SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com© 2010 SAP AG

Applies to:SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Business Warehouse 7.0

SummaryThis technical how-to document explains how to successfully integrate Access Control into BusinessWarehouse, and contains the necessary prerequisites and step-by-step instructions to connect the twosolutions to be able to receive Access Control data in Business Warehouse.

Author(s): GRC Regional Implementation Group

Company: Governance, Risk and ComplianceSAP BusinessObjects Division

Created on: 02 April 2009

Updated on: 29 March 2010

Version 2.0

How-To Integrate Access Control5.3 and Business Warehouse 7.0

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2010 SAP AG

Document HistoryDocument Version Description

1.00 First official release of this guide

2.00 Update

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2010 SAP AG

Typographic ConventionsType Style Description

Example Text Words or characters quotedfrom the screen. Theseinclude field names, screentitles, pushbuttons labels,menu names, menu paths,and menu options.

Cross-references to otherdocumentation

Example text Emphasized words orphrases in body text, graphictitles, and table titles

Example text File and directory names andtheir paths, messages,names of variables andparameters, source text, andnames of installation,upgrade and database tools.

Example text User entry texts. These arewords or characters that youenter in the system exactly asthey appear in thedocumentation.

<Exampletext>

Variable user entry. Anglebrackets indicate that youreplace these words andcharacters with appropriateentries to make entries in thesystem.

EXAMPLE TEXT Keys on the keyboard, forexample, F2 or ENTER.

IconsIcon Description

Caution

Note or Important

Example

Recommendation or Tip

Table of Contents

1. Business Scenario ..........................................................................................................2

2. Background Information .................................................................................................2

3. Prerequisites....................................................................................................................2

4. Step-by-Step Configuration Procedure ..........................................................................4

4.1 Create Connectivity between Access Control and Business Warehouse System .......4

4.2 Prepare Business Warehouse System .................................................................... 10

4.3 Business Warehouse Content Activation ................................................................. 11

4.4 Post activation tasks ............................................................................................... 22

4.4.1 Access Control 5.3 SP06, SP07 and Higher ................................................ 22

4.4.2 Missing Program Variants ........................................................................... 22

4.4.3 Potential Timestamp Extract Issues ............................................................ 22

4.5 Extraction Process .................................................................................................. 22

5. Known Issues ................................................................................................................ 23

6. Appendix ........................................................................................................................ 25

7. Copyright ....................................................................................................................... 26

1. Business ScenarioThe integration of Access Control (AC) and Business Warehouse (BW) solutions meets the followingobjectives:

You can access and use the data from your AC system to fit into your enterprise reportingstructure of BW

If there is a demand for more reporting functionality than the delivered features in AccessControl, you can use BW to create reports using your AC data

2. Background InformationThis is an overview of the step-by-step configuration provided in this document:

Check all prerequisites

Prepare your systems

Configure your AC 5.3 NetWeaver Application Server Java system

Apply SAP note(s) to your BW system

Create a Universal Data Connect (UDC) from your BW system to your AC system

Install BW Content

Activate the AC specific BW Content in your BW system

After activation perform adjustments specific to your release (details in section 4)

Load data from the AC database into your BW system via UDC

If the system is successfully configured, you will be able to use standard reports and create newreports in BW using the data from your AC system.

This guide will only focus on the steps necessary to configure the integration. For generaldocumentation on BW configuration and reporting refer to Business Process Expert (BPX) or ServiceMarketplace (SMP) websites.

3. PrerequisitesBefore you start, the following prerequisites must be met:

This software release or higher must be installed on the BW system:

Apply SAP note 1229136 before proceeding with the next action.

Create UDC to source system (your AC system) in workbench (RSA1) before BW Content isinstalled

Ensure this BW Content version or higher is installed:

Obtain the following before the configuration:

Logon details for a Service user in the BW system to be accessible from your AC system

System details of BW system (host name, gateway, system number, client)

Access to an administrator’s user ID with authorization to:

o Visual Administrator on the AC system

o Execute transactions SM59 and RSA1 on BW system

JDBC driver of your database (JAR file)

Ensure that a new source system activation on EXISTING BW content 704 SP1 (or higher)installation does not corrupt the already delivered DTP entries in RSBKDTP by following thesesteps.

Check to see if the correct number of DTP entries are present in table RSBKDTP againstthe newly added source system.Perform this check by adding a new source system to BW, then check that the RSBKDTPtable has the correct number of entries for the new system:

o For AC Compliant User Provisioning (CUP): 158

o For AC Risk Analysis and Remediation (RAR): 109

4. Step-by-Step Configuration ProcedureThis section presents the configuration steps, it is important to read the prerequisites and backgroundinformation before you begin.

4.1 Create Connectivity between Access Control andBusiness Warehouse System

These steps should be followed in the order presented to enable the AC Application Server Java tocommunicate with the BW system.

Use the UDC Guide mentioned in the Appendix for more details on the steps....

1. Start J2EE Visual Administrator in the AC system.

2. Goto Services -> Server0 -> “JCo RFC Provider”.

3. Create a new RFC destination as shown in the screenshot using the system details of your BWsystem.Note that the Program ID is freely defined but needs to match with the Program ID specified inthe RFC destination in the BW system in step 4.

4. Create a TCP/IP RFC destination via transaction SM59 in the BW system

a. Make sure you enable the Unicode setting.

b. Test the connection.

5. Go back to the Visual Administrator, then go to Services -> Server0 -> “JDBC Connector”.

6. Add the freely-defined driver name.

7. Choose the JAR file provided by your database vendor.

8. Go to Services -> Server0 -> “Connector Container”.

9. Select “COM.SAP.IP.BI.SDK.DAC.CONNECTOR.JDBC”.

10. Click on “Resource Adapter” and create an entry under “Loader References” with “library:<drivername from step 6>”.

11. Click on the “Managed Connection Factory” tab and then “Properties”.

12. Enter values for (these values are specific for each DB vendor):

a. “DriverName” (The java class driver name)

b. “URL” (URL to your DB including port)

c. “UserName” (DB user)

d. “Password” (DB password)

13. Click on “Save” icon.

14. Test your settings with http://<AC Hostname>:<J2EE Port>/TestJDBC_Web/TestJDBCPage.jsp.

After you click “Select Connection” and choose any one DB table you will see a result page:

4.2 Prepare Business Warehouse SystemBefore you activate BW content, the following steps must be taken to prepare the BW system.

Read the SAP notes in Appendix B....

1. Make sure that the prerequisites for Support Package (SP) levels, as mentioned in theprerequisites section above, are met by the BW system.

2. Apply SAP note 1229136.

3. Go into the workbench of the BW system via transaction RSA1 to create a connector.

o Click on “Modeling” -> “Source Systems” -> “UD Connect”

o Right click on UDC and choose “New”

o Choose the RFC destination you have created earlier

o Define a logical system name such as the system ID of your AC system

o Select “JDBC” for “Type of Connector”

o Select “SDK_JDBC” for “Name of Connector” (This standard name is defined by the J2EEengine)

o Select “SDK_JDBC” for “Source System Name” (This standard name is defined by the J2EEengine)

o Select “GAC000” for “Type and Release” (This name is defined by the BW Content)

4. Install SAP BW Content 7.04 SP1 or higher.

4.3 Business Warehouse Content Activation Read the SAP notes referenced in Appendix B.

This section presents the steps involved to active BW content....

1. Go to transaction RSA1 to enter the Data Warehousing Workbench.

2. Click on “BI Content”.

3. Select your AC system under “General” and the entry under “Self-def’d”.

4. Install the InfoObject Catalog ‘0GRC_AE*’ with Grouping “Only Necessary Objects” andignore any warnings. (“Grouping” / “Install” are selected via drop-down top of right window)

5. Select the InfoProviders associated with InfoAreas ‘0GAE_MD’ and ‘0GRC_AE’ with Grouping “In Flow Before”.

6. Ignore the message: “Object name is mandatory, specify name on Extraction tab”; this is just awarning. After you ignore this message, rerun the activation using “Install”.You may need to run the activation multiple times because of the dependencies of objects.

7. Install Process Chains ‘0GAE*’ with Grouping “Only Necessary Objects”.

8. Verify via transaction RSPC if process chains show up as selected in step 7.

9. Install Role ‘SAP_BW_GRC_AE_ROLE’ and all Queries ‘0GAE*’ under the ‘0GAE*’InfoProviders with Grouping “Only Necessary Objects”.

10. Add characters via transaction RSKC. This will add valid characters to BW. Instead of theindividual characters, we now specify “ALL_CAPITAL” as follows and execute.

11. Install InfoObject Catalogs ‘0GCC_*’ for activation, and click ‘Install’ with Grouping “OnlyNecessary Objects”.

12. Install the 3.x InfoSource ‘80GCC_URP’ for activation, then click ‘Install’ with Grouping “OnlyNecessary Objects”.

13. Install InfoProviders associated with InfoAreas ‘0GCC_*’ with Grouping “in flow before”.Deselect all objects that are not depended on RAR source system objects before clicking“Install”. To deselect those objects:

a. Search for ‘0GCC_MUSR’

b. Right-click the “InfoObject” node from the sub tree and click on “Do not install any below”

c. Repeat step a and b for ‘0GCC_USER’

14. Ignore this message and click the “Continue" icon.

15. Install Process Chains ‘GCC*’ with Grouping “Only Necessary Objects”.

16. Install Role ‘SAP_BW_GRC_CC_ROLE’ and all Queries ‘0GCC*’ under the ‘0GCC*’InfoProvider.

4.4 Post activation tasks

4.4.1 Access Control 5.3 SP06, SP07 and HigherIf you are using AC 5.3 SP06 or higher, then you need to apply SAP note “1319973 - Synchronizing BIContent with GRC-AC SP database changes” and follow the steps provided in the note.

4.4.2 Missing Program VariantsThis is a manual correction where simple steps are followed to create variants for delivered programswhich are referenced in the delivered process chains. These variants are potentially missing prior to BIContent 7.04 SP06. Please follow the instructions from SAP note 1410480.

4.4.3 Potential Timestamp Extract IssuesFollow instructions from note 518241 if extracts yield the following error(s):

S:RSSDK:300 Cannot convert a value of '1970-01-01 18:53:10.0' from typejava.lang.String to TIME at field UPDTIME (or RUNTIME)

S:RSSDK:300 Query execution failed: [-3050] (at 316): Invalid timestamp format:ISOThe note needs to be completely followed to fix above experienced errors which includes:

This note applies to UD Connect as well as DB Connect Section ‘Example with a DATE field‘ in the note should be followed to create a view of the

related DataSource table in the RAR system (this is the only solution to date) The DataSource needs to be updated to refer to the new view Transformation and DTPs associated with the DataSource may need to be reactivated

The following DataSource/RAR Table combinations have experienced this problem on varioussystems but the problem could occur anywhere the type timestamp (TIMS) is used in the RAR table:

0GCC_CRACTVL/VIRSA_CC_CRACTVL 0GCC_RISK_ATTR/VIRSA_CC_RISK 0GCC_ACTUSAGE/VIRSA_CC_ACTUSAGE 0GCC_PRMVL_USER_VIOLS/VIRSA_CC_PRMVL

4.5 Extraction ProcessWhen activating the RAR Process Chains, it may be necessary to run the install step several timesbecause the interdependency between the chains can sometimes cause the activation to fail duringthe chain activation process. This can be monitored in transaction RSPC – “Process ChainMaintenance”.

Process Chain Activation with Function TOUPPER:

To avoid errors according to lower case letters processed during the process chain activation, pleaseuse function TOUPPER to activate the process chains. (See Appendix A for function documentation)

Execute CUP Process chains in the following sequential order:...

1. ’0GAE_MD’

2. ’0GAE_TEXT’

3. ’0GAE_ARCH_TO_CUBE’

4. ’0GAE_TRANSACTION’ (See “Known Issues” section for possible errors)

5. ’0GAE_TRANSACTION_AR’

6. ’0GAE_ANALYTICAL_GENERAL’

Execute RAR Process chains in following sequential order:

1. ’GCC_INITIAL_FULL_LOAD_704’This step is run only one time for initial setup, and may take a full day or longer to completedepending on the volume of existing data.

2. ’GCC_INITIALIZE_DELTA’ (Check Section “Known Issues” for possible errors)This is the recurring job that will run as often as you schedule it, such as daily or weekly, andcontains the delta processing.This job also contains the full master data loads. Therefore reporting should not be performeduntil after the ‘GCC_INITIAL_FULL_LOAD_704’ chain is run and the first run of the‘GCC_INITIALIZE_DELTA’ chain is done.For BW job scheduling, refer to the standard BW documentation.

5. Known IssuesIn some cases, these known issues could appear (issues could also apply to other objects)

Please refer to the referenced SAP notes in section Appendix B.

Make sure AC source system and BW system have languages in sync

Timestamp issues while extracting using UD Connect as per note 518241

Missing program variants as per note 1410480

Following InfoObjects had to be changed to accept lowercase characters:

o ’0GAE_RLPRN’

o ’0GCC_ACT’

Customers have identified objects which contain only ‘#’ or ‘!’ character in long text. This isaddressed in note 1319978

6. Appendix

Appendix A –Other Reference DocumentationHow to Configure UD Connect on the J2EE Server for External Databases (NW2004):

https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/58f4db47-0501-0010-a2bf-ff01b150fdff

Documentation of the delivered BI Content for Access Control:

http://help.sap.com/saphelp_nw70/helpdata/en/f5/ff3eae25a44667800d781670eec16e/frameset.htm

BI Content 7.04 SP05:

http://help.sap.com/saphelp_nw70/helpdata/en/c3/32da2fa4164b8fb93ea3ea1865b5f9/frameset.htm

BW function TOUPPER :

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7e/031f8304dd11d2801d00c04fadbf76/frameset.htm

Appendix B –SAP NotesNote Description

1243085 Available Documentation for GRC Access Control

1229136 70SP19: Incorrect shadow DTP during release upgrade

1319973 Synchronizing BI Content with GRC-AC SP database changes

1319977 Invalid language extraction from GRC-AC RAR sources

1319978 Permitted, Lowercase and Invalid Characters in GRC-AC Cont

1009497 UD Connect: How to update JDBC driver

1260280 GRC AC BI Content 7.04 SP01 Release Notes Documentation

1260279 GRC AC BI Content 7.03 SP10 Release Notes Documentation

1410480 Variants missing for RAR delta deletion programs

518241 DB Connect in BW for an external Oracle database

7. Copyright© 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission ofSAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other softwarevendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner,WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks orregistered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registeredtrademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented byNetscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all overthe world. All other product and service names mentioned are the trademarks of their respective companies. Data contained inthis document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not beliable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are thosethat are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein shouldbe construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, theimplied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damagesthat may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained withinthese materials. SAP has no control over the information that you may access through the use of hot links contained in thesematerials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third partyweb pages.

Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intendedto be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasingrules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not beliable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally orgrossly negligent.