
GRC BO Access Control

Enterprise role management (ERM) is the role management component of Access Control. It can integrate with Compliant User Provisioning (CUP) by allowing import of roles and role information into CUP for assignment to users. ERM can also integrate with Risk Analysis and Remediation (RAR) to scan roles for Segregation of Duty (SoD) violations. Certain configurations MUST be followed for this to effectively and successfully allow integration (risk analysis in RAR and role import to CUP)

Uploaded by

John Sparton
Copyright
© Attribution Non-Commercial (BY-NC)

How to Connect and Integrate SAP BusinessObjects GRC Access Control v5.3 for Successful Role Management

Applies to:
SAP BusinessObjects GRC Access Control v5.3.

Summary
Enterprise Role Management (ERM) is the role management component of Access Control. ERM can integrate with Compliant User Provisioning (CUP) by allowing import of roles and role information into CUP for assignment to users. ERM can also integrate with Risk Analysis and Remediation (RAR) to scan roles for Segregation of Duty (SoD) violations. Certain configurations MUST be followed for this to effectively and successfully allow integration (risk analysis in RAR and role import to CUP) to take place.

Author: Kevin Tucholke, Senior Consultant Technology Services - SAP
Company: Capgemini
Created on: 1 April 2010

Author Bio
Kevin Tucholke is an SAP GRC Senior Consultant at Capgemini with 10 years of overall IT experience, 5 years of SAP GRC implementation and functional expertise and 6 years of Role and User provisioning expertise. He has completed multiple full life cycles of SAP GRC Access Control implementation and upgrade projects (version 3.0, 4.0, and 5.3) and has expert skills in GRC design and configuration in all components of Access Control (Risk Analysis and Remediation, Compliant User Provisioning, Superuser Privilege Management and Enterprise Role Management). He has extensive experience in leading remediation efforts to eliminate or remediate any unmitigated Segregation of Duties issues being reported by SAP GRC. This includes reviewing both security role and business process design and providing recommendations that effectively target trouble areas across the entire ERP system.

SAP COMMUNITY NETWORK 2010 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 1


Table of Contents
Scenario
Solution Configuration
  Requirements
  Connections needed for each GRC component for integration
Importing Roles into CUP
Additional Information and Tips
Disclaimer and Liability Notice


Scenario
Enterprise Role Management (ERM) is the role management component of Access Control. ERM can integrate with Compliant User Provisioning (CUP) by allowing import of roles and role information into CUP for assignment to users. ERM can also integrate with Risk Analysis and Remediation (RAR) to scan roles for Segregation of Duties (SoD). Certain configurations MUST be followed for this to effectively and successfully allow integration (risk analysis in RAR and role import to CUP) to take place.

The following scenario is described for a 3-tier GRC Access Control landscape:
- GRC Access Control Landscape: PGC (Production GRC), QGC (Quality Assurance GRC), DGC (Development GRC)
- SAP ABAP Landscape:
  o Naming convention of Connectors is <SID>_<Client>
  o PRD_100 (Production ECC)
  o QAL_100 (Quality Assurance ECC)
  o DEV_100 (Development ECC GOLDEN)
  o DEV_300 (Development ECC SANDBOX)
- ERM will be used for role management for the SAP ABAP Landscape and as the source for role data to be imported into CUP for user provisioning
- Roles will be generated in DEV_100 and Risk Analysis will be performed in PRD_100; the two systems are assigned these actions, respectively, in ERM
- CUP will be used to provision users to ALL systems

Solution Configuration
Requirements
- Any connection to an ABAP backend system that exists in CUP, for provisioning roles to users, MUST exist in ERM and the connector names MUST exactly match.
- For any systems that require the import of roles into CUP, the system MUST be assigned to the Landscape in ERM, otherwise CUP will not find any roles to import for that system. The system does not need to be assigned to any actions, but MUST be assigned to the Landscape.
- The system listed for action GENERATION (DEV_100) must exist in RAR if using Risk Analysis and the connector names must match. It is not required to be included in any rules or logical systems. It just needs to exist.

Connections needed for each GRC component for integration

DGC (Development GRC)
- ERM
  o Systems Connected: DEV_300
  o Landscape: ECC DEV Landscape
  o Systems Assigned: DEV_300
  o Actions Assigned: DEV_300 for Role Generation, DEV_300 for Risk Analysis
- CUP
  o Systems Connected: DEV_300 (can be listed as either Production or Non-Production system as only one system will be connected here)
- RAR
  o Systems Connected: DEV_300 (DEV_300 acts as production for RAR rules)

QGC (Quality Assurance GRC)
- ERM
  o Systems Connected: QAL_100, DEV_300
  o Landscape: ECC QAL Landscape
  o Systems Assigned: QAL_100, DEV_300
  o Actions Assigned: DEV_300 for Role Generation, QAL_100 for Risk Analysis
- CUP
  o Systems Connected: QAL_100 (listed as Production system), DEV_300 (listed as Non-Production system). This will facilitate testing of CUP workflows between Production and Non-Production systems.
- RAR
  o Systems Connected: DEV_300 (DEV_300 acts as DEV_100 for rules), QAL_100 (QAL_100 acts as PRD_100 for rules)

PGC (Production GRC)
- ERM
  o Systems Connected: PRD_100, QAL_100, DEV_100, DEV_300
  o Landscape: ECC PRD Landscape
  o Systems Assigned: PRD_100, QAL_100, DEV_100, DEV_300
  o Actions Assigned: DEV_100 for Role Generation, PRD_100 for Risk Analysis
- CUP
  o Systems Connected: PRD_100 (Production), QAL_100 (Non-Production), DEV_100 (Non-Production), DEV_300 (Non-Production)
- RAR
  o Systems Connected: DEV_100 (Non-Production), PRD_100 (Production)
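The three requirements above can be checked mechanically against an inventory of connectors before a role import is attempted. The following Python check is an added example, not part of the original document or of any SAP tool; the `GrcInstance` structure, the rule labels and the `BROKEN` instance are assumptions constructed for illustration, while the `PGC` and `QGC` values are taken from the lists above.

```python
from dataclasses import dataclass

@dataclass
class GrcInstance:            # hypothetical inventory record, not an SAP export format
    erm_connected: set        # connectors defined in ERM
    erm_landscape: set        # systems assigned to the ERM landscape
    generation_system: str    # system assigned to the Role Generation action in ERM
    cup_connected: set        # connectors defined in CUP
    rar_connected: set        # connectors defined in RAR
    uses_risk_analysis: bool = True

def _norm(name):
    # Used only to tell "same system, different spelling" from "system absent".
    return name.strip().upper().replace("-", "_")

def check_integration(g):
    """Return sorted (rule, connector) findings for one GRC instance."""
    findings = []
    erm_norm = {_norm(s) for s in g.erm_connected}
    for conn in g.cup_connected:
        if conn not in g.erm_connected:
            # Requirement 1: the CUP connector must exist in ERM under the exact same name.
            rule = "NAME_MISMATCH" if _norm(conn) in erm_norm else "MISSING_IN_ERM"
            findings.append((rule, conn))
        elif conn not in g.erm_landscape:
            # Requirement 2: connected but not assigned to the landscape means
            # CUP finds no roles to import for that system.
            findings.append(("NOT_IN_ERM_LANDSCAPE", conn))
    # Requirement 3: the generation system must exist in RAR when Risk Analysis is used.
    if g.uses_risk_analysis and g.generation_system not in g.rar_connected:
        findings.append(("GENERATION_NOT_IN_RAR", g.generation_system))
    return sorted(findings)

ALL = {"PRD_100", "QAL_100", "DEV_100", "DEV_300"}
# Values from the page's PGC and QGC listings.
PGC = GrcInstance(ALL, ALL, "DEV_100", ALL, {"DEV_100", "PRD_100"})
QGC = GrcInstance({"QAL_100", "DEV_300"}, {"QAL_100", "DEV_300"}, "DEV_300",
                  {"QAL_100", "DEV_300"}, {"DEV_300", "QAL_100"})
# Constructed misconfiguration: lower-case connector in CUP, DEV_300 not
# assigned to the landscape, generation system missing from RAR.
BROKEN = GrcInstance(ALL, ALL - {"DEV_300"}, "DEV_100",
                     {"prd_100", "QAL_100", "DEV_100", "DEV_300"}, {"PRD_100"})

if __name__ == "__main__":
    for label, inst in (("PGC", PGC), ("QGC", QGC), ("constructed", BROKEN)):
        print(label, check_integration(inst) or "OK")
```
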

Importing Roles into CUP


When roles are imported into CUP, they are imported separately by system. Three options are available for import: (1) Back End, (2) Enterprise Role Management or (3) an import file. This scenario assumes the use of ERM as the source of the roles. Roles must be imported for each system separately when using the Back End or Enterprise Role Management selection. If a role has been imported for a particular system previously and is now being imported for a new system, CUP will add that system to the role master data screen.

To import roles into CUP, click on the Configuration tab in CUP. Then, in the left navigation pane, click on Roles, Import Roles. Fill in the screen as follows:
- Select the system to import roles
- Select Enterprise Role Management as the source
- Select the roles you wish to import by selecting one of the 3 options (see #1 in TIPS section for further information)
- Optionally, click Overwrite Roles if you wish to update information for existing roles in CUP.
- Click Import.

Repeat these steps for each system to have users with roles provisioned.


Additional Information and Tips


1. It is important to note that it is not necessary to import all of the roles from ERM into CUP for each system in the landscape, even if they physically exist in that system. This helps to control what roles can be provisioned to a user in a system; however, it will take a little more planning and maintenance during the role import process.

   Example: In the scenario above for PGC (Production GRC), functional roles that are created for business transactions probably do not need to be assigned in the DEV_100 (Development GOLDEN) client. The roles will still exist there and can be maintained from ERM, but would not need to be assigned to any user.

2. If available, it may be helpful to use a back end system that is NOT in the transport path as the Generation system for any Non-Production GRC systems. This way the role is preserved as it exists in the back end Production client for all systems in the transport path.


Disclaimer and Liability Notice


This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.
