
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.

Hands-On Lab – Part 1: A Beginner’s Guide to the Configuration of SAP Access Control

Kurt Hollis and Nicole Teibel Deloitte


In This Session

• In this hands-on session, gain practical instruction to perform configuration:

Review and perform certain important post-installation steps of GRC 10.1

Technical Post-Installation Tasks for GRC 10.1

Configure the First Risk Analysis

Configure the First Emergency Access

Configure the First Access Request

• All in a newly implemented SAP Access Control 10.1 system

• Expert instructors guide you through key processes and tasks

• Speed up the process of setting up your system while learning important configuration settings based on real customer project knowledge

In This Session (cont.)

• Reviewing the SAP solutions for GRC 10.1 technical overview and architecture

• Taking important post-installation steps, like activating the BC Sets and initializing workflows

• Setting up and customizing your rule set

• Running scheduled jobs for synchronization and risk analysis

What We’ll Cover

• Overview of Lab

• Technical Architecture

• Lab Systems Information

• Implementation Overview

• Lab Section 2 Key Points

• Lab Section 3 Key Points

• Lab Section 4 Key Points

• Lab Section 5 Key Points

• Wrap-up


Lab Timing and Sections

• Wednesday, March 16th 2016, 3:00-6:00 p.m.

Intro/Lab Overview I 15 Minutes (3:00-3:15)

Lab – Part 1 70 Minutes (3:15-4:25)

Short Break 10 Minutes (4:25-4:35)

Lab Overview II 15 minutes (4:35-4:50)

Lab – Part 2 70 Minutes (4:50-6:00)

• Parts 1 and 2 and their assigned sections

Part 1 – Section 1: Lab Overview, Lab Schedule, Lab User Access Information

Part 1 – Section 2: GRC Post-Installation Setup Steps and Verification

Part 1 – Section 3: GRC Risk Analysis Configuration and First Risk Analysis

Part 2 – Section 4: GRC Emergency Access Configuration and First Emergency Access

Part 2 – Section 5: GRC Access Request Configuration and First Access Request

Part I: Lab Details

• Section 1

Lab Overview, Schedule, and Information

• Section 2

Validate the system and implementation (post-installation)

Prepare the GRC system, completing common post steps

• Section 3

Set up risk analysis

Perform first risk analysis

Set up a batch risk analysis job and run

Verify the dashboards


Part II: Lab Details

• Section 4

Set up emergency access

Perform first emergency access

• Section 5

Set up user access provisioning

Perform first user access provisioning


Introduction for Lab Workbook

• Lab workbook hard copy is yours to keep and will serve as a very valuable step-by-step guide for setting up your own GRC systems

• Lab is organized into five sections

Section one covers the details about the lab

Sections 2-5 are the GRC lab content

• The guide is a self-paced, step-by-step format

• 90% of the steps have screen prints to aid you in the work

• Many steps are to verify or view the current settings or configuration (display only)

Done in the interest of saving time

• Some steps require your input or changes

Please pay attention to these steps

• Please do not make random changes to the configuration, or the final results of a running scenario may fail

• Instructors are available if you need help


SAP GRC Suite 10.1 Technical Architecture

Source: SAP Master Guide


Lab System

• Lab system based on SUSE 11.3 Linux Server with MAXDB 7.5 running SAP NetWeaver 7.40, SP13, and GRC 10.1 SP11 (latest version)

• Self-contained system with everything needed to run the lab on one system

• GRC system has GRC for SAP NetWeaver plug-in installed (to itself)

• Conference laptop is running VMware Workstation 10

• GRC system is a VMware-based system (for the lab)



The Lab System Facts

• GRC system for this lab is running locally on laptops and not on a server across network

• We have 40-50 GRC systems running here, one GRC system per laptop

Done to guarantee performance and complete independence from others working on the same system

• The system is strictly yours and not shared

• No outbound connections needed, free from network issues

• Versions of the software below again for reference:

Laptop is running VMware Workstation 10

GRC system running on SUSE Linux 11.3 Server and MAXDB 7.5 database

The GRC system is based on SAP NetWeaver 7.40, SP13

The GRC system is running GRCFND_A 10.1, SP11

The GRC plug-in is installed and is version 10.1, SP13

The SAP GUI is installed and is version 7.40 SP2


Lab System and Source System

• The source system for the lab system is the Lab System itself

• We installed the GRC plug-in into the same system as the GRC system

• Installing the GRC plug-in locally, in the same system as the GRC application, is common and supported

• “ARA” risk analysis is completely possible using the Basis roles to perform SOD analysis in the GRC system

• No ERP roles are used in this scenario, only Basis roles

• “EAM” emergency firefighter access is possible

• User and role provisioning is possible

• We set up the connector to the same system using connector name GRDCLNT200; the RFC destination has the same name

Accessing the Lab System

• SAP System SID is “GRD”

• Client number is 200

• Instance number is 00

• Server host is “ussltcsnl1271”

• Start the SAP GUI

• Launch the GRD LAB system in the SAPGUI

• Log in to client 200 as grctrain1 or grctrain2 with password of “grc2016lab“

Also used for EAM is user “grceamadm”

• Launch transaction “NWBC” for the GRC Web Interface



Installation Planning

• High-level plan to implement GRC Suite 10.1

Step 1 (1 day): Project plan; review guides and SAP Notes for installation; download software. Verify server readiness, O/S and patches, and that users for O/S access to the system are set up.

Step 2 (2 days): SAP technical team installs SAP NetWeaver ABAP 7.40. Installation includes the database system and required patches (new system installation).

Step 3 (0.5 day): Install support packages for SAP NetWeaver (SP01-SP0x).

Step 4 (0.5 day): Install the SAP GRC application and required support packages (GRCFND_A package and SP01-SP0x). See SAP Note 1855403. Use SAINT to install.

Step 5 (0.5 day): Install plug-in components in the SAP ERP back-end system (GRCPIERP, GRCPINW). Use SAINT to install. See SAP Notes 1855404 and 1855405.

Installation Planning (cont.)

• Six to seven days is typical for SAP NetWeaver and GRC installation, but this varies based on skills

• An experienced GRC person can complete it in one week; some tasks can be done in parallel

• In this lab, we are doing parts of steps 6 and 7 in 3 hours!

Step 6 (1 day): Perform all technical post-installation configurations:

• ABAP parameter changes

• Set up clients, activate apps, activate SICF

• Set up STMS, ICM, SSO, SSL

• Licenses, backups, monitoring

Step 7 (1 day): Perform all SAP GRC application (technical-related) post-installation configurations, including activating certain BC Sets (functional-related).

Step 8 (0.5 day): Perform quality checks for the installation and performance considerations.

Step 9 (1 day): Perform go-live checks (SAP) (production systems only).

GRC 10.1 Implementation: Post-Installation Tasks

Post-installation steps for GRC 10.1 AC/PC/RM:

1. Client Setup – Copy Client from 000

2. Activate Applications in Clients

3. Activate Web HTTP using SMICM Services

4. Activate Web HTTP Content using SICF Activation

5. Set up SAP Business Workflow

6. Set up EMAIL using transaction SCOT

7. Set up Parallel Processing for Batch Jobs

8. Activate BC Sets

9. Configure Connections in SPRO to SAP Systems (IMG)

10. Basic Configuration of GRC Background Jobs (part of Section 3)

Covered in Lab Section 2


Steps for Section 2: Post-Installation Setup

1. Log in to the system

2. Verify the client copy is completed

3. Activate applications in client

4. Maintain web services in SMICM (HTTP)

5. STRUST SSO setup

6. New UI5 OData services

7. Test NWBC user interface

8. Workflow setup

9. EMAIL setup (skipped)

10. System connections setup

Using SPRO to Configure the GRC System

• Configuration is done in transaction SPRO (IMG)

Section 2: NWBC Interface for SAP Access Control 10.1

Demo of Section 1, 2, and 3 Important Steps

• Demonstration of a few important steps from Lab Sections 1, 2, and 3


Steps for Section 3: First Risk Analysis

1. Activate BC Sets (rule sets)

2. Generate the rules

3. Maintain configuration settings for ARA

4. Run the synchronization jobs

5. Test risk analysis

6. Run the full batch risk analysis

7. Run the batch risk analysis monitor

8. Run the risk violation dashboards

9. Check the application logs (SLG1)

Section 3: BC Sets Key Points

• Business Configuration (BC) Sets are an official implementation toolset used to simplify the customization process

• Certain BC Sets delivered with GRC suite 10.1 need to be activated

Transaction SCPR20

Perform the activation in the Development “Config” client

Transports will be created

Move these transports up the landscape (and also to other Development clients)

• Errors may occur during the activation (see SAP guide)

BC Sets that begin with GRPC-ATTR-* have errors that can be ignored

These are documented in the SAP Notes and guides

Section 3: BC Sets Key Points (cont.)

• Activation is done using SCPR20

• New rules are loaded using this method

• All initial configuration is loaded with this method (loading is client-specific)

Access Risk Analysis

GRAC_RA_RULESET_COMMON (THIS ONE) – SOD Rule Set

GRAC_RA_RULESET_SAP_BASIS (NO) – SAP Basis Rule Set

GRAC_RA_RULESET_SAP_HR (NO) – SAP HR Rule Set

GRAC_RA_RULESET_SAP_NHR – SAP R/3 less HR Basis Rule Set (not needed)

GRAC_RA_RULESET_SAP_R3 (THIS ONE) – SAP R/3 AC Rule Set

GRAC_RA_RULESET_SAP_SRM (NO) – SAP SRM Rule Set

Specific to Access Request Management

GRAC_ACCESS_REQUEST_REQ_TYPE* – Request Type

GRAC_ACCESS_REQUEST_EUP* – EUP (note: only the value EU ID 999 is valid for this BC set)

GRAC_ACCESS_REQUEST_APPL_MAPPING* – Mapping BRF Function IDs and AC Applications

GRAC_ACCESS_REQUEST_PRIORITY* – Request Priority

Specific to Business Role Management

Section 3: BCSETS — Rule Sets Key Points

• The following rule sets are available via SCPR20. Each rule set is activated and linked into a separate logical group (technical name in brackets):

GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)

GRAC_RA_RULESET_SAP_HR: Rules for HR only (SAP_HR_LG)

GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)

GRAC_RA_RULESET_SAP_BASIS: Rules for Basis (SAP_BAS_LG) (USED IN LAB)

GRAC_RA_RULESET_SAP_APO: Rules for APO (SAP_APO_LG)

GRAC_RA_RULESET_SAP_CRM: Rules for CRM (SAP_CRM_LG)

GRAC_RA_RULESET_SAP_ECCS: Rules for ECCS (SAP_ECC_LG)

GRAC_RA_RULESET_SAP_SRM: Rules for SRM (SAP_SRM_LG)

GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)

GRAC_RA_RULESET_ORACLE: Rules for Oracle Apps (ORACLE_LG)

GRAC_RA_RULESET_PSOFT: Rules for PeopleSoft HRMS (PSOFT_LG)

Section 3: Alternative to Loading Rule Set from BC Sets

• As an alternative to BC Sets, you can also upload rules from SPRO

SPRO > Governance, Risk, and Compliance > Access Control > Access Risk Analysis > SOD Rules > Upload Rules (use the same files as delivered for Access Control 5.3 rule files)

• The nine SOD rule files can be uploaded into the AC 10.1 system using transaction code GRAC_UPLOAD_RULES with the Append/Overwrite option

(Business Process, Function, Function Business Process, Function Actions, Function Permissions, Rule Set, Risk, Risk Description, Risk Rule Set Relationship)

• AC 10.1 SOD action rules can be validated by looking at table GRACACTRULE

• For the other tables related to SOD rules, press F4 in transaction SE16 to see a dropdown of the *GRAC*RUL* tables
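As an added illustration (example code written for this page, not the lab's material or SAP's), the following Python models the relationships the upload files carry and performs what the "Generate the Rules" step of Section 3 does: functions group actions, risks combine two or more functions, rule sets group risks, and generation fans each risk out into action-level rules, the rows you would inspect in GRACACTRULE. It also shows why an Append/Overwrite upload needs a referential check before generation, and runs a user-level analysis against a constructed user. The tab-separated column layout, the function and risk IDs and the role of each column are constructed for the example and are not the SAP AC 5.3 file format.

```python
from itertools import product

# Constructed sample upload data (hypothetical Basis functions and risks).
# Column layout is a simplification for this example, NOT the SAP AC 5.3 file
# format; the real files carry more columns (descriptions, status, permissions).
FUNCTIONS = """\
FUNC\tDESCRIPTION\tBUSINESS_PROCESS
BS01\tUser maintenance\tBASIS
BS02\tRole maintenance\tBASIS
BS03\tTransport administration\tBASIS
"""
FUNCTION_ACTIONS = """\
FUNC\tACTION
BS01\tSU01
BS01\tSU10
BS02\tPFCG
BS03\tSTMS
"""
RISKS = """\
RISK\tRISK_LEVEL\tFUNCS
B001\tHigh\tBS01,BS02
B002\tMedium\tBS02,BS03
"""
RISK_RULE_SET = """\
RULESET\tRISK
GLOBAL\tB001
GLOBAL\tB002
"""


def parse_tsv(text):
    """Parse a header-first tab-separated block into a list of row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def load_rules(functions_tsv, actions_tsv, risks_tsv, ruleset_tsv):
    """Load the files and enforce referential integrity between them.

    Append/Overwrite uploads can leave dangling references (an action for a
    function that no longer exists, a rule set pointing at a deleted risk);
    refuse to generate rules from such a set instead of silently skipping.
    """
    functions = {row["FUNC"]: row for row in parse_tsv(functions_tsv)}
    actions = {}
    for row in parse_tsv(actions_tsv):
        if row["FUNC"] not in functions:
            raise ValueError(f"action {row['ACTION']} refers to unknown function {row['FUNC']}")
        actions.setdefault(row["FUNC"], set()).add(row["ACTION"])
    risks = {}
    for row in parse_tsv(risks_tsv):
        funcs = row["FUNCS"].split(",")
        unknown = [f for f in funcs if f not in functions]
        if unknown or len(funcs) < 2:  # an SOD risk needs two or more known functions
            raise ValueError(f"risk {row['RISK']} is malformed: unknown={unknown}, funcs={funcs}")
        risks[row["RISK"]] = {"level": row["RISK_LEVEL"], "functions": funcs}
    rulesets = {}
    for row in parse_tsv(ruleset_tsv):
        if row["RISK"] not in risks:
            raise ValueError(f"rule set {row['RULESET']} refers to unknown risk {row['RISK']}")
        rulesets.setdefault(row["RULESET"], []).append(row["RISK"])
    return {"functions": functions, "actions": actions, "risks": risks, "rulesets": rulesets}


def generate_action_rules(rules, ruleset):
    """Expand each risk of a rule set into action-level rules.

    One rule per combination of one action from each function in the risk,
    which is why a risk over functions with many actions fans out into many
    rows. A function with no actions contributes nothing, so such a risk yields
    no action rules at all (it would need permission-level rules instead).
    """
    generated = []
    for risk_id in rules["rulesets"][ruleset]:
        funcs = rules["risks"][risk_id]["functions"]
        action_sets = [sorted(rules["actions"].get(f, ())) for f in funcs]
        generated.extend((risk_id, combo) for combo in product(*action_sets))
    return generated


def analyze_user(user_actions, action_rules):
    """User-level risk analysis: a rule fires when the user holds every action in it."""
    held = set(user_actions)
    hits = {}
    for risk_id, combo in action_rules:
        if all(action in held for action in combo):
            hits.setdefault(risk_id, []).append(combo)
    return hits


if __name__ == "__main__":
    loaded = load_rules(FUNCTIONS, FUNCTION_ACTIONS, RISKS, RISK_RULE_SET)
    action_rules = generate_action_rules(loaded, "GLOBAL")
    for risk_id, combo in action_rules:
        print(risk_id, "+".join(combo))
    # Constructed user: holds SU01 and PFCG, so B001 fires; no STMS, so B002 does not.
    print(analyze_user(["SU01", "PFCG", "SE16"], action_rules))
```

The point to carry over to the real system: after an Append upload, check the *GRAC*RUL* tables for orphaned function or risk references before generating, because generation quietly produces no rules for a risk whose functions lost their actions, and the dashboard then reports a clean user who is not.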

Section 2: Key Configuration Settings in SPRO

• Using SPRO (IMG), important settings are made in Access Control Configuration Settings

• Important settings are Default Rule Set, Report Type, Offline Risk Analysis, and the “Ignore” settings

Section 3: Background Jobs for Access Control

• Access Control jobs to be scheduled (ARA):

User/Role/Profile Sync (GRAC_REPOSITORY_OBJECT_SYNC), Full: one time and then hourly to make sure that everything is up to date

User/Role/Profile Sync, Incremental: hourly or daily depending on the number of changes to users, roles, and profiles

User/Role/Profile Batch Risk Analysis (GRAC_BATCH_RISK_ANALYSIS), Full: one time and then monthly (outside of core business hours) to make sure that everything is up to date

User/Role/Profile Batch Risk Analysis, Incremental: daily or weekly depending on the volume of changes

Authorization sync: daily or weekly depending on the volume of changes to the core authorizations in the target system

Action Usage sync: daily

Role Usage sync: daily

• Access Control jobs to be scheduled (SPM):

GRAC_SPM_LOG_SYNC_UPDATE, hourly: generates the EAM activity log

GRAC_SPM_WORKFLOW_SYNC, hourly: compiles the EAM logs together by controller and triggers the log review workflow

Section 3: Background Jobs for Access Control (cont.)

• Schedule jobs for Batch Risk Analysis (ARA)

It is possible to distribute the jobs that are processed in parallel for Access Control and control the number of parallel jobs running

Use RZ12 (1) and SPRO > Set Job Distribution for Parallel Processing (2)

Section 3: Final Results

• First risk analysis successful

• User Risk Analysis – user GRCTRAIN1 risks found

• Ad hoc analysis, foreground

Section 3: Final Results (cont.)

• User Risk Analysis – dashboard

• Results from full batch risk analysis jobs, all users


Steps for Section 4: First Emergency Access

1. Activate BC Sets (emergency access)

2. Add connectors to the firefighting scenario (SUPMG)

3. Maintain configuration settings

4. Maintain criticality levels

5. Create Firefighter IDs in target systems

6. Complete synchronization

7. Define owners and controllers

8. Assign Firefighter IDs to firefighters

9. Access Firefighter ID

10. Run log collection job

11. Access and review firefighter logs

Section 4: Emergency Access Key Points

• The overall objective of this section is to familiarize you with the high-level steps involved in setting up Emergency Access Management (EAM)

• Key steps involved in EAM setup include:

Identifying the systems where you need Firefighter setup

Setting up connections to the target systems from GRC

Setting up Firefighter IDs in the target systems

Defining owners and reviewers in GRC for EAM

• For the purpose of the lab, we will be using ID-based Firefighter setup

• GRC 10.1 also allows for decentralized firefighting, where firefighting access can be localized to the respective systems

Section 4: Emergency Access Key Points (cont.)

• In GRC 10.1, workflow setup is recommended for:

Request and approval of emergency access

Reviewing the log of activities performed under a Firefighter ID

• Maintaining master data (approvers, reviewers) is a crucial element in supporting EAM

• Other considerations in EAM setup include:

Level of logging in the target systems – this determines the detail in the generated logs

Plug-in installation – the GRC plug-in should be installed in every ABAP system where firefighting is expected to be performed

Firefighter logon exits – to prevent users from logging in to target systems directly with a Firefighter ID (bypassing EAM and its logging), the exits (SAP Notes 1545511 and 1661178) should be implemented at the time of system setup

Section 4: Final Results

• First Emergency Access test completed

• Log in as FF_TRAIN01 and provide a reason

• Successfully connects as FF user to the system (GRC system)



Steps for Section 5: First Access Request

1. Activate BC Sets (user provisioning)

2. Add connectors to the provisioning scenario (PROV)

3. Maintain configuration settings

4. Maintain provisioning settings

5. Activate MSMP workflow

6. Import roles

7. Complete synchronization

8. Create access request

9. Approve access request

10. Review auto provisioning

Section 5: Access Request Management Key Points

• Section 5 of the lab deals with setting up the User Provisioning component of SAP Access Control

• Key steps involved in ARQ setup include:

Identifying the systems where you need provisioning

Setting up connections to the target systems from GRC

Importing roles in GRC

Defining role owners for roles (only required if role owner approval is required prior to provisioning)

Defining provisioning settings

• For the purpose of the lab, we will be using role owner approval prior to provisioning

• Provisioning settings are key to successful completion of the workflow; they can be set globally or by each connected system

Section 5: Access Request Management Key Points (cont.)

• MSMP (Multi-Stage Multi-Path) workflows are the framework on which workflows are built in Access Control 10.1

• Important considerations in ARQ setup include:

The number of stages/approvals required to be set up

Detour paths for conditions like SOD violations

Customizing notification messages

Maintaining number ranges

Role management setup – this is required in 10.1, as role management acts as the role repository
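The following Python is an added example, not the lab's MSMP configuration and not SAP code, that models the considerations above in a simplified form: stages strung into paths, an initiator rule that picks a path, a detour path entered when the risk check at a stage finds SOD violations, role owner approval that needs every owner of the requested roles, and provisioning settings resolved per connector with a global fallback. Path, stage, role, owner and user names are hypothetical, the risk analyzer is a stand-in for ARA, and the agent rules "ROLE_OWNER" and "SECURITY" are invented for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Stage:
    name: str
    agent_rule: str           # hypothetical agent rules: "ROLE_OWNER" or "SECURITY"
    risk_check: bool = False  # run risk analysis before the stage may complete


@dataclass
class Request:
    request_id: int
    requester: str
    connector: str
    roles: tuple
    path: str = ""
    stage_idx: int = 0
    status: str = "NEW"
    pending: set = field(default_factory=set)  # approvers still owed at this stage
    log: list = field(default_factory=list)


class MsmpProcess:
    def __init__(self, paths, initiator_rule, detour_path,
                 role_owners, security_team, risk_analyzer, provisioning):
        self.paths = paths                    # path name -> list of Stage
        self.initiator_rule = initiator_rule  # callable(Request) -> path name
        self.detour_path = detour_path
        self.role_owners = role_owners        # role -> owner user ID
        self.security_team = set(security_team)
        self.risk_analyzer = risk_analyzer    # callable(roles) -> list of risk IDs
        self.provisioning = provisioning      # connector or "GLOBAL" -> settings

    def submit(self, req):
        req.status = "PENDING"
        self._enter(req, self.initiator_rule(req), 0)
        return req

    def _enter(self, req, path, idx):
        req.path, req.stage_idx = path, idx
        stage = self.paths[path][idx]
        if stage.agent_rule == "ROLE_OWNER":
            req.pending = {self.role_owners[r] for r in req.roles}
        elif stage.agent_rule == "SECURITY":
            req.pending = set(self.security_team)
        else:
            raise ValueError(f"unknown agent rule {stage.agent_rule}")
        req.log.append(f"{path}/{stage.name}: waiting for {sorted(req.pending)}")

    def approve(self, req, approver):
        if req.status != "PENDING":
            raise ValueError(f"request {req.request_id} is already {req.status}")
        if approver not in req.pending:  # not an agent here, or already acted
            raise PermissionError(f"{approver} may not approve this stage")
        req.pending.discard(approver)
        req.log.append(f"approved by {approver}")
        if req.pending:
            return req  # stage completes only when every owed approver has acted
        stage = self.paths[req.path][req.stage_idx]
        if stage.risk_check and req.path != self.detour_path:
            violations = self.risk_analyzer(req.roles)
            if violations:  # detour: restart on the SOD path, security reviews first
                req.log.append(f"SOD violations {violations}: taking detour")
                self._enter(req, self.detour_path, 0)
                return req
        if req.stage_idx + 1 < len(self.paths[req.path]):
            self._enter(req, req.path, req.stage_idx + 1)
        else:
            self._close(req)
        return req

    def _close(self, req):
        # Provisioning settings: a per-connector entry overrides the global one.
        settings = self.provisioning.get(req.connector, self.provisioning["GLOBAL"])
        req.status = "PROVISIONED" if settings["auto_provision"] else "APPROVED"
        req.log.append(f"closed as {req.status}")


# Constructed configuration: hypothetical paths, roles, owners and users.
PATHS = {
    "ROLE_OWNER_PATH": [Stage("Role owner approval", "ROLE_OWNER", risk_check=True)],
    "SOD_DETOUR": [Stage("Security review", "SECURITY"),
                   Stage("Role owner approval", "ROLE_OWNER")],
}
ROLE_OWNERS = {"Z_BASIS_USER_ADMIN": "owner1", "Z_BASIS_ROLE_ADMIN": "owner2"}


def toy_risk_analysis(roles):
    """Stand-in for ARA: report risk B001 if both Basis admin roles are requested."""
    return ["B001"] if {"Z_BASIS_USER_ADMIN", "Z_BASIS_ROLE_ADMIN"} <= set(roles) else []


def build_process():
    return MsmpProcess(
        PATHS, initiator_rule=lambda req: "ROLE_OWNER_PATH", detour_path="SOD_DETOUR",
        role_owners=ROLE_OWNERS, security_team=["secadmin"], risk_analyzer=toy_risk_analysis,
        provisioning={"GLOBAL": {"auto_provision": False},
                      "GRDCLNT200": {"auto_provision": True}})
```

Two design points carry over to the real configuration: the detour check runs only on the normal path (otherwise a violating request would loop back into the detour forever), and the provisioning outcome is decided by the connector's own setting first, so a connector missing from the settings falls back to the global default rather than to "auto provision".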

Section 5: Final Results

• First access request test completed (role added)

• Create a new request (1)

• Approve request (2)

• Verify the completed request (3)


Where to Find More Information

• Main GRC documentation available

Service/Support Marketplace (guides, software downloads, and SAP Notes) http://support.sap.com

SAP Online Help http://help.sap.com/grc-ac or http://help.sap.com/pc

GRC Community on SCN http://scn.sap.com/community/grc

• Documentation is now mostly centered at the SAP AC http://help.sap.com/grc-ac and SAP PC http://help.sap.com/pc websites, which link to all documentation, including the Master, Installation, Upgrade, Configuration, and Security Guides

• HANA Analytics for GRC (SAP HANA Live) http://help.sap.com/hba

• Good link for SDN documents on GRC www.sdn.sap.com/irj/scn/articles-grc-all

7 Key Points to Take Home

• Hands-on experience is one of the best ways to learn SAP Access Control setup and configuration

• Understanding the details of post-installation will lead to a successful implementation

• Complete the First Risk Analysis step by step in the lab

• Complete the First Emergency Access step by step in the lab

• Complete the First Access Request step by step in the lab

• Tips and lessons learned from the experts will save time

• Doing it yourself builds knowledge and confidence in the GRC product

Your Turn!

How to contact us:

Kurt Hollis – [email protected]

Nicole Teibel – [email protected]

Please remember to complete your session evaluation


SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other

countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a

legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and

its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may

not be available to attest clients under the rules and regulations of public accounting.

This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax,

or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision

or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional

advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2016 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited.

Disclaimer

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2016 Wellesley Information Services. All rights reserved.