Slide 1

GRC 10 Online Traininginfo@keylabstraining.comUSA: +1-908-366-7933India: +91-9550645679Skype : keylabstraining

www.keylabstraining.comAccess Control 10.0: Introduction

Access Control 10.0: IntroductionSAP BusinessObjects Access Control is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, superuser maintenance, and periodic compliance certifications. It delivers immediate visibility of the current risk situation with real-time data.Access Control 10.0 is part of newly released SAP Governance Risk & Compliance (GRC) 10.0 which also comprised of Process control 10.0, Risk Management 10.0 and Global Trade Services. The greatest value in GRC 10.0 is the Harmonization of Access Control, Process Control and Risk management which ultimately results in shared processes, data and user interface with reduction in redundancy.www.keylabstraining.comAccess Control 10.0: Landscape

www.keylabstraining.comwww.keylabstraining.comFront end:The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business ClientThe web browser can be used to access the embedded NWBC or GRC via the NetWeaver PortalThe Adobe flash player 10 is used for displaying dashboards e.g. RM heat mapOverview of SAP BusinessObjects Access Control 10.0SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks note that SAPGUI 7.20 is recommended due to the end-of-maintenance of SAPGUI 7.10The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.

www.keylabstraining.comPortal:The NetWeaver Portal 7.02 can be used optionallyThe GRC Portal Content contains the GRC Portal UI elements to access the GRC suiteThe Portals AS Java can contain an Adobe Document Services instance, in effect Portal and ADS may be shared on one AS Java instanceERP and Non SAP Business Applications:The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-insNW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA)PC relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR relevant functions for AC (former HR RTA)GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERPNon-SAP ERP systems can also be connected via adapters from an SAP Partner company

www.keylabstraining.comBI Content:NetWeaver BW can be used for reporting via the GRC BI ContentThe GRC BI Content is part of BI Content 7.06NetWeaver BW 7.02 is used for the GRC BI Content.Identity Management:AC can be integrated bi-directionally to IdM solutions for provisioning and risk analysisNetWeaver IdM7.2 is required for integrating with AC 10.0

Adobe Document Services:An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms .Although it is technically optional, it is highly recommended for generating PDF reportsThese ADS can be an existing instance and can also be shared with other applicationsThe Portals AS Java can contain an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.

New and Enhanced Features:1) Enhanced Visualization and Streamlined Navigation This enhancement provides a common look and feel with configurable role-based user access for GRC functions from the SAP Portal or SAP NetWeaver Business Client (NWBC). Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (e.g., one inbox, not three) and makes possible sharing of data and functions. Menu items seen by the individual user within each work center is controlled by the users GRC role(s). This also enables data shared across components to be viewed differently by different userswww.keylabstraining.comNew and Enhanced Features: Improved Reporting GRC reporting leverages the Business Suite ABAP List Viewer (ALV) Crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert into Crystal reports. This lowers the TCO and extends the benefits of Crystal without the need for a separate BOE server. It also reduces the time spent by business users on reporting needs. Custom Crystal reports with embedded graphics can also be created easily with Crystal Designer.www.keylabstraining.comSeparation of dutiesSeparation of duties(SoD) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task shall prevent fromfraudanderror. The concept is alternatively called segregation of dutieswww.keylabstraining.com

SoD Risk Management Process Overview SAP has developed a three-phase approach to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management.The process begins by defining the risks, and building and validating rules.

www.keylabstraining.com

SoD Risk Management Process Overview

www.keylabstraining.comwww.keylabstraining.comSegregation of Duties and Critical Actions:In a Sarbanes Oxley Act regulated environment, business need to define their access controls based on segregation of duties (SoD). In some cases, it is challenging to define SoDs because in many cases, processes are shared among business areas. Below are examples of risks in non-segregated duties

www.keylabstraining.comRule Building and Validation :After risk recognition, the second step in Phase One of the SoD Risk Management process is Rule Building and Validation.

www.keylabstraining.com

www.keylabstraining.comRule Building Process:Rules include risks, functions, and business processes. The main components of the rule building process are shown below. Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.

www.keylabstraining.comFunctions:Functions include specific actions commonly used for a job role or set of tasks, for example Maintain General Ledger Master Records or Post Journal Entry. Authorization to perform certain combinations of functions results in a risk.

www.keylabstraining.comRule Structure:Actions and permissions combine to form functions. Functions in certain combinations result in a risk. Risks are associated with business processes and all the components come together to form rules. Rules are collected in a rule set.

Phase Two Overviewwww.keylabstraining.comThe purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risk.Risk AnalysisDuring Risk Analysis, perform a security analysis to identify risks for:Simple rolesComposite rolesUsers

Review the roles to determine how certain personnel might be restricted from performing undesired activities by checking:ObjectsFieldsValues

Phase 2 Figurewww.keylabstraining.com

Risk Remediation Overviewwww.keylabstraining.comThe purpose of the remediation phase is to determine alternatives for eliminating issues in roles. The recommended approach is to resolve issues in the following order:Single rolesThis is the simplest place to startPrevents SoD violations from being reintroducedComposite rolesUsersRisk RemediationUse a simulation to perform a "what if" analysis on the assignment or removal of user actionsUse the Management view or Risk Analysis reports for analysisSecurity Administrators should document the planBusiness Process Owners should be involved and approve the planSimulationSimulation allows you to preview the result of changes to roles and user actions to see if your changes create new risk situations before implementing them Decide whether to add or remove a value

Mitigation Controlswww.keylabstraining.com

Examples of Mitigation Controls

www.keylabstraining.comExamples of Mitigation ControlsReview of strategies and authorization limitsReview of user logsReview of exception reportsDetailed variance analysisEstablish insurance to cover impact of a security incidentTypes of Mitigation ControlsPreventative Controls: minimize the likelihood or impact of a risk before it actually occursDetective Controls: alert when a risk takes place and enable the responsible person to initiate corrective measuresBest Practices

Segregate creation and approval from assignmentUse mitigation as a last resort for exceptions left over from remediation efforts that have legitimate business reasons to not use SoD controls

Continuous Compliancewww.keylabstraining.com

The GRC Architecturewww.keylabstraining.comGRC solutions share a common technology platform and can be installed on a single NetWeaver ABAP system.

GRC Components

www.keylabstraining.com

ComponentsGRC 10.0 runs on AS ABAP 7.02 SP6 or higher. The installation components are broken out as follows:Access Control, Process Control, and Risk Management are contained in one ABAP add-on GRCFND_AGlobal Trade Services resides in a separate add-on SLL-LEG

Nota Fiscal Eletronica has its own add-on SLL-NFEContent Lifecycle Management (CLM) contains functions for transporting GRC business data, for example, Access Control rules or Process Control controls. CLM has the same version requirements as the GRC 10.0 solution and is installed during the GRC installation. CLM can be disabled if not required.GRC customizing is transported using the standard ABAP transport system.

Access Control 10.0 Architecturewww.keylabstraining.comNetWeaver ABAP is the underlying platform

Harmonized with the other GRC 10.0 applicationsLeverages existing NWABAP investments:Role comparison at Action or Permission levelComparison between roles within Access ControlHarmonization with Process Control and Risk Management allows users to leverage master data

Access Control Architecture Componentswww.keylabstraining.comAccess Control constitutes a set of core components:

Access Risk Analysis and Management

Compliance Certification Review

Role Management

Role Mining

Superuser Access Management

Access Control Repository

GRC Common Componentswww.keylabstraining.comAccess Control uses a set of GRC common components as part of the harmonization of the GRC suite. These components are also available to Process Control and Risk Management:

GRC Master Data

Workflow

Reports and Dashboards

NetWeaver Componentswww.keylabstraining.comAccess Control uses ABAP Web Dynpro as the user interface or UI technology.

The GRC solution can be presented to end users by using either NWBC (NetWeaver Business Client) or through the use of SAP Portal.

Configuration for Access Control is executed using the SAP IMG via the SAP GUI, which is common across the GRC suite.

Access Control connects to SAP and non-SAP systems with adapter or IdM systems using the integration framework.

The ABAP database is the common repository for all Access Control data.

www.keylabstraining.com

Security and Authorizationswww.keylabstraining.comYou are planning a solution and must be able to explain object-level security, authorization requirements, and identify delivered roles and security objects.Object-Level Security

Object-Level Security gives you the ability to limit access for end users to what they need to see at a granular level. you can limit access by function, risk, user, or anyother authorization objects available within role maintenance.

www.keylabstraining.comAuthorizationsTo configure the IMG, you need:

PFCG role(s) relative to specific components to be configured

PFCG role(s) sufficient to configure SAP workflow and other non-GRC technologies

PFCG role(s) on GRC and non-GRC systems to set up Continuous Monitoring

To access GRC 10.0 solutions, you must have at least the following:

Portal authorization or NWBC authorization

Applicable PFCG base roles

www.keylabstraining.comPFCG role(s) relative to specific components (AC, PC, RM) to be used

Using Access Control with GRC Solutions

If you use Access Control with other GRC solutions, you can leverage this functionality to:

Manage PFCG roles used with GRC

Create GRC users

Assign GRC PFCG roles to users

Perform SoD analysis for PFCG role authorizations

Assignment of entity-level authorization (via application role assignment) and ticket-based authorization (via substitution or transfer) must be done in the respective component.

Installation www.keylabstraining.comInstallation Prerequisites ServerNetWeaver AS ABAP 7.02 SP6 or higher

Installation Prerequisites Back-endFor ERP systems that will install Access Control Plug-In the following prerequisites must be met:For SAP ERP system 4.6C, the system must be at SAP_BASIS Support Pack 55 For SAP ERP 4.70 system, the system must be at SAP_BASIS Support Pack 63 For ERP 2004 system, the system must be at SAP BasisSupport Pack 18 For ERP 6.0 system, the system must be at SAP_BASIS Support Pack 13 For NetWeaver systems that will install Access Control Plug-In the following prerequisites must be met:For SAP Basis 4.6C, the system must be at SAP_BASIS Support Pack 55 For NW 6.20 system, the system must be at SAP_BASIS Support Pack 63 For NW 6.40 system, the system must be at SAP_BASIS Support Pack 18 For NW 7.00 system, the system must be at SAP_BASIS Support Pack 13 For NW 7.01, the system must be at SAP_BASIS Support Pack 02For NW 7.02, the system must be at SAP_BASIS Support Pack 01 For SAP Basis 710 system, the system must be at SAP_BASIS Support Pack 04

Where to obtain the GRC 10.0 softwarewww.keylabstraining.comhttp://service.sap.com/swdc

Content of the Installation ZIPwww.keylabstraining.com

Access Control Installation Noteswww.keylabstraining.comInstallation NotesSAP Note 1490996: Install SAP GRC Access Control 10.0 on SAP NW 7.02 SAP Note 1500168: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 46C NW SAP Note 1497971: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 620 NW SAP Note 1501882: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 640 NW SAP Note 1500689: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 700 NW SAP Note 1503749:Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 710 NW SAP Note 1500169: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 46C ERP SAP Note 1497972: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 620 ERP SAP Note 1501880: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 640 ERP SAP Note 1500690: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 700 ERP

Installation of Main Components ofAC/PC/RM 10.0www.keylabstraining.comGeneral Steps:1.Main installation components:GRCFND_A2.Download the installation packages from Service Marketplace3.Install with the transaction SAINT4.Follow the detailed instructions from the SAP Note 14909965.Apply the most recent Support Packages

Installation of Plug-In for AC/PC 10.0 on ERPwww.keylabstraining.comGeneral Steps:1.Main installation components:GRCPINWGRCPIERP2.Download the installation packages from SMP3.Install with the transaction SAINT4.Follow the detailed instructions from the SAP Notes 1500689 and 15006905.Apply the necessary Support Packages if there is any

Note: Plug-Ins vary depending on back end ERP system.

Attention:The AC 10.0 plug-ins will upgrade any existing RTA from previous AC releases. This means that any AC instance on running 5.X will stop working after the plug-ins are installed.

GRC 10.0 Post-Installationwww.keylabstraining.com1.Client Copy2.Activating Applications in Client3.Check SAP ICF Services4.Activating BC Sets5.Creating the Initial User in the ABAP System6.Activate Profile of Roles Delivered by SAP7.Activate Common Workflow

Client Copy

www.keylabstraining.comT-code which starts from SCC*

1. Choose Administration --> System administration --> Administration>Client admin.>Client Copy-->Local Copy.2. Select a copy profile.3. Enter the source client.click the tick mark it will take some time ....you can refer the link belowhttp://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/bcctscco.pdf

Activating Applications in Client www.keylabstraining.comCall the customizing with transaction SPROChoose SAP Reference IMGExpand the Governance, Risk and Compliance > General Settings node and choose Activate Applications in Client

Choose New Entries

Activating Applications in Client www.keylabstraining.comClick the first row and select the GRC solution(s) required for your projectThen choose the ActivecheckboxClick SaveNote: you may have to create a transport requestEXAMPLE IS OF GRC PC,YOU MAY NEED AC IF YOU NEED ONLY ACCCESS CONTROL

Check SAP ICF Services

www.keylabstraining.comCall transaction SICFClick the Execute icon

Check SAP ICF Services

www.keylabstraining.comExpand the node default_host-> sap -> publicRight click publicand choose Activate ServiceChoose Activate Service for all sub-nodes

Check SAP ICF Services

www.keylabstraining.comProceed likewise with the node default_host-> sap -> bcActivate all sub-nodes too

Check SAP ICF Services

www.keylabstraining.comNow activate the node default_host-> sap -> grcAlso activate all sub-nodes

Activating BC Sets

www.keylabstraining.comCall transaction SPRO againClick SAP Reference IMGClick Existing BC Sets in the next screen

Activating BC Sets www.keylabstraining.comSelect a BC SetClick BC Sets for Activity

Activating BC Sets www.keylabstraining.comFrom the menu choose Goto >Activation TransactionThese BC sets can also be activated via transaction code SCPR20

Activating BC Sets www.keylabstraining.comActivate the corresponding BC sets.Proceed likewise for all required PC, RM, and/or AC BC setsFor a complete list of BC Sets please refer to the PC/RM/AC install guide!

NOTE:BELOW EXAMPLE IS FOR ACTIVATION ON TIME FRQUENCY FOR GRCPC:PROCESS CONTROL.

Activating BC Sets www.keylabstraining.comWhen activating always use Expert mode

Creating the Initial User in the ABAP System

www.keylabstraining.comCall transaction SU01, create a userAssign following role to access GRC applications, such as ACSAP_GRC_FN_BASE

Assign following power user role to the person doing the customization of the productSAP_GRC_FN_ALL

Assign following role to the business usersSAP_GRC_FN_BUSINESS_USER

Assign following role if you use NWBC as front end UI instead of PortalSAP_GRC_NWBC

Activate Profile of Roles Delivered by SAP

www.keylabstraining.comActivate profile of roles delivered by SAP via transaction PFCG if you want to use them directlyFor the list of the roles, please refer to Security Guide -here is an example of the SAP-GRC-NWBC rolePlease use transaction SUPC for mass profile generation in case you want to generate profiles for multiple roles

Activate Common Workflow

www.keylabstraining.comCall transaction SPROagainClick SAP Reference IMGAccess Workflow node under Governance, Risk and Compliance > General SettingsExecute Perform Automatic Workflow Customizing

Activate Common Workflow Perform Automatic Workflow Customizing www.keylabstraining.comExecute Perform Automatic Workflow CustomizingMake sure that all tasks are green after the generation as show in the screenshotNote: you may have to create a transport requestDuring the activation procedure you might receive an error message, then check the created system user WF-BATCH in SU01 if the user has sufficient roles assigned see SAP Note 1251255and the GRC Security Guide.You may need to run program RHSOBJCH to fix HR control tables

Activate Common Workflow Perform Automatic Workflow Customizing www.keylabstraining.comMaintain the Prefix Numbers to your needs or like shown in the screenshot

Activate Common WorkflowPerform Task-Specific Customizing www.keylabstraining.comExecute PerformTask-Specific CustomizingExpand the GRCnode.Click the Assign Agents link at the right side of the GRCnode.

Note: if no folders are visible below the GRC folder please run report RS_APPL_REFRESH in SE38

Activate Common WorkflowPerform Task-Specific Customizing www.keylabstraining.comAssign Task as General Task via Task Attribute.Make sure all tasks that are not using Background task have been assigned as General Task.

Activate Common WorkflowPerform Task-Specific Customizing www.keylabstraining.comClick Activate event linking

Activate Common WorkflowPerform Task-Specific Customizing www.keylabstraining.comClick the Properties iconSet the Linkage Status to No errors Make sure Event linkage activated is checked.Set Error feedback to Do not change linkageBe sure to activate all WS.

Activate Common WorkflowPerform Task-Specific Customizing www.keylabstraining.comRepeat the first four steps to activate the solutions you need (e.g. for Access Control GRC-AC)Note: task-specific customizing for GRC-AC is notavailable in case you have the GRC plug-ins installed in your GRC system, check the Appendix for perfomingthe customizing in this case

Post-Installation to First Emergency Accesswww.keylabstraining.comRequirementsoAdding connector to SUPMG scenariooCreating users and assigning rolesoVerifying time zonesConfigurationoMaintaining AC ownersoAssigning owners to firefighter IDsoAssigning firefighter IDs and controllers to firefightersoCreating reasons codesStarting an emergency access sessionManaging LogsoRunning log collectionoViewing the firefighter reports

Maintain Configuration Settingswww.keylabstraining.com

Adding connector to SUPMG scenariowww.keylabstraining.comTo create access requests it is required to have the SUPMG scenario linked to the connector, this is done via IMG:

Creating users and assigning roleswww.keylabstraining.comPlease create users and roles as needed. Remember to synchronize again the repository (program GRAC_REPOSITORY_OBJECT_SYNC ). These roles are provided as examples and customer roles need to be created based on their authorizations.In the AC systemRole

Firefighter userSAP_GRAC_SUPER_USER_MGMT_USERFirefightercontrollerSAP_GRAC_SUPER_USER_MGMT_CNTLRFirefighterownerSAP_GRAC_SUPER_USER_MGMT_OWNERIn the target systemRole

Firefighter IDSAP_GRAC_SPM_FFIDIn the AC system the Firefighter ID role is configured in ParamID 4010 (Firefighter ID role name)Reminder: end users will require also the roles based on SAP_GRC_FN_BASEand SAP_GRC_FN_BUSINESS_USER

Verifying time zoneswww.keylabstraining.comFor logs to be properly captured the time zones in the connected ERP systems need to be configured to match the operating system and also the AC server time zone. This is done in IMG under SAP NetWeaverGeneral Settings Time Zones Maintain System Settings

Configurationwww.keylabstraining.comMaintaining AC ownersAssigning owners to firefighter IDsAssigning firefighter IDs and controllers to firefightersCreating reasons codes

Maintaining AC ownerswww.keylabstraining.comGo to NWBC Access Management GRC Role Assignments Access Control Owners and maintain the controllers and owners as shown below:

After this is done it is possible to assign those to FireFighterIDs.

Assigning owners to firefighter IDswww.keylabstraining.comIn Access Management go to SuperuserAssignment and click on Owners. Here owners are assigned to firefighter IDs.

Assigning firefighter IDs and controllers to firefighterswww.keylabstraining.comNow you need to assign firefighter IDs and controllers to users. This is done by going to SuperuserAssignment Firefighter IDs

Note: Multiple firefighter users and controllers can be assigned to a multiple firefighter ID.

Creating reasons codeswww.keylabstraining.comThe reason codes available for firefighter users are maintained under Superuser Maintenance Reason Codes

Starting Emergency Accesswww.keylabstraining.comStarting a firefighter sessionLogin to the AC system using the firefighter user and launch transaction GRAC_SPMYou will be able to connect to the target system using the firefighter IDs previously assigned

Managing Logswww.keylabstraining.comRunning Log CollectionViewing the firefighter reportsRunning log collectionForeground modeThe foreground job for log collection can be executed from the Update Firefighter Log Button which can be found in the following path:Reports And Analytics Super User Management Reports Consolidated Log Report

Running log collectionBackground modewww.keylabstraining.comThe Background Job for Log Collection can be scheduled periodically from SM36 using program GRAC_SPM_LOG_SYNC_UPDATE.

Thank YouKeylabsinfo@keylabstraining.comwww. keylabstraining.comwww.keylabstraining.com