GR C 10 Training

www.keylabstraining.
com
GRC 10 ONLINE TRAINING

info@keylabstraining.com
USA: +1-908-366-7933
India: +91-9550645679
Skype : keylabstraining
www.keylabstraining.com
ACCESS CONTROL 10.0: INTRODUCTION

Access Control 10.0: Introduction
SAP BusinessObjects Access Control is an enterprise software application
that enables organizations to control access and prevent fraud across
the enterprise, while minimizing the time and cost of compliance.
The application streamlines compliance processes, including access risk
analysis and remediation, business role management, access request
management, superuser maintenance, and periodic compliance
certifications. It delivers immediate visibility of the current risk
situation with real-time data.
Access Control 10.0 is part of newly released SAP Governance Risk &
Compliance (GRC) 10.0 which also comprised of Process control 10.0,
Risk Management 10.0 and Global Trade Services.
The greatest value in GRC 10.0 is the Harmonization of Access Control,
Process Control and Risk
management which ultimately results in shared processes, data and user
interface with reduction in redundancy.
ACCESS CONTROL 10.0: LANDSCAPE
Front end:
The front-end needs a web browser or (optionally) a
client installation of the NetWeaver Business Client
The web browser can be used to access the
embedded NWBC or GRC via the NetWeaver Portal
The Adobe flash player 10 is used for displaying
dashboards e.g. RM heat mapOverview of SAP
BusinessObjects Access Control 10.0
SAPGUI 7.10 PL 15 or higher is required for
administration or customizing tasks note that
SAPGUI 7.20 is
recommended due to the end-of-maintenance of
SAPGUI 7.10
The Crystal Reports Adapter (CRA) is required for
viewing (GRC) Crystal Reports.
Portal:
The NetWeaver Portal 7.02 can be used optionally
The GRC Portal Content contains the GRC Portal UI
elements to access the GRC suite
The Portals AS Java can contain an Adobe Document
Services instance, in effect Portal and ADS may be
shared on one AS Java instance
ERP and Non SAP Business Applications:
The GRC solutions can communicate with SAP ERP and
non-SAP business applications via plug-ins
NW Function Modules hold the AC functions for ERP
systems without HR (former non-HR RTA)
PC relevant features are contained in the plug-in
GRCPIERP, for example, for running automated controls
and the HR relevant functions for AC (former HR RTA)
GTS functions are part of the SLL-PI plug-in, for example,
for GTS integration into the Logistics, HR, FI/CO
and/or HCM processes in SAP ERP
Non-SAP ERP systems can also be connected via
adapters from an SAP Partner company
BI Content:
NetWeaver BW can be used for reporting via the GRC BI
Content
The GRC BI Content is part of BI Content 7.06
NetWeaver BW 7.02 is used for the GRC BI Content.
Identity Management:
AC can be integrated bi-directionally to IdM solutions for
provisioning and risk analysis
NetWeaver IdM7.2 is required for integrating with AC 10.0
Adobe Document Services:
An instance of Adobe Document Services (ADS) should be
accessible from the GRC AS ABAP for
generating offline forms .
Although it is technically optional, it is highly
recommended for generating PDF reports
These ADS can be an existing instance and can also be
shared with other applications
The Portals AS Java can contain an Adobe Document
Services instance, so Portal and ADS may be shared
on one AS Java instance.
NEW AND ENHANCED FEATURES:

1) Enhanced Visualization and Streamlined Navigation This
enhancement provides a common look and feel with
configurable role-based user access for GRC functions from the
SAP Portal or SAP
NetWeaver Business Client (NWBC). Streamlined user navigation
with shared work centers emphasizes function rather than
component. This significantly reduces duplication of menu items
(e.g., one inbox, not three) and makes possible sharing of data
and functions. Menu items seen by the individual user within
each work center is controlled by the users GRC role(s). This
also enables
data shared across components to be viewed differently by
different users
NEW AND ENHANCED FEATURES:

Improved Reporting GRC reporting leverages
the Business Suite ABAP List Viewer (ALV)
Crystal integration framework to present and
personalize ABAP (WebDynpro) reports and
convert into Crystal reports. This lowers the TCO
and extends the benefits of Crystal without the
need for a separate BOE server. It also reduces
the time spent by business users on reporting
needs. Custom Crystal reports with embedded
graphics can also be created easily with Crystal
Designer.
SEPARATION OF DUTIES
Separation of duties(SoD) is the
concept of having more than one
person required to complete a task. In
business the separation by sharing of
more than one individual in one single
task shall prevent fromfraudanderror.
The concept is alternatively called
segregation of duties
SOD RISK MANAGEMENT PROCESS

OVERVIEW
SAP has developed a three-phase approach

to risk management. By applying this
method, it is possible to implement a process
for segregation of duties (SoD) risk
management.The process begins by defining
the risks, and building and validating rules.
SOD RISK MANAGEMENT PROCESS OVERVIEW
Segregation of Duties and Critical Actions:

In a Sarbanes Oxley Act regulated environment, business
need to define their access controls based on segregation of
duties (SoD). In some cases, it is challenging to define SoDs
because in many cases, processes are shared among
business areas. Below are examples of risks in nonsegregated duties
Rule Building and Validation :

After risk recognition, the second step in Phase One
of the SoD Risk Management process is Rule
Building and Validation.
Rule Building Process:

Rules include risks, functions, and business processes. The main
components of the rule building process are shown below. Access
Control automatically generates the rules as permutations of the
different actions and permissions derived from the combined
functions.
Functions:
Functions include specific actions commonly used for a job role
or set of tasks, for example Maintain General Ledger Master
Records or Post Journal Entry. Authorization to perform certain
combinations of functions results in a risk.
Rule Structure:
Actions and permissions combine to form functions. Functions in
certain combinations result in a risk. Risks are associated with
business processes and all the components come together to form
rules. Rules are collected in a rule set.
PHASE TWO OVERVIEW

The purpose of this phase is to provide business
process analysts and business process owners with
alternatives for correcting or eliminating risk.
Risk Analysis
During Risk Analysis, perform a security analysis to
identify risks for:
Simple roles
Composite roles
Users
Review the roles to determine how certain personnel
might be restricted from performing undesired
activities by checking:
Objects
Fields
Values
PHASE 2 FIGURE
RISK REMEDIATION OVERVIEW

The purpose of the remediation phase is to determine alternatives for
eliminating issues in roles.
The recommended approach is to resolve issues in the following order:
Single roles
This is the simplest place to start
Prevents SoD violations from being reintroduced
Composite roles
Users
Risk Remediation
Use a simulation to perform a "what if" analysis on the assignment or
removal of user actions
Use the Management view or Risk Analysis reports for analysis
Security Administrators should document the plan
Business Process Owners should be involved and approve the plan
Simulation
Simulation allows you to preview the result of changes to roles and user
actions to see if your
changes create new risk situations before implementing them Decide
whether to add or remove a value
MITIGATION CONTROLS
EXAMPLES OF MITIGATION CONTROLS
Examples of Mitigation Controls

Review of strategies and authorization limits
Review of user logs
Review of exception reports
Detailed variance analysis
Establish insurance to cover impact of a security incident
Types of Mitigation Controls
Preventative Controls: minimize the likelihood or impact of a risk
before it actually occurs
Detective Controls: alert when a risk takes place and enable the
responsible person to initiate corrective measures
Best Practices
Segregate creation and approval from assignment
Use mitigation as a last resort for exceptions left over from
remediation efforts that have legitimate business reasons to not use
SoD controls
CONTINUOUS COMPLIANCE
THE GRC ARCHITECTURE

GRC solutions share a common technology platform and can be
installed on a single NetWeaver ABAP system.
GRC COMPONENTS
ComponentsGRC 10.0 runs on AS ABAP 7.02

SP6 or higher. The installation components
are broken out as follows:
Access Control, Process Control, and Risk
Management are contained in one ABAP
add-on GRCFND_A
Global Trade Services resides in a separate
add-on SLL-LEG
Nota Fiscal Eletronica has its own add-on
SLL-NFE
Content Lifecycle Management (CLM)
contains functions for transporting GRC
business data, for example, Access Control
rules or Process Control controls. CLM has
the same version requirements as the GRC
10.0 solution and is installed during the GRC
installation. CLM can be disabled if not
required.
ACCESS CONTROL 10.0 ARCHITECTURE

NetWeaver ABAP is the underlying platform
Harmonized with the other GRC 10.0 applications
Leverages existing NWABAP investments:
Role comparison at Action or Permission level
Comparison between roles within Access Control
Harmonization with Process Control and Risk Management allows
users to leverage master data
ACCESS CONTROL ARCHITECTURE COMPONENTS

Access Control constitutes a set of core components:
Access Risk Analysis and Management
Compliance Certification Review
Role Management
Role Mining
Superuser Access Management
Access Control Repository
GRC COMMON COMPONENTS

Access Control uses a set of GRC common components as
part of the harmonization of the GRC suite. These
components are also available to Process Control and Risk
Management:
GRC Master Data
Workflow
Reports and Dashboards
NETWEAVER COMPONENTS
Access Control uses ABAP Web Dynpro as the user interface or UI
technology.
The GRC solution can be presented to end users by using either
NWBC (NetWeaver Business Client) or through the use of SAP
Portal.
Configuration for Access Control is executed using the SAP IMG
via the SAP GUI, which is common across the GRC suite.
Access Control connects to SAP and non-SAP systems with
adapter or IdM systems using the integration framework.
The ABAP database is the common repository for all Access
Control data.
SECURITY AND AUTHORIZATIONS

You are planning a solution and must be able to explain object-level
security, authorization requirements, and identify delivered roles and
security objects.
Object-Level Security
Object-Level Security gives you the ability to limit access for end users
to what they need to see at a granular level. you can limit access by
function, risk, user, or anyother authorization objects available within
role maintenance.
Authorizations
To configure the IMG, you need:
PFCG role(s) relative to specific components to be
configured
PFCG role(s) sufficient to configure SAP workflow
and other non-GRC technologies
PFCG role(s) on GRC and non-GRC systems to set
up Continuous Monitoring
To access GRC 10.0 solutions, you must have at
least the following:
Portal authorization or NWBC authorization
Applicable PFCG base roles
PFCG role(s) relative to specific components (AC, PC, RM) to

be used
Using Access Control with GRC Solutions
If you use Access Control with other GRC solutions, you can
leverage this functionality to:
Manage PFCG roles used with GRC
Create GRC users
Assign GRC PFCG roles to users
Perform SoD analysis for PFCG role authorizations
Assignment of entity-level authorization (via application role
assignment) and ticket-based authorization (via substitution
or transfer) must be done in the respective component.
INSTALLATION
Installation Prerequisites Server
NetWeaver AS ABAP 7.02 SP6 or higher
Installation Prerequisites Back-end
For ERP systems that will install Access Control Plug-In the
following prerequisites must be met:
For SAP ERP system 4.6C, the system must be at SAP_BASIS Support
Pack 55
For SAP ERP 4.70 system, the system must be at SAP_BASIS Support
Pack 63
For ERP 2004 system, the system must be at SAP BasisSupport Pack
18
For ERP 6.0 system, the system must be at SAP_BASIS Support Pack 13
For NetWeaver systems that will install Access Control Plug-In
the following prerequisites must be met:
For SAP Basis 4.6C, the system must be at SAP_BASIS Support Pack 55
For NW 6.20 system, the system must be at SAP_BASIS Support Pack
63
For NW 6.40 system, the system must be at SAP_BASIS Support Pack
18
WHERE TO OBTAIN THE GRC 10.0 SOFTWARE

http://service.sap.com/swdc
CONTENT OF THE INSTALLATION ZIP
ACCESS CONTROL INSTALLATION NOTES
Installation Notes
SAP Note 1490996: Install SAP GRC Access Control 10.0 on
SAP NW 7.02
SAP Note 1500168: Install SAP GRC Access Control 10.0 PlugIn on SAP BASIS 46C NW
SAP Note 1497971: Install SAP GRC Access Control 10.0 PlugIn on SAP BASIS 620 NW
SAP Note 1503749:Install SAP GRC Access Control 10.0 Plug-In
on SAP BASIS 710 NW
SAP Note 1500169: Install SAP GRC Access Control 10.0 PlugIn on SAP BASIS 46C ERP
SAP Note 1497972: Install SAP GRC Access Control 10.0 Plug-
INSTALLATION OF MAIN COMPONENTS

OFAC/PC/RM 10.0
General Steps:
1.Main installation
components:
GRCFND_A
2.Download the installation
packages from Service
Marketplace
3.Install with the transaction
SAINT
4.Follow the detailed
instructions from the SAP Note
1490996
5.Apply the most recent
Support Packages
INSTALLATION OF PLUG-IN FOR AC/PC 10.0 ON

ERP
General Steps:
1.Main installation
components:
GRCPINW
GRCPIERP
2.Download the installation
packages from SMP
3.Install with the transaction
SAINT
4.Follow the detailed
instructions from the SAP
Notes 1500689 and 1500690
5.Apply the necessary Support
Packages if there is any
Note:
Attention:The
Plug-Ins vary depending
AC 10.0 plug-ins will upgrade any existing RTA
on back
fromend
previous
ERP system.
AC releases.
This means that any AC instance on running 5.X will stop
working after the plug-ins
are installed.
GRC 10.0 POST-INSTALLATION

1.Client Copy
2.Activating Applications in Client
3.Check SAP ICF Services
4.Activating BC Sets
5.Creating the Initial User in the ABAP System
6.Activate Profile of Roles Delivered by SAP
7.Activate Common Workflow
CLIENT COPY
T-code which starts from SCC*
1. Choose Administration --> System administration -->
Administration>Client admin.>Client Copy-->Local Copy.
2. Select a copy profile.
3. Enter the source client.
click the tick mark it will take some time ....
you can refer the link below
http://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/
bcctscco.pdf
ACTIVATING APPLICATIONS IN CLIENT

Call the customizing
with transaction SPRO
Choose SAP
Reference IMG
Expand the
Governance, Risk and
Compliance > General
Settings node and
choose Activate
Applications
in
Choose
New Entries
Client
ACTIVATING APPLICATIONS IN CLIENT

Click the first row and select the GRC solution(s)
required for your project
Then choose the Activecheckbox
Click Save
Note: you may have to create a transport
request
EXAMPLE IS OF GRC PC,YOU MAY NEED AC
IF YOU NEED ONLY ACCCESS CONTROL
CHECK SAP ICF SERVICES

Call transaction SICF
Click the Execute icon

Expand the node default_host-> sap
-> public
Right click publicand choose
Activate Service
Choose Activate Service for all
sub-nodes
Proceed likewise with the node

default_host-> sap -> bc
Activate all sub-nodes too
Now activate the node default_host->

sap -> grc
Also activate all sub-nodes
ACTIVATING BC SETS
Call transaction SPRO again
Click SAP Reference IMG
Click Existing BC Sets in the next
screen
ACTIVATING BC SETS
Select a BC Set
Click BC Sets for Activity
ACTIVATING BC SETS
From the menu choose Goto >Activation Transaction
These BC sets can also be activated via transaction code
SCPR20
ACTIVATING BC SETS
Activate the corresponding BC sets.
Proceed likewise for all required PC, RM, and/or AC BC sets
For a complete list of BC Sets please refer to the PC/RM/AC install
guide!
NOTE:BELOW EXAMPLE IS FOR ACTIVATION ON TIME FRQUENCY
FOR GRCPC:PROCESS CONTROL.
ACTIVATING BC SETS
When activating always use Expert mode
CREATING THE INITIAL USER IN THE ABAP SYSTEM

Call transaction SU01, create a user
Assign following role to access GRC applications, such as AC
SAP_GRC_FN_BASE
Assign following power user role to the person doing the
customization of the product
SAP_GRC_FN_ALL
Assign following role to the business users
SAP_GRC_FN_BUSINESS_USER
Assign following role if you use NWBC as front end UI instead
of Portal
SAP_GRC_NWBC
ACTIVATE PROFILE OF ROLES DELIVERED BY SAP

Activate profile of roles delivered by SAP via
transaction PFCG if you want to use them directly
For the list of the roles, please refer to Security
Guide -here is an example of the SAP-GRC-NWBC
role
Please use transaction SUPC for mass profile
generation in case you want to generate profiles
for multiple roles
ACTIVATE COMMON WORKFLOW

Call transaction SPROagain
Click SAP Reference IMG
Access Workflow node under Governance,
Risk and Compliance > General Settings
Execute Perform Automatic Workflow
Customizing
ACTIVATE COMMON WORKFLOW PERFORM

AUTOMATIC WORKFLOW CUSTOMIZING
Execute Perform
Automatic Workflow
Customizing
Make sure that all tasks are
green after the generation
as show in the screenshot
Note: you may have to
create a transport request
During the activation
procedure you might
receive an error message,
then check the created
system user WF-BATCH in
SU01 if the user has
sufficient roles assigned
see SAP Note 1251255and
the GRC Security Guide.
You may need to run
program RHSOBJCH to fix
ACTIVATE COMMON WORKFLOW PERFORM

AUTOMATIC WORKFLOW CUSTOMIZING
Maintain the Prefix Numbers to your needs or like
shown in the screenshot
ACTIVATE COMMON WORKFLOWPERFORM TASKSPECIFIC CUSTOMIZING

Execute
PerformTaskSpecific
Customizing
Expand the
GRCnode.
Click the
Assign
Agents link
at the right
side of the
GRCnode.
Note: if no folders are visible below the GRC folder please run
report RS_APPL_REFRESH in SE38

Assign Task as General
Task via Task Attribute.
Make sure all tasks that
are not using Background
task have been assigned
as General Task.
ck Activate event linking

Click the Properties icon
Set the Linkage Status to No
errors
Make sure Event linkage
activated is checked.
Set Error feedback to Do not
change linkage
Be sure to activate all WS.

Repeat the first four steps to
activate the solutions you need
(e.g. for Access Control GRCAC)
Note: taskspecific
customizing for
GRC-AC is
notavailable in
case you have
the GRC plug-ins
installed in your
GRC system,
check the
Appendix for
perfomingthe
customizing in
POST-INSTALLATION TO FIRST EMERGENCY ACCESS

Requirements
oAdding connector to SUPMG scenario
oCreating users and assigning roles
oVerifying time zones
Configuration
oMaintaining AC owners
oAssigning owners to firefighter IDs
oAssigning firefighter IDs and controllers to firefighters
oCreating reasons codes
Starting an emergency access session
Managing Logs
oRunning log collection
oViewing the firefighter reports
MAINTAIN CONFIGURATION SETTINGS
ADDING CONNECTOR TO SUPMG SCENARIO

To create access requests it is required to have the SUPMG
scenario linked to the connector, this is done via IMG:
CREATING USERS AND

ASSIGNING ROLES
Please create users and roles as needed. Remember to
synchronize again the repository (program
GRAC_REPOSITORY_OBJECT_SYNC ). These roles are
provided as examples and customer roles need to
be created based on their authorizations.
In the AC systemRole
Firefighter userSAP_GRAC_SUPER_USER_MGMT_USER
FirefightercontrollerSAP_GRAC_SUPER_USER_MGMT_CNTLR
FirefighterownerSAP_GRAC_SUPER_USER_MGMT_OWNER
In the target systemRole
Firefighter IDSAP_GRAC_SPM_FFID
In the AC system the Firefighter ID role is configured in
ParamID 4010 (Firefighter ID role name)
Reminder: end users will require also the roles
based on SAP_GRC_FN_BASEand
SAP_GRC_FN_BUSINESS_USER
VERIFYING TIME ZONES

For logs to be properly captured the time zones in the
connected ERP systems need to be configured to
match the operating system and also the AC server
time zone. This is done in IMG under SAP
NetWeaverGeneral Settings Time Zones
Maintain System Settings
CONFIGURATION
Maintaining AC owners
Assigning owners to firefighter IDs
Assigning firefighter IDs and controllers to
firefighters
Creating reasons codes
MAINTAINING AC OWNERS
Go to NWBC Access Management GRC Role
Assignments Access Control Owners and maintain the
controllers and owners as shown below:
After this is done it is possible to assign those to

FireFighterIDs.
ASSIGNING OWNERS TO
FIREFIGHTER IDS
In Access Management go to SuperuserAssignment and
click on Owners. Here owners are assigned to firefighter
IDs.
ASSIGNING FIREFIGHTER IDS AND CONTROLLERS

TO FIREFIGHTERS
Now you need to assign firefighter IDs and controllers
to users. This is done by going to
SuperuserAssignment Firefighter IDs
Note: Multiple firefighter users and controllers can be

assigned to a multiple firefighter ID.
CREATING REASONS CODES

The reason codes available for firefighter users are
maintained under Superuser Maintenance Reason
Codes
STARTING EMERGENCY ACCESS

Starting a firefighter session
Login to the AC system using the
firefighter user and launch
transaction GRAC_SPM
You will be able to connect to the
target system using the firefighter IDs
previously assigned
MANAGING LOGS
Running Log Collection
Viewing the firefighter reports
Running log collectionForeground mode
The foreground job for log collection can be executed from the Update
Firefighter Log Button which can be found in the following path:
Reports And Analytics Super User Management Reports Consolidated
Log Report
RUNNING LOG COLLECTIONBACKGROUND MODE

The Background Job for Log Collection can be
scheduled periodically from SM36 using
program GRAC_SPM_LOG_SYNC_UPDATE.
THANK YOU
KEYLABS
INFO@KEYLABSTRAINING.COM
WWW. KEYLABSTRAINING.COM

GR C 10 Training

Uploaded by

Copyright:

Available Formats

GR C 10 Training

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GR C 10 Training

Uploaded by

Copyright:

Available Formats

www.keylabstraining.

GRC 10 ONLINE TRAINING

ACCESS CONTROL 10.0: INTRODUCTION

ACCESS CONTROL 10.0: LANDSCAPE

NEW AND ENHANCED FEATURES:

NEW AND ENHANCED FEATURES:

SOD RISK MANAGEMENT PROCESS

SAP has developed a three-phase approach

SOD RISK MANAGEMENT PROCESS OVERVIEW

Segregation of Duties and Critical Actions:

Rule Building and Validation :

Rule Building Process:

PHASE TWO OVERVIEW

RISK REMEDIATION OVERVIEW

EXAMPLES OF MITIGATION CONTROLS

Examples of Mitigation Controls

THE GRC ARCHITECTURE

ComponentsGRC 10.0 runs on AS ABAP 7.02

ACCESS CONTROL 10.0 ARCHITECTURE

ACCESS CONTROL ARCHITECTURE COMPONENTS

GRC COMMON COMPONENTS

SECURITY AND AUTHORIZATIONS

PFCG role(s) relative to specific components (AC, PC, RM) to

WHERE TO OBTAIN THE GRC 10.0 SOFTWARE

CONTENT OF THE INSTALLATION ZIP

ACCESS CONTROL INSTALLATION NOTES

INSTALLATION OF MAIN COMPONENTS

INSTALLATION OF PLUG-IN FOR AC/PC 10.0 ON

GRC 10.0 POST-INSTALLATION

2. Select a copy profile.

3. Enter the source client.

click the tick mark it will take some time ....

you can refer the link below

ACTIVATING APPLICATIONS IN CLIENT

ACTIVATING APPLICATIONS IN CLIENT

CHECK SAP ICF SERVICES

CHECK SAP ICF SERVICES

CHECK SAP ICF SERVICES

Proceed likewise with the node

CHECK SAP ICF SERVICES

Now activate the node default_host->

CREATING THE INITIAL USER IN THE ABAP SYSTEM

ACTIVATE PROFILE OF ROLES DELIVERED BY SAP

ACTIVATE COMMON WORKFLOW

ACTIVATE COMMON WORKFLOW PERFORM

ACTIVATE COMMON WORKFLOW PERFORM

ACTIVATE COMMON WORKFLOWPERFORM TASKSPECIFIC CUSTOMIZING

ACTIVATE COMMON WORKFLOWPERFORM TASKSPECIFIC CUSTOMIZING

ACTIVATE COMMON WORKFLOWPERFORM TASKSPECIFIC CUSTOMIZING

ck Activate event linking

ACTIVATE COMMON WORKFLOWPERFORM TASKSPECIFIC CUSTOMIZING

ACTIVATE COMMON WORKFLOWPERFORM TASKSPECIFIC CUSTOMIZING

POST-INSTALLATION TO FIRST EMERGENCY ACCESS

MAINTAIN CONFIGURATION SETTINGS

ADDING CONNECTOR TO SUPMG SCENARIO

CREATING USERS AND

VERIFYING TIME ZONES

After this is done it is possible to assign those to