Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
Hands-On Lab – Part 1: A Beginner’s Guide to the Configuration of SAP Access Control
Kurt Hollis and Nicole Teibel, Deloitte
In This Session
• In this hands-on session, gain practical instruction to perform configuration:
  - Review and perform certain important post-installation steps of GRC 10.1
  - Technical post-installation tasks for GRC 10.1
  - Configure the first risk analysis
  - Configure the first emergency access
  - Configure the first access request
• All in a newly implemented SAP Access Control 10.1 system
• Expert instructors guide you through key processes and tasks
• Speed up the process of setting up your system while learning important configuration settings based on real customer project knowledge
In This Session (cont.)
• Reviewing the SAP solutions for GRC 10.1 technical overview and architecture
• Taking important post-installation steps, like activating the BC Sets and initializing workflows
• Setting up and customizing your rule set
• Running scheduled jobs for synchronization and risk analysis
What We’ll Cover
• Overview of Lab
• Technical Architecture
• Lab Systems Information
• Implementation Overview
• Lab Section 2 Key Points
• Lab Section 3 Key Points
• Lab Section 4 Key Points
• Lab Section 5 Key Points
• Wrap-up
Lab Timing and Sections
• Wednesday, March 16th 2016, 3:00-6:00 p.m.
  - Intro/Lab Overview I: 15 minutes (3:00-3:15)
  - Lab – Part 1: 70 minutes (3:15-4:25)
  - Short Break: 10 minutes (4:25-4:35)
  - Lab Overview II: 15 minutes (4:35-4:50)
  - Lab – Part 2: 70 minutes (4:50-6:00)
• Parts 1 and 2 and assigned sections
  - Part 1 – Section 1: Lab Overview, Lab Schedule, Lab User Access Information
  - Part 1 – Section 2: GRC Post-Installation Setup Steps and Verification
  - Part 1 – Section 3: GRC Risk Analysis Configuration and First Risk Analysis
  - Part 2 – Section 4: GRC Emergency Access Configuration and First Emergency Access
  - Part 2 – Section 5: GRC Access Request Configuration and First Access Request
Part I: Lab Details
• Section 1
  - Lab Overview, Schedule, and Information
• Section 2
  - Validate the system and implementation (post-installation)
  - Prepare the GRC system, completing common post-installation steps
• Section 3
  - Set up risk analysis
  - Perform first risk analysis
  - Set up a batch risk analysis job and run it
  - Verify the dashboards
Part II: Lab Details
• Section 4
  - Set up emergency access
  - Perform first emergency access
• Section 5
  - Set up user access provisioning
  - Perform first user access provisioning
Introduction for Lab Workbook
• The lab workbook hard copy is yours to keep and will serve as a very valuable step-by-step guide for setting up your own GRC systems
• The lab is organized into five sections
  - Section 1 covers the details about the lab
  - Sections 2-5 are the GRC lab content
• The guide is in a self-paced, step-by-step format
• 90% of the steps have screen prints to aid you in the work
• Many steps are to verify or view the current settings or configuration (display only)
  - Done in the interest of saving time
• Some steps require your input or changes
  - Please pay attention to these steps
• Please do not make random changes to the configuration, or the final results of a running scenario may fail
• Instructors are available if you need help
Lab System
• Lab system based on SUSE 11.3 Linux Server with MAXDB 7.5 running SAP NetWeaver 7.40, SP13, and GRC 10.1 SP11 (latest version)
• Self-contained system with everything needed to run the lab on one system
• GRC system has the GRC for SAP NetWeaver plug-in installed (to itself)
• Conference laptop is running VMware Workstation 10
• GRC system is a VMware-based system (for the lab)
The Lab System Facts
• The GRC system for this lab is running locally on laptops and not on a server across the network
• We have 40-50 GRC systems running here, one GRC system per laptop
  - Done to guarantee performance and complete independence from others working on the same system
• The system is strictly yours and not shared
• No outbound connections needed, free from network issues
• Versions of the software, again for reference:
  - Laptop is running VMware Workstation 10
  - GRC system running on SUSE Linux 11.3 Server and MAXDB 7.5 database
  - The GRC system is based on SAP NetWeaver 7.40, SP13
  - The GRC system is running GRCFND_A 10.1, SP11
  - The GRC plug-in is installed and is version 10.1, SP13
  - The SAP GUI is installed and is version 7.40 SP2
Lab System and Source System
• The source system for the lab system is the lab system itself
• We installed the GRC plug-in into the same system as the GRC system
• A local GRC plug-in is common and allowed in the same system as the GRC system
• “ARA” risk analysis is completely possible using the Basis roles to perform SOD analysis in the GRC system
• No ERP roles are used in this scenario, Basis roles only
• “EAM” emergency firefighter access is possible
• User and role provisioning is possible
• We set up the connector to the same system using connector name GRDCLNT200
  - The RFC destination has the same name
Accessing the Lab System
• SAP System SID is “GRD”
• Client number is 200
• Instance number is 00
• Server host is “ussltcsnl1271”
• Start the SAP GUI
• Launch the GRD LAB system in the SAP GUI
• Log in to client 200 as grctrain1 or grctrain2 with password “grc2016lab”
  - The user “grceamadm” is also used for EAM
• Launch transaction “NWBC” for the GRC Web Interface
Installation Planning
• High-level plan to implement GRC Suite 10.1

  Step  Description                                                                  Duration
  1     Project plan; review guides and SAP Notes for installation; download         1 day
        software. Verify server readiness, O/S and patches, and that users for
        O/S access to the system are set up.
  2     SAP technical team installs SAP NetWeaver ABAP 7.40. Installation            2 days
        includes the database system and required patches (new system
        installation).
  3     Install support packages for SAP NetWeaver (SP01-SP0x).                      0.5 day
  4     Install SAP GRC applications and required support packages (GRCFND_A         0.5 day
        package and SP01-SP0x). See SAP Note 1855403. Use SAINT to install.
  5     Install plug-in components in the SAP ERP back-end system (GRCPIERP,         0.5 day
        GRCPINW). Use SAINT to install. See SAP Notes 1855404 and 1855405.
Installation Planning (cont.)
• Six to seven days is typical for SAP NetWeaver and GRC installation, but this varies based on skills
• An experienced GRC person can complete it in one week; some tasks are done in parallel
• In this lab, we are doing parts of steps 6 and 7 in 3 hours!

  Step  Description                                                                  Duration
  6     Perform all technical post-step configurations:                              1 day
        • ABAP parameter changes
        • Set up clients, activate apps, activate SICF
        • Set up STMS, ICM, SSO, SSL
        • Licenses, backups, monitoring
  7     Perform all SAP GRC application (technical-related) post-step                1 day
        configurations, including activating certain BC Sets (functional-related)
  8     Perform quality checks for installation, performance considerations          0.5 day
  9     Perform go-live checks (SAP) (production systems only)                       1 day
GRC 10.1 Implementation: Post-Installation Tasks
  Step  Tasks for GRC 10.1 AC/PC/RM Post-Installation
  1     Client Setup – Copy Client from 000
  2     Activate Applications in Clients
  3     Activate Web HTTP using SMICM Services
  4     Activate Web HTTP Content using SICF Activation
  5     Set up SAP Business Workflow
  6     Set up EMAIL using transaction SCOT
  7     Set up Parallel Processing for Batch Jobs
  8     Activate BC Sets
  9     Configure Connections in SPRO to SAP Systems (IMG)
  10    Basic Configuration of GRC Background Jobs (Part of Section 3)

Covered in Lab Section 2
Steps for Section 2: Post-Installation Setup
1. Login to the System
2. Verify the Client Copy is Completed
3. Activate Applications in Client
4. Maintain Web Services in SMICM (HTTP)
5. STRUST SSO Setup
6. New UI5 OData Services
7. Test NWBC User Interface
8. Workflow Setup
9. EMAIL Setup (skipped)
10. System Connections Setup
Demo of Section 1, 2, and 3 Important Steps
• Demonstration of a few important steps in Lab Sections 1, 2, and 3
Steps for Section 3: First Risk Analysis
1. Activate BC Sets (Rule Sets)
2. Generate the Rules
3. Maintain Configuration Settings for ARA
4. Run the Synchronization Jobs
5. Test Risk Analysis
6. Run the Full Batch Risk Analysis
7. Run the Batch Risk Analysis Monitor
8. Run the Risk Violation Dashboards
9. Check the Application Logs (SLG1)
Section 3: BC Sets Key Points
• Business Configuration (BC) Sets are an official implementation toolset used to simplify the customization process
• Certain BC Sets delivered with GRC suite 10.1 need to be activated
  - Transaction SCPR20
  - Perform the activation in the Development “Config” client
  - Transports will be created
  - Move these transports up the landscape (and also to other Development clients)
• Errors may occur during the activation (see SAP guide)
  - BC Sets that begin with GRPC-ATTR-* have errors that can be ignored
  - These are documented in the SAP Notes and guides
Section 3: BC Sets Key Points (cont.)
• Activation is done using SCPR20
• New rules are loaded using this method
• All initial configuration is loaded with this method (loading is client-specific)

  Specific to Access Risk Analysis
  GRAC_RA_RULESET_COMMON       SOD Rules Set                       (THIS ONE)
  GRAC_RA_RULESET_SAP_BASIS    SAP Basis Rules Set                 (NO)
  GRAC_RA_RULESET_SAP_HR       SAP HR Rules Set                    (NO)
  GRAC_RA_RULESET_SAP_NHR      SAP R/3 less HR Basis Rules Set     (Not needed)
  GRAC_RA_RULESET_SAP_R3       SAP R/3 AC Rules Set                (THIS ONE)
  GRAC_RA_RULESET_SAP_SRM      SAP SRM Rules Set                   (NO)

  Specific to Access Request Management
  GRAC_ACCESS_REQUEST_REQ_TYPE*        Request Type
  GRAC_ACCESS_REQUEST_EUP*             EUP (Note: only the value EU ID 999 is valid for this BC set)
  GRAC_ACCESS_REQUEST_APPL_MAPPING*    Mapping BRF Function IDs and AC Applications
  GRAC_ACCESS_REQUEST_PRIORITY*        Request Priority

  Specific to Business Role Management
Section 3: BCSETS — Rule Sets Key Points
• The following rule sets are available via SCPR20. Notice that each rule set is activated and linked into a separate logical group (technical name in brackets):
  - GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)
  - GRAC_RA_RULESET_SAP_HR: Rules for HR only (SAP_HR_LG)
  - GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)
  - GRAC_RA_RULESET_SAP_BASIS: Rules for Basis (SAP_BAS_LG) (USED IN LAB)
  - GRAC_RA_RULESET_SAP_APO: Rules for APO (SAP_APO_LG)
  - GRAC_RA_RULESET_SAP_CRM: Rules for CRM (SAP_CRM_LG)
  - GRAC_RA_RULESET_SAP_ECCS: Rules for ECCS (SAP_ECC_LG)
  - GRAC_RA_RULESET_SAP_SRM: Rules for SRM (SAP_SRM_LG)
  - GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)
  - GRAC_RA_RULESET_ORACLE: Rules for Oracle Apps (ORACLE_LG)
  - GRAC_RA_RULESET_PSOFT: Rules for PeopleSoft HRMS (PSOFT_LG)
Section 3: Alternative to Loading Rule Set from BCSETS
• As an alternative to BC Sets, you can also upload rules from SPRO
  - SPRO > Governance, Risk, and Compliance > Access Control > Access Risk Analysis > SOD Rules > Upload Rules (use the same files as delivered for the Access Control 5.3 rule files)
• The nine SOD rule files can be uploaded into the AC 10.1 system using transaction code GRAC_UPLOAD_RULES with the Append/Overwrite option
  - Business Process, Function, Function Business Process, Function Actions, Function Permissions, Rule Set, Risk, Risk Description, Risk Rule Set Relationship
• AC 10.1 SOD action rules can be validated by looking at the table GRACACTRULE
• For the other tables related to SOD rules, press F4 in transaction SE16 to see a dropdown of the *GRAC*RUL* tables
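As an added example (not SAP code and not part of the lab workbook), a small Python model of how the rule entities just listed combine in an action-level risk analysis: Function Actions define which transactions implement a function, a Risk lists the functions that conflict, and the Risk Rule Set Relationship ties the risk to a rule set. All function, risk, role and user data here is constructed, and the permission-level (Function Permissions) pass of the real engine is left out.

```python
"""Toy action-level SoD risk analysis modelled on the ARA rule entities.

Added example, not SAP code. Entity names follow the rule files uploaded
with GRAC_UPLOAD_RULES (Function, Function Actions, Risk, Risk Rule Set
Relationship). All rule, role and user data is constructed; the real
engine also evaluates Function Permissions, which this model leaves out.
"""
from typing import Dict, Set

# "Function Actions": function -> actions (transactions) that implement it.
FUNCTION_ACTIONS: Dict[str, Set[str]] = {
    "BS01": {"SU01", "SU10"},   # maintain users
    "BS02": {"PFCG"},           # maintain roles
    "BS03": {"SM30", "SM31"},   # maintain tables
}
# "Risk": risk -> the functions whose combination is a conflict.
RISKS: Dict[str, Set[str]] = {
    "B001": {"BS01", "BS02"},   # create a user and grant it roles
    "B002": {"BS01", "BS03"},   # create a user and edit auth tables
}
# "Risk Rule Set Relationship": risk -> logical group / rule set it belongs to.
RISK_RULESET: Dict[str, str] = {"B001": "SAP_BAS_LG", "B002": "SAP_BAS_LG"}

# What the repository object sync pulls from the target system (constructed):
# the actions each role grants and the roles assigned to each user.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "Z_USER_ADMIN": {"SU01", "SU10", "SU53"},
    "Z_ROLE_ADMIN": {"PFCG", "SUIM"},
    "Z_DISPLAY": {"SE16", "SU53"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "GRCTRAIN1": {"Z_USER_ADMIN", "Z_ROLE_ADMIN"},
    "GRCTRAIN2": {"Z_ROLE_ADMIN", "Z_DISPLAY"},
}


def user_actions(user: str) -> Set[str]:
    """Union of the actions a user holds through all assigned roles."""
    return set().union(*(ROLE_ACTIONS[r] for r in USER_ROLES.get(user, set())))


def functions_held(actions: Set[str]) -> Dict[str, Set[str]]:
    """Functions held at action level: one matching action is enough.

    Returns function -> the user's actions that matched, for reporting.
    """
    return {f: a & actions for f, a in FUNCTION_ACTIONS.items() if a & actions}


def analyze_user(user: str, ruleset: str = "SAP_BAS_LG") -> Dict[str, Dict[str, Set[str]]]:
    """Risks of one rule set (the SPRO 'Default Rule Set') that the user violates.

    A risk is violated only when the user holds every function it lists; the
    result maps each violated risk to its functions and the actions behind them.
    """
    held = functions_held(user_actions(user))
    return {
        risk: {f: held[f] for f in funcs}
        for risk, funcs in RISKS.items()
        if RISK_RULESET.get(risk) == ruleset and funcs <= set(held)
    }
```

With the constructed data, `analyze_user("GRCTRAIN1")` reports risk B001 through SU01/SU10 and PFCG, while GRCTRAIN2 holds only the role-maintenance function and is clean.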
Section 2: Key Configuration Settings in SPRO
• Using SPRO (IMG), important settings are made in Access Control Configuration Settings
• Important settings are Default Rule Set, Report Type, Offline Risk Analysis, and the “Ignore” settings
Section 3: Background Jobs for Access Control
• Access Control jobs to be scheduled (ARA)

  Job Name                                                           Job Type     Frequency
  User/Role/Profile Sync (GRAC_REPOSITORY_OBJECT_SYNC)               Full         One time and then hourly to make sure that everything is up to date
  User/Role/Profile Batch Risk Analysis (GRAC_BATCH_RISK_ANALYSIS)   Full         One time and then monthly (outside of core business hours) to make sure that everything is up to date
  Authorization sync                                                 –            Daily or weekly depending on the volume of changes to the core authorizations in the target system
  Action Usage sync                                                  –            Daily
  Role Usage sync                                                    –            Daily
  User/Role/Profile Sync                                             Incremental  Hourly or daily depending on the number of changes to users, roles, and profiles
  User/Role/Profile Batch Risk Analysis                              Incremental  Daily or weekly depending on the volume of changes

• Access Control jobs to be scheduled (SPM)

  Job Name                    Frequency   Description
  GRAC_SPM_LOG_SYNC_UPDATE    Hourly      Generates the EAM activity log
  GRAC_SPM_WORKFLOW_SYNC      Hourly      Compiles the EAM logs together by controller and triggers the log review workflow
Section 3: Background Jobs for Access Control (cont.)
• Schedule jobs for Batch Risk Analysis (ARA)
  - It is possible to distribute the jobs that are processed in parallel for Access Control and control the number of parallel jobs running
  - Use RZ12 (1) and SPRO > Set Job Distribution for Parallel Processing (2)
Section 3: Final Results
• First risk analysis successful
• User Risk Analysis – User GRCTRAIN1 risks found
• Ad hoc analysis, foreground
Section 3: Final Results (cont.)
• User Risk Analysis – Dashboard
• Results from full batch risk analysis jobs, all users
Steps for Section 4: First Emergency Access
1. Activate BC Sets (Emergency Access)
2. Add Connectors to Firefighting Scenario (SUPMG)
3. Maintain Configuration Settings
4. Maintain Criticality Levels
5. Create Firefighter IDs in Target Systems
6. Complete Synchronization
7. Define Owners and Controllers
8. Assign Firefighter IDs to Firefighters
9. Access Firefighter ID
10. Run Log Collection Job
11. Access and Review Firefighter Logs
Section 4: Emergency Access Key Points
• The overall objective of this section is to familiarize you with the high-level steps involved in setting up Emergency Access Management (EAM)
• Key steps involved in EAM setup include:
  - Identifying the systems where you need Firefighter setup
  - Setting up connections to the target systems from GRC
  - Setting up Firefighter IDs in the target systems
  - Defining owners and reviewers in GRC for EAM
• For the purpose of the lab, we will be using ID-based Firefighter setup
• GRC 10.1 also allows for decentralized firefighting, where firefighting access can be localized to the respective systems
Section 4: Emergency Access Key Points (cont.)
• In GRC 10.1, workflow setup is recommended to be used for:
  - Request and approval of emergency access
  - Reviewing the log of activities performed under a Firefighter ID
• Maintaining master data (approvers, reviewers) is a crucial element in supporting EAM
• Other considerations in EAM setup include:
  - Level of logging in the target systems – This determines the detail in generated logs
  - Plug-in installation – The GRC plug-in should be installed in every ABAP system where firefighting is expected to be performed
  - Firefighter exits – To prevent users from directly logging into target systems, the exits (SAP Notes 1545511 and 1661178) should be implemented at the time of system setup
Section 4: Final Results
• First Emergency Access test completed
• Log in as FF_TRAIN01 and provide a reason
• Successfully connects as FF user to the system (GRC system)
Steps for Section 5: First Access Request
1. Activate BC Sets (User Provisioning)
2. Add Connectors to Firefighting Scenario (PROV)
3. Maintain Configuration Settings
4. Maintain Provisioning Settings
5. Activate MSMP Workflow
6. Import Roles
7. Complete Synchronization
8. Create Access Request
9. Approve Access Request
10. Review Auto Provisioning
Section 5: Access Request Management Key Points
• Section 5 of the lab deals with setting up the User Provisioning component of SAP Access Control
• Key steps involved in ARQ setup include:
  - Identifying the systems where you need provisioning
  - Setting up connections to the target systems from GRC
  - Importing roles in GRC
  - Defining role owners for roles*
  - Defining provisioning settings
• For the purpose of the lab, we will be using role owner approval prior to provisioning
• Provisioning settings are key to successful completion of the workflow
  - They can be set globally or by each connected system
* Only required if role owner approval is required prior to provisioning
Section 5: Access Request Management Key Points (cont.)
• MSMP (Multi-Stage Multi-Path) workflows are the framework on which workflows are built in Access Control 10.1
• Important considerations in ARQ setup include:
  - The number of stages/approvals required to be set up
  - Detour paths for conditions like SOD violations
  - Customizing notification messages
  - Maintaining number ranges
  - Role management setup: this is required in 10.1, as role management acts as the role repository
Section 5: Final Results
• First access request test completed (role added)
• Create a new request (1)
• Approve request (2)
• Verify the completed request (3)
Where to Find More Information
• Main GRC documentation available:
  - Service/Support Marketplace (guides, software downloads, and SAP Notes): http://support.sap.com
  - SAP Online Help: http://help.sap.com/grc-ac or http://help.sap.com/pc
  - GRC Community on SCN: http://scn.sap.com/community/grc
• Documentation is now mostly centered at the SAP AC (http://help.sap.com/grc-ac) and SAP PC (http://help.sap.com/pc) websites, including the GRC products, where links are provided to all documentation, including Master, Installation, Upgrade, Configuration, and Security Guides
• HANA Analytics for GRC (SAP HANA Live): http://help.sap.com/hba
• Good link for SDN documents on GRC: www.sdn.sap.com/irj/scn/articles-grc-all
7 Key Points to Take Home
• Hands-on experience is one of the best ways to learn SAP Access Control setup and configuration
• Understanding the details of post-installation will lead to a successful implementation
• Complete the First Risk Analysis step by step in the lab
• Complete the First Emergency Access step by step in the lab
• Complete the First Access Request step by step in the lab
• Tips and lessons learned from the experts will save time
• Doing it yourself builds knowledge and confidence in the GRC product
Your Turn!
How to contact us:
Kurt Hollis – kuhollis@deloitte.com
Nicole Teibel – nteibel@deloitte.com
Please remember to complete your session evaluation
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Disclaimer
This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2016 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited.