shot.
Suggested to select ‘Self’

Select ‘System’ at main screen for request:

Select the required system in the list & Click OK
Screen exists like below & Click ‘Submit’

Now after select the Request for ‘Other’

The help level at User field will be as below & provide necessary details of new user & Click OK
Select Business Process & Function area if maintained by us at Step 5 of Post Installation:
Go to the main screen & Click ‘ADD’ Find the option ‘ROLE’ & ‘SYSTEM’
Select ‘ROLE’
Find the below screen gets opened & maintain the info as required:

At System we have more options to select User help & select a System with Application
Click OK
At Role Type we have the option to choose from below – ‘Single Role’
Business Role:
Composite Role:
CUA Composite Role:
Derived Role:
Group:
PD Profile:
Profile:
Single Role:
Template:

At Role/ Profile Name provide the existing role name proposed to assign:
Click ‘Search’
Find the function as explained below:

After raising the request
Go to NWBC  SAP_GRAC_NWBC  Access Management  Access Request  Access Request
Creation – Explained above
Find the status at the same path & select ‘Request Status’ under ‘Access Request’
Find the status at which stage the request is pending.
Login with the user ID where the request is pending for approval.
Go to NWBC  SAP_GRAC_NWBC  MY HOME  Work Inbox  Work Inbox  Approve by clicking
SUBMIT
Login to the requester user ID & find the status where it is pending through ‘Request Status’
Login with user ID where the request is pending for approval at 2nd stage.
Proceed till the end of all stages & find the provision happened as requester.

BRF+: Business Rule Framework

With the new features like BRF+ we can have Function maintenance workflow, Risk Maintenance
workflow, Role Maintenance workflow, Mitigation control maintenance & assignment approval
workflow
On executing the T-Code BRF+ its application opens. Initially we use to maintain the rules through ABAP
code.
BRF+ workbench is a user interface that enables users to define, test, and maintain rules for various
business scenarios without need of ABAP code.
Rules can be created for initiators, agents, and also for routing workflows on specific conditions.
Conditions:
BRF+ workbench can be opened using BRF+ T-Code.
We perform 2 main activities related to BRF+ T-Code.
1) Define workflow related MSMP rules – This is generating the rule before maintaining it. Select
MSMP Process ID. If it is for access request then select SAP_GRAC_ACCESS_REQUEST
We select the initiator rule among 4.
MSMP BRF+ flat rule (lineitem by lineitem):
This rule is called flat rule or lineitem by line item rule because this rule is called by MSMP multiple
times, once for each lineitem. So if in access request you have added 3 roles/systems, then this BRF rule
will be called 3 times. As an input to this rule, MSMP sends detail of one lineitem at a time and this BRF
rule provides result for that one lineitem only. BRF+ flat rule is easy to create as no loop is required and
only one decision table (or other expression) is required for the logic. For example, consider an access
request with 3 roles/system. In this case the BRF flat rule is called 3 times by MSMP with following input
and output:
Input provided by MSMP to BRF+ flat rule in first call:

Item Name System Role Type LINEITEM KEY...
ROLE1 SYSTEM 1 SIN 0001
Output given by BRF+ to MSMP in first call:

Lineitem Key Rule Result
0001 RolePath
Input provided by MSMP to BRF+ flat rule in second call:

ROLE2 SYSTEM 2 COM 0002
Output given by BRF+ to MSMP in second call:

0002 RolePath
Input provided by MSMP to BRF+ flat rule in third call:

SYSTEM1 SYSTEM1 0003

Output given by BRF+ to MSMP in third call:

0003 SystemPath
So the flat rule is called once for each lineitem which makes its creation easier as no looping is required
which is required in case of BRF+ rule.
2.) MSMP BRF+ rule:

In this case, all the lineitems (roles, systems and FFID...) present in the Access Request are sent to the
BRF rule in form of a table. After processing, this rule has to return a table with lineitem key and result.
For example, in case of initiator rule the input to BRF rule can be following table. The roles/system
shown here are one that are added to access request.
INPUT sent by MSMP to BRF+
ROLE1 SYSTEM 1 SIN 0001
ROLE2 SYSTEM 2 COM 0002
SYSTEM 1 SYSTEM 1 0003
For the above input, the output of BRF rule will be something like following:
OUTPUT given by BRF+ to MSMP
0001 RolePath
0002 RolePath
0003 SystemPath
Please note that we have not shown the decision table which contains the logic to determine the path in
case of initiator rule. Since complete request details are sent by MSMP to BRF+ rule for execution, so
this rule is called only once by MSMP. Hence it is required that the logic to loop on all the lineitems has
to be done within BRF+ rule. The decision table or other condition is called within the loop so that it is
executed for all the lineitems one by one.
Key differences between BRF+ rule and BRF+ flat rule are again summarized below:
BRF+ Flat Rule BRF+ Rule
1.) Executed multiple times, Once for each
lineitem 1.) Executed only once
2.) Details of one lineitem at a time passed to 2.) Complete request details passed to BRF rule by
BRF rule by MSMP MSMP in form of a table
3.)Output of flat rule is result of one line item 3.) Output of BRF+ rule is complete table with all
only lineitems
4.) Easy to create as no loop is required 4.) Complex as compared to flat rule as loop is required
5.) Some of business cases not possible in flat 5.) Almost all business cases can be achieved by BRF+
rule rule

Step: 051 > Generate MSMP Rules for Processes
Information Initially we will create an ID maintaining Rule Type & Rule Kind in it. The system will
generate a rule ID which we further maintain through BRF+
Example: In the SAP_GRAC_Access_Request is the process ID which has the request types
Create User, Change User, Lock User ID, Unlock User ID etc.
We require 3 stages of approval process for create & change user including while
assigning role. But, Locking and unlocking user ID we require only 1 stage of approval.
This request type in the process ID is decided by the request initiator and therefore we
use the rule kind Initiator Rule.
Path SPRO
SAP Ref IMG
Access Control
Execute Define Workflow-Related MSMP Rules
Select MSMP Process ID: SAP_GRAC_ACCESS_REQUEST
Select Rule Type BRFplus Flat Rule (LineItem by LineItem)

Select Rule Kind Initiator Rule
Provide the Rule ID as per our naming convention:
All other options retain as per default > shown below:

And EXECUTE

Technical information from below screen displays after execution >

Note the Rule ID generated at 11th Line and the Rule ID we provided ZBTSRI
Rule ID = E309564BA9BA9AF19563ECA86B784858

Step: 052 > Define Business Rule Framework - Execute T-Code BRF+
Information The rule ID created by us with the rule type & rule kind in it. We use that rule ID and
create 2 paths assigning 2 request types in 1st path & another request types locking and
unlocking user in 2nd path.
T-Code BRF+
Path SPRO
SAP Ref IMG
Access Control
Execute Define Business Rule Framework
Find the Name provided by us at Rule ID column while generating the Rule ID

Find the expression created or not. To find right click on the application > Go to Create > Expression >
Click Decision Table
Provide the Table Name: “ZBTSRI_DECTBL_INITRL” > reflecting rule ID name + Table + Rule type Initiator
Rule
Provide Short Text as “Decision Table”
Provide Text as “Decision Table for Initiator Rule of ZBTSRI
Find the Application displayed as ZBTSRI
Click “CREATE AND NAVIGATE TO OBJECT”

Find the below screen appears:

Don’t change the default options and ensure tick is only for “Return an initial Value if no match is found”
Under “Condition Column” > Click Insert Column and Select “From Context Data Object”

The objects got opens and as per our requirement we select ‘REQTYPE’:
Click “SELECT”

Now the screen gets updated with “REQTYPE” Now click “Insert Column from Data Object” under
“Result Columns”
Plain screen gets displayed and Click “Search” to find the list of objects available:
After Search select “Line Item Key” & “Rule Result”

Line Item Key is selected because we have selected previously the rule type as Flat Rule Line Item by
Line Item
Rule Result is selected to maintain the path here against the request types.

Deselect Mandatory Inputs & Click OK
We go to the decision table screen where Table contents will be blank. Click “Insert New Row”
Contents under the table will be filled with Request Types, Trigger Value, & Line Items list
Now we assign the Path (Line Item) for each Request Type by updating Request Type & Trigger Value:
Update the Request Type by selecting “Direct Value Input”

Find the options to select after clicking Direct Value Input:
Go to the Help for selecting other options at 000
Select 001 > “New Account” & Click “OK”

To Add another Condition Click Icon of “Insert Include Condition”
Then again go to the Request Value and select Change Account > 002 & Click “OK”
With this we have selected the 2 request types in Decision Table created by us & Click “OK”
1 is New Account
2 is Change Account

Now, Maintain Trigger Values:

Click the Icon under Trigger Value & select “Direct Value Input”
Here we provide the Path name & we provided as “ZBTSRI_DT_IR_PATH1” DT stands for Decision Table
& IR is Initiator Rule & Click “OK”
Now observe the Request type updated as 001 New Account & 002 Change Account with Path 1
Left Pane Decision Table is not Green
Now Click SAVE & ACTIVE

After Clicking SAVE it appears as “Object(s) saved Successfully” then Click “Active”
Now after clicking “Active” we observe blink above Active button will be Green & Inactive turns into
Active
Also find the left pan decision table becomes Green
Now we have to Create another request type Lock & Unlock with same Path i.e. 2nd Path.
For this Right Click the Decision Table at Left Pan & Select Edit

Click Insert New Row and follow the above steps with the selections as given below:
Request Type: 004 – Lock User & 005 – Unlock the User
Trigger Value: ZBTSRI_DT_IR_PATH2

Click SAVE & ACTIVE
Also observe all the expressions at “Decision Table” come Green

Also the Application we provided displayed under Function at Left Pan should be Green

If we find our application is not Green the follow below steps:

Maximize the Function
Right Click the Application name & Click “Edit”
Below screen gets displayed & Click the Icon at “Top Expression:”

Select “Select”
Below screen gets displayed with list of decision tables under Application ZBTSRI:
Select the current Table which we want to activate
Click button “Activate”

Find the Function icon at left pan becomes Green & above “Activate” button “Inactive” icon turn
“Active” & Greens
Step: 053 > Mapping BRF+ Application with MSMP Workflow:
Information The rule ID and the paths created against the request types in previous 2 steps are
maintained here. We will create agent ID with approvers group here maintaining the
approver at each stage and assign the agent ID in each stage through modify task settings.
Generate the version and activate it.
T-Code
Path SPRO
SAP Ref IMG
Access Control
Execute Maintain MSMP workflows

Maintain the users through agent ID in agents & maintain them in the stages through modify task
settings before and now at each path add those stages.
Select the Process ID which we have maintained at BRF+ : SAP_GRAC_ACCESS_REQUEST
Click “Display/ Change”
Click “Next” till “Maintain Paths”
At “Maintain Paths”
Click Add and provide the new 2 paths created by us
Select the 2nd Path i.e. ZBTSRI_DT_IR_Path2

Click ADD at Maintain Stages
Provide the information of the Stage >
Sequence Number as 001
Stage Configuration ID: GRAC_MANAGER
Stage Description: Manager Approval for LOCK – Path2
SAVE

Find the stage added to the stages list on the screen
Repeat the same step for Path1 with 3 stages > Manager, Role Owner & Security
Stage configuration is:
Manager > GRAC_MANAGER
Role Owner > GRAC_ROLEOWNER
Security > GRAC_SECURITY

Go to Maintain Rules
Click ADD
Provide Rule ID: E309564BA9BA9AF19563ECA86B784858 (Generated at Step 051)
Rule Description: Batchsri initiator Rule
Rule Type: BRFplus Flat Rule (Lineitem by Lineitem) – Select from dropdown
Rule Kind: Initiator Rule – Select from Dropdown
SAVE
Find the Rule ID added to the list:

Select the same line & Click ADD at Rule Results:

Manually give the Path names provided at trigger Values without using the help option
ZBTSRI_DT_IR_PATH1
ZBTSRI_DT_IR_PATH2
Change the Global Rules under it to the Rule ID given by us:
Go to Maintain Route Mapping:

Click ADD > At Rule ID: Use help and select the Rule ID created by us:
Find the Rule kind gets freeze with Initiator Rule as we have not given any other rules in the ID

Click Help at Rule Result & Select 1 Rule Result value we have created already:
At Path ID > Use help & select the path ID we have provided:
Repeat the same way for Rule Result 2 with Path ID 2:

Go to Generate Version:
Select SAVE/ SIMULATE
Opt: Do Not Transport Object & Click OK
Find all the Types are in Green Ticks
Find all the Message text types are in GREEN TICK & also can export the result to Spreadsheet.
Accept at PopUp Blocker

Go to Process Global Settings and find the Process ID uploaded with the version we have created now:
Test the result by assigning a role through access request and find the approval process working –
Refer step 37 in ARM for details of how to do
BUSINESS ROLE MANAGEMENT

The main purpose of the BRM is maintenance of Roles.
We can ensure that the role attributes decided as per SoD concept can protected through BRM
Workflow also integrated lining the approval process. So auto maintenance is introduced with no
manual intervention.
The change log and other tracking system are recorded and can be provided with other reports.
We have some prerequisites before configuring BRM which include the steps covered in common
configuration part. Extra prerequisites required here are creating some users who approve the role
assignment and role content.
Users approve role assignment is said as “Assignment Approver”
User approve role content is said as “Role Content Owner”
Assignment Approver: Users who have the responsibility as role owner to approve the access to roles
requested by end users. This is the 2nd stage in Path maintained at process ID
SAP_GRAC_ACCESS_REQUEST after manager approval. In real time this can be given to Business Process
or Sub-business Process leads at every company code.

(If we maintain concept of parent derived role & maintains derived role for each company code as org
value)
Role Content Owner: Protecting the role attributes as per SoD norms is one of the important
undertaking organization gives to SARBOX compliance. Even to maintain the SoD in good control role
structure is the way. Therefore role content owner concept introduced who will be responsible to
protect the role attributes in its maintenance and creation. This is the stage in path maintained at
process ID SAP_GRAC_ROLE_APPR. In real time the head office which controls the parent role is the
owner and at head office itself the business process lead can be the owner for role. (If we maintain
concept of parent derived role & maintains derived role for each company code as org value)
Step: 038 > Requirements > Maintain Connectors to Connector Group:

Information The same is done by us in Step No 007 at Common Configuration. It is recommended to
use the SAP standard Connection group SAP_R3_LG or SAP_BAS_LG etc.
Path Go to SPRO
SAP Reference IMG
Maintain Connectors and Connection Types


Step: 039 > Requirements > Maintain Connection Settings:

Information The same is done in Step No 008 at maintain connection setting. It is recommended to
maintain ROLMG for Business Role Management.
Path Go to SPRO
SAP Reference IMG
Execute Maintain Connection Settings
Maintain integration scenario PROV & maintain Scenario Connector Link to related Connection Group.

Step: 040 > Requirements > Maintain Mapping for Actions and Connector Groups:
Information The same is done in Step No 011 at Common Configuration. Maintain mapping for actions
0001-Role Generation, 0002-Role Risk Analysis, 0003-Authorization Maintenance, 0004-
Provisioning
Path Go to SPRO
SAP Reference IMG
Access Control
Execute Maintain Mapping for Actions and Connector Groups
Step: 041 > Requirements > Maintain Connector Settings:

Information The same is done in Step No 009 at Common Configuration. Maintain Connector settings
i.e. maintain backend connector whether it’s Development or Testing or Production
System. Currently we are focusing on Role Management. This deals in creation of roles in
the backend system. We create roles in Development, Test them and after user
acceptance Test the same is transferred to Production. Therefore we assign the connector
as DEVELOPMENT

Path Go to SPRO
SAP Reference IMG
Access Control
Execute Maintain Connector Settings
Provide target connector, Application type is SAP & environment is Development & Activate PSS-
Password Self Service & SAVE
Step: 042 > Requirements > Activate Business Configuration BC-Sets:

Information The same is done in Step No 006 at Common Configuration. Activate Business
Configuration BC-Sets
BC Sets related to Role Management are:
Maintain Connector settings i.e. maintain backend connector whether it’s Development or
Testing or Production System.
GRAC_Role_MGMT_Landscape
GRAC_Role_MGMT_Methodology
GRAC_Role_MGMT_Pre_Req_Type
GRAC_Role_MGMT_Role_Status
GRAC_Role_MGMT_Sentivity
T-Code SCPR20
Step: 043 > Requirements > Maintain Configuration Settings:

Information The same is done in Step No 010 at Common Configuration. Maintain Parameters of Role
Management - Parameter Group–ROLE and at 24 Parameter IDs
3000 – Default Business Process: Select all predefined processes which we defined in Step 005
3001 – Default Sub process: Select all defined Sub Processes which we defined in Step 005
3002 – Default Critical Level:
3003 – Default Project Release:
3004 – Default Role Status: Select PRD
3005 – Reset Role Methodology when changing Role Attributes:
3006 – Allow add functions to an authorization:
3007 – Allow editing organization level values for derived roles:
3008 – A Ticket number is required after authorization data changes:
3009 - Allow Role Deletion from Back-End:
3010 - Allow attaching files to the role definition:
3011 - Conduct Risk Analysis before Role Generation:
3012 - Allow Role Generation on Multiple Systems:

3013 - Use logged-on user credentials for role generation:

3014 - Allow role generation with Permission Level violations:
3015 - Allow role generation with Critical Permission violations:
3016 - Allow role generation with Action Level violations:
3017 - Allow role generation with Critical Action violations:
3018 - Allow role generation with Critical Role/Profile violations:
3019 - Overwrite individual role's Risk Analysis result during Mass Risk Analysis run:
3020 - Role certification reminder notification:
3021 - Directory for mass role import server files:
3024 - Enforce methodology process for derived roles during generation:
3025 - Allow selection of Org. Value Maps without leading org.:
In addition to the above Parameter group 12 & 13 are also require to configure
PG12-Access Request Role Selection: Contains 14 Parameter IDs with values in each ID
PG13-Access Request Default roles: Contains 5 Parameter IDs with values in each ID
Step: 044 > Requirements > Create Users & assign as Access Owners:
Information The same is done in Step 12 and we have some more steps added here as required
exclusively for BRM.
Assignment Approver: Create end user in GRC server and provide the below roles to make
him access owner.
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_REPORTS
SAP_GRC_FN_BASE
1) Maintain the owner as ‘Role Owner’ in Access Control Owners.

Path NWBC  SAP_GRAC_NWBC  SETUP  Access Owners  Access Control Owners 

Role Owner
2) Maintain owner as ‘Assignment Approver’ in Role Owners.
Path NWBC  SAP_GRAC_NWBC  SETUP  Access Owners  Role Owners  Assignment
Approver
3) Maintain in role owner stage at path provided in Process ID: SAP_GRAC_ROLE_APPR in MSMP
workflow (Please go through the information provided at ‘Maintain MSMP Workflow’ to find how to
assign this owner.)
4) Maintain again at Role Methodology in define role tab as assignment approver
Role Content Owner: Create end user in GRC server and provide below roles to make him
role content owner.
In addition to the above role one more role SAP_GRAC_ROLE_MGMT_DESIGNER is to be assigned
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_REPORTS
SAP_GRC_FN_BASE
SAP_GRAC_ROLE_MGMT_DESIGNER
3) Maintain in role owner stage at path provided in Process ID: SAP_GRAC_ROLE_APPR in MSMP
workflow (Please go through the information provided at ‘Maintain MSMP Workflow’ to find how to
assign this owner.)
4) Maintain again at Role Methodology in define role tab as role content owner
T-Code SU01 - for Creating Role Owner
Path For Assigning in Access Owners:

NWBC  SAP_GRAC_NWBC  Set Up  Access Owners  Access Control Owners 
Click “CREATE”

Information Assign Role Owners which is located below the Access Control Owners.
Provide ID for Condition Group
Use help and pick the User
Assignment Approver: TICK – Owner who approves the access to the user. In general
workflow procedure after submitting request the request will go to manager for approval.
Then it will come to role owner maintained here. Company code level
Role Content Approver: He is the owner for the role structure and will be providing
approval for creation and whenever a change is required to do for the Role. HQ level
We provide both the eligibilities for a single role owner.
T-Code
Path NWBC  SAP_GRAC_NWBC  Set Up  Access Owners  Role Owners

Click ‘ADD’
Step: 045 > Maintain Role type Settings:

Information Here we maintain basic 3 conditions for role.
i. Mandatory: SAP provides 9 varieties of roles. All these will be provided to use. If we don’t
require any of the role type in our business model those can be deactivated here.

ii. Optional: The above selected roles can be maintained with labels as per our business
understanding.
iii. Optional: Here we can set the maximum length of role name for each role type. Maximum
length of a role name given by SAP is 30. Example: Parent role can be with 24 characters and
child roles under it can be 30 characters. 6 extra characters in child role can be the org value we
maintain in the child role.
Types of Roles:
Business Role It carries all the roles related to a business process. This can be assigned to FFID
of that business process.
Composite Role Multiple roles are assigned here in case a separate authorization is to be
maintained in a derived role etc.
CUA Comp Role Common role irrespective to the backend servers
Derived Role Contains org value & inherits the T-Codes & Authorization from its Parent role
Group Role Group of all derived roles that is to access any org value (co code - * at BUKRS)
PD Profile:
Profile: Unique ID generated for each role
Single Role: Role has all T-Codes, authorization & org value & can assign to user
Template: A role created with common assignment in it without variables
T-Code
Path Go to SPRO
SAP Reference IMG
Access Control
Role Management
Maintain Role Type Settings
Execute Deactivate Role Type
Click New Entries
Select required role type which is not required & select Inactive > SAVE

ii. Maintain Labels

Path Go to SPRO
SAP Reference IMG
Access Control
Role Management
Execute Maintain Labels for Role Types
Click New Entries
Provide language by selecting from 41 options.
Select role type from which are in active
Description we provide to the role as per our business design
iii. Define length of Role for each role type

Path Go to SPRO
SAP Reference IMG
Access Control

Role Management
Execute Specify Maximum Length for Role Type
Click New Entries:
The role types which require org value in its role name will have 30 characters & which don’t contain org
values can be 24 characters. & SAVE
Step: 046 > Requirements > Define Business Process & Sub Business Process:
Information This is mandatory to maintain the Business and Sub Business processes. If client don’t
provide sub processes, the business process only can be treated as sub business process.
This is also maintained at Step 005.
Path SPRO
SAP Ref IMG
Access Control
Execute Maintain Business Process & Sub Process

Step: 047 > Specify Naming Convention:
Information We maintain the naming convention structure here as agreed with the client. This is an
optional requirement.
We maintain the naming convention to each role type with the maximum characters what
we maintained in Step 046.
Z 1st Level – Norm of customized Role 1 Character 1-1
B/C/A/D/S/T 2nd Level – Role type is mentioned here 1 Character 2-2
rd
_ 3 Level – A underscore is used to separate 1 Character 3-3
FI00/ BS00 4th Level – Business Process is mentioned here 4 Characters 4-7
_ 5th Level – A underscore is used to separate 1 Character 8-8
th
AP/AR/BK/GL 6 Level – Sub Business Process is mentioned 2 Characters 9-10
th
INV_PROCC 8 Level – Role function is described at this level 12 Characters 12-23
CC1000 10th Level – Org value maintained in derived role 6 Characters 25-30
Based on the above naming convention the Role name examples are provided below:
Business Role: ZB_FI00_AP_BUSINESSROLE_CC1000
Composite Role: ZC_FI00_AP_INVOICEPROCC_CC1000
CUA Composite Role: ZA_FI00_AP_INVOICEPROCC_CC1000
Derived Role: ZD_FI00_AP_INVOICEPROCC_CC1000
Group:
PD Profile:
Profile:
Single Role: ZS_FI00_AP_INVOICEPROCC (At parent role level Org value is not maintained)
Template: ZT_FI00_AP_TEMPLATE0001 (At template role Org value is not maintained)
Path SPRO
SAP Ref IMG
Access Control
Role Management
Specify Naming Conventions
Click New Entries
Give the Name to the Version, Description of the version, which type of role & the connector group
SAVE & come back

Then Click Naming Convention Position
Click New Entries & provide below information as explained above & SAVE
In the same way create for other role types also.
Step: 048 > Define Role Attributes:
Information Other attributes-Values can assign to the roles. Some are mandatory & some are
optional. These facilities are explained to the client and to use as designed by client.
A Maintain Project Release: This is mandatory. As GRC is central administrator we require to

provide separate project release which will be used in further configuration
B Define Role Sensitivity: This is optional and can create 4 stages of sensitivity which can be
selected at the time of role creation based on the role.
C Maintain Role Status: This is mandatory. While creating the role the status of the role is
selected & the same status is to be assigned as Production here. On selecting this status while
creating the role it is eligible for provisioning and can be requested by the users through ARM. If
the development roles also are required to provide through ARM then the development roles
are to be TICKED PROD here.

D Critical Level: This is optional and can create different stages of sensitivity which can be
selected at the time of role creation based on the role.
E Define Companies: Companies are defined here which can be selected while creating the role.
In case if the company have different company codes and maintain same role structure this can
be done through Parent derived role system by maintaining Org. values in the derived roles. By
selecting the company here the role related to the same company will be provided.
F Functional Area: Function area can be mentioned while creating a role for which function it
belongs to like AP, AR, GL etc in FI00 business area. Here we provide all the function areas
Codes, Description & abbreviations. Abbreviations are available in 2 characters and also
company can be mentioned here. It is recommended not to provide the company against
function area as same function area exists in all the companies. If any function available in only
one company then it can be maintained.
G Prerequisites: Predefined requisites available are CERTIF – Certification, NDA - & Training.
Before assigning a role to the user if he requires to complete any training or certification to
execute the transactions in the role this is maintained here. We also have the options to create
new controls from new entries. We can add ISO training in SoD procedure.
H Role Prerequisites: Under the prerequisite types created above we can create prerequisites list
linking the type. We can maintain system wise by providing the RFC destination and with course
ID. After providing RFC destination also to be provided the connection type > it is ABAP 3 if
asked.
I Define Organizational Value Maps: we need to create this mapping for creation of derived
roles. We require defining our company code here to get them into role creation screen.
A. Maintain Project Release:

Path SPRO
SAP Ref IMG
Access Control
Role Management
Execute Maintain Project and Product Release Name
Click New Entries
Give Project Release ID & Description & SAVE
B. Define Role Sensitivity:

Path SPRO
SAP Ref IMG
Access Control
Role Management
Execute Define Role Sensitivity
Click New Entries
C. Maintain Role Status: To maintain other name for Role Status use New Entries & Tick
Path SPRO
SAP Ref IMG
Access Control
Role Management
Execute Maintain Role Status
D. Specify Critical Level: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Access Control
Role Management

Execute Maintain Role Status
E. Define Companies: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Access Control
Role Management
Execute Define Companies
F. Maintain Functional Areas: New Entries > provide information as below. Abbr is 2 characteristics & Co
is not required to provide as the function area belongs to all company codes. If any
function exclusively present in a single company then that function area can be mentioned
with that company code. Like HQ will have Corp. Tax role > SAVE
Path SPRO
SAP Ref IMG
Access Control
Role Management
Execute Maintain Functional Areas

G. Define Prerequisite type: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Access Control
Role Management
H. Define Role Prerequisite: New Entries > provide information as below > SAVE
CERTIF is a Certification
NDA is a Non-Disclosure Agreement
TRAINING is Training
Path SPRO
SAP Ref IMG
Access Control

Role Management
I. Define Organizational Value Maps: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Access Control
Role Management
Execute Define Organizational Value Maps

After saving the above double click the Org Level Mapping Details & provide below information & SAVE
Step: 049 > Maintain MSMP Workflow:

Information The Process ID we have to select for maintaining here is SAP_GRAC_ROLE_APPR. This is
the process ID SAP is provided for role maintenance.
Here we have to maintain the workflow settings as we have done in ARM at Step 36.
Detailed explanation on the maintenance of each page is discussed in Step 36 – Please
refer.
Ideally to understand the performance of MSMP workflow as well as role methodology we
will do below steps:
1) After selecting the process ID and changing to change mode by clicking ‘Change/Display’ at process
Global settings page.

2) On Maintain Rules > Select default rule ID
Under Rule Results Select Default Result Value
Under Global Rules > Select default Process Initiator & Notification Rule:

3) Go to maintain Agents page.

Click Add Under Agents
Provide new Agent ID

Provide Agent Name
Agent Purpose > Notification (Acknowledgement) or Approval
Agent Type: Select Directly Mapped User
Immediately you will find appearance of the new field APPROVERS GROUP

A Window will be opened and Click button ADD
Provide the Approvers Group Name as per the Naming Convention

Provide the Users proposed to be in the group & SAVE
Note:
Here the provided user is the role content owner who approves the creation of the role
Before mentioned here he has to be assigned as a role owner in Access Control Owners under Access
Owners
Next he has to assign as a Assignment Owner & Role Content Owner in Role Owners under Access
Owners

Find the created Approvers Group presence in the exiting list

Drag down to find the group
Click the Approvers Group appeared like a Hyper Link
Finally appears as below & Click SAVE
4) Go to Variables & Templates > Ignore & Click Next

5) Go to maintain Paths: Select the default path provided for this process ID and find the stages in the
path.
Go to the stage and click ‘modify task settings’.
Go to Agents ID field and maintain the Agent ID created by us.

After maintaining the Agent ID

Update the Approve Type as “Any One Approver” & other task settings
Click SAVE
Update the comments column Mandatory at Approval/ Rejection/ Both & SAVE
6) Go to Maintain Route Mapping > Select Default Rule ID & Click NEXT

7) GO to > Generate version and Activate & Click SAVE/ SIMULATE
Click ACTIVATE
Find the message > Version Generated

Before going ahead with role methodology verify the default target connector under connector group
for Action Role Generation
This is discussed in the step 11 of Common Configuration in this document
The role will be placed in the targeted backend server maintained here.
Step: 050 > Role Methodology:
Information Other attributes-Values can be assigned to the roles. Some are mandatory & some are
optional. These facilities are explained to the client & as per the design provided by the
client.
Path NWBC  SAP_GRAC_NWBC  Access Management  Role Management  Role
Maintenance
Click ‘Create’ and it will ask what role to create > find the activated roles present here with
its labels & not redefined role type names. Deactivated roles will not be displayed for
choosing option. Labels will display & not the SAP defined role types

Selected Simple Role – ZS which we labeled for Single Role

Find the wide options to fill as we configured above:
 Application Type: Select SAP among other GRC supporting backend server types
 Landscape: Is a Connector Group & displayed the description here to choose > Select GRC
predefined SAP_BAS_LG or SAP_R3_LG etc
 Business Process: Select one of the predefined business process which we have created in step
005
 Subprocess: Select one of the created sub business process which we have created in step 005
under BP
 Project Release: Select the release created by us
 Role Name: Provide the naming convention designed at Step 048 for Single Role
Click ‘SAVE & CONTINUE’

Click SAVE & Go to Owners & Approvers Tab
Go to the Owners/Approvers tab & maintain the owner
Click help under User > Give the role owner name & Click Start Search
Select the owner & Click OK

Select the owner as Assignment owner & role content owner

Click Save & Continue
Click Maintain Authorization Data
Find the window opened at bottom of the screen & click OPEN

A window will be opened with User Name & Provide Password & Click Logon
If a small window opens maximize

If it asks for password again > Provide & login Ensure we give the right client ID where role got pushed &
we have accesses to the server
If it asks for continue with this login, Select it & continue – previous session will close
Directly it will take us to PFCG screen of this role> go to Menu screen & give the T-Codes:

Go to Authorizations Tab:
If it asks for field values of Org levels > Give full authorization (* gets updated) & Click SAVE
Maintain missing authorizations by clicking as shown in the below screen & save. Please don’t Generate

Profile gets created & role will not generate on saving. If profile creates risk analysis can run for the role
to find out SoD violations with in the role.
Click back after saving

Then message pops up saying profile not generated & saved Click Continue

Click ‘Sync with PFCF’
System asks for a Ticket Number > Provide a number & description > Click OK – will go to next phase
Will go to Analyze Access Risks Phase >

Select required rule set
Select Format of report
Tick Action Level & Permission level
Run the risk analysis in Foreground

Find the risks in the role & ensure that no risks exist within the role.
Ensure we run the report in all the rule sets exists for various geographical locations (co code level)
If the risk exists ensure split the role even if not possible to place the risk creating T-Code in any other
role
Click Save & Continue

We go to Derived Role phase & as we are creating a single role just ignore the stage & Click Save &
Continue
Next phase is Request Approval & Just click Initiate Approval Request
Provide the reason for creation of the role & click OK in window popped up
Find the message that request is processes successfully:

Go to NWBC  SAP_GRAC_NWBC  Access Management  Under Access Request  Click Request

Status
Find a window opens with list of requests raised by us with their status:
Find the details of the request we have raised & under Audit log we can find the approvers where the
request landed.

Login through the owner user ID for Approving the role:
Go to NWBC  SAP_GRAC_NWBC  My Home  Work Inbox under Work Inbox

Will find the request with a hyper link: Click the Hyper link of the Request
Click APPROVE
Fill the Notes in the window popped up & Click OK

For confirmation:
Login through our ID again
Go to NWBC  SAP_GRAC_NWBC  Access Management  Under Access Request Go to the
Request Status again  Select our current request  Click Instance Request:
The same procedure of Role Methodology screen shots are placed with no highlights in the attached file
here. Can use if required:
BRM Role
Methodology.docx

Ac Configuration V1 PDF

Uploaded by

Copyright:

Available Formats

Ac Configuration V1 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ac Configuration V1 PDF

Uploaded by

Copyright:

Available Formats

Configuration document of GRC – Access Control

Sirish Vetcha, Consultant - GRC 10.0 1 of 166

Step: 029 > FFID Reports Execution ............................................................................................................ 71

Sirish Vetcha, Consultant - GRC 10.0 2 of 166

Step: 001 > Configuring RFC Destination

Dos Window will be opened.

Sirish Vetcha, Consultant - GRC 10.0 3 of 166

Go to the Path in SAP system

Sirish Vetcha, Consultant - GRC 10.0 4 of 166

Test the creation of destination by Clicking “Connection Test”

Find below result:

Then Click Remote Logon:

Find below screen

Sirish Vetcha, Consultant - GRC 10.0 5 of 166

Step: 002 > Active the application in the client

Sirish Vetcha, Consultant - GRC 10.0 6 of 166

Step: 003 > Activating the Services

Select required Host under Virtual Hosts/ Services Maximizing “Default_host”

Sirish Vetcha, Consultant - GRC 10.0 7 of 166

Select “SERVICE/ HOST” Tab at Menu

Step: 004 > Perform Automatic Workflow Configuration

Sirish Vetcha, Consultant - GRC 10.0 8 of 166

Sirish Vetcha, Consultant - GRC 10.0 9 of 166

Sirish Vetcha, Consultant - GRC 10.0 10 of 166

Step: 006 > Activating BC Sets

List of BC Sets to be maintained are:

Sirish Vetcha, Consultant - GRC 10.0 11 of 166

Select the required BC Set

Sirish Vetcha, Consultant - GRC 10.0 12 of 166

Click Activation Button

Windows activation option will be opened

Step: 007 > Maintain Connectors to Connection Type

Information Here we maintain 2 important configarations:

Sirish Vetcha, Consultant - GRC 10.0 13 of 166

Sirish Vetcha, Consultant - GRC 10.0 14 of 166

Select the required back end type: Let’s take SAP

Double Click Define Connector Group

Sirish Vetcha, Consultant - GRC 10.0 15 of 166

Sirish Vetcha, Consultant - GRC 10.0 16 of 166

Step: 008 > Maintain Connection Settings

Sirish Vetcha, Consultant - GRC 10.0 17 of 166

SUPMG: Super User Privilege Mgmt. – Related to EAM

Use help and select a work area & Click Continue

Sirish Vetcha, Consultant - GRC 10.0 18 of 166

Double click Scenario Connector Link

Find the interface used for connection type

Sirish Vetcha, Consultant - GRC 10.0 19 of 166

Step: 009 > Maintain Connector Settings

The ideal way of connection at the time of development will be as below:

Sirish Vetcha, Consultant - GRC 10.0 20 of 166

Find the application types GRC supports:

Step: 010 > Maintain Configuration Settings

Sirish Vetcha, Consultant - GRC 10.0 21 of 166

Maintain Configuration Settings

Sirish Vetcha, Consultant - GRC 10.0 22 of 166

SOD Review 2019 YES

Elaborate discussion on each Parameter group with open option in attachment:

Click New Entries

Sirish Vetcha, Consultant - GRC 10.0 23 of 166