011000358700000334152011 e

SAP KPS: SAP GRC AC 10.0 Business Role Governance Month: 03, 2011SAP GRC Access

Access Control Pre-Implementation Steps From Post-Installation to First Role Creation

© 2011 SAP AG. All rights reserved. 3

Agenda

Introduction to SAP GRC Access Control 10.0SAP Access Control 10.0 ArchitectureSAP Access Control 10.0 Business Role Governance

New Enhancements for Business Role GovernanceSAP Access Control 10.0 Business Role Governance

Access Control Pre-Implementation Steps From Post-Installation to First Role CreationTechnical Configuration & Functional Configuration

Design and Manage Roles

Introduction to SAP GRC Access Control 10.0SAP Access Control 10.0 Architecture Overview


* Crystal Reports Adapter – Needed for viewing GRC Crystal Reports

GRC 10.0 LandscapeTechnical Architecture Overview

SAP NetWeaverAS ABAP 7.02

AC, PC & RM(Software Component:

GRCFND_A)

SAP GRC Suite 10.0

GTS(Software Component:

SLL-LEG)

Nota Fiscal Eletronica(Software Component:

SLL-NFE)

CLM (Software Component:

POASBC)

SAP ERP (4.6C – 7.1)

Non-SAP Business ApplicationsAdapter

NW Function Modules(Plug-in: GRCPINW)

NW Function Modules(Plug-in: GRCPINW)

(Plug-in: GRCPIERP)

HR Function ModulesPC Automated Cntrls

(Plug-in: GRCPIERP) GTS Plug-in

(Plug-in: SLL-PI) GTS Plug-in

(Plug-in: SLL-PI)

SAP NW Portal 7.01

GRC Portal Content

SAP NW BW 7.02BI Content 7.06GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

Optional

Optional

http

RFC

webservices

RFC

Optional

RFC

RFC

DIAGHTTP

RFCSAP NetWeaver 7.02Search/Classification

GRC Search

Recommended for GTS SPL

SAP NW Java 7.01Adobe Document

ServicesAdobe Document

Services

Required for RM and GTS

SAP NetWeaver PI Nota Fiscal Content

Required for Nota Fiscal E.

Optional

SAP GUI7.10

Web Browser

Front End Client

Adobe Flash Player

CRA*

NWBC 3.0

New Enhancements for Business Role Governance

New Enhancements for Business Role GovernanceSAP Access Control 10.0 Business Role Governance

New Features / Changes (Separate Discussions) Certification Provisioning Enhancements Role Mapping SAP Role Maintenance Role Derivation Role Update / Mass Role Derivation CUA Composite Roles Additional Features

Role Management CustomizingSettingsBRF+Workflow Role Owner


10.0 New / Enhanced FeaturesCentral Role Repository for AC

Enhanced Mass Role ImportOption to import directly from the back-end system minimizing manual effortsImproved options for file based importCommon, excel based, import format for all role types

Enhanced Role Maintenance MethodologyEnhanced user experienceAbility to repeat phases in methodology processAbility to update Methodology and Approvers for existing roles

Business Role ManagementDefinition, Risk Analysis, Impact Analysis and ProvisioningUn-limited hierarchy support

CUA Composite Roles

Improved integration with PFCGLeveraging rich features of authorization maintenance in PFCGSegregation of authorization maintenance system from the golden client (development system)

Enhanced Role Search and POWLRole Certification

Enhanced Role Derivation Derivation without Org. levelsAbility to select Org. Value Maps based on range values

Enhanced Mass MaintenanceAbility to update multiple attributes at a timeSupport for enhanced list of attributes for mass updateEnhanced mass update options for Actions (t-codes), Permissions, Org. level valuesAbility to mass synchronize authorizations

Enhanced Role ComparisonAbility to compare multiple roles on multiple back-end systemsAbility to reconcile discrepancies by synchronizing roles to-and-from back-end systems

Enhanced Default Roles

Enhanced Risk AnalysisCommon risk analysis UI and Ability to support multiple rule sets

Enhanced Role Approval Workflow

BAdIs at major integration points

Object Level Security

MiscellaneousWhere-used roles and Assigned Users tabsRole ExistenceRole Generation HistoryRole Export to ExcelAbility to propagate authorizationsAbility to link URLs to test documentation

Introduction to SAP GRC Access Control 10.0SAP Access Control 10.0 Business Role Governance


Business Role Governance

Access Control offers scalable and collaborative business role modeling, supporting both technical and business users. Supports the design of centralized, compliant roles through a robust role governance process.

Collaborative role governance process closes loop between business and technical owners

Enforces segregation of duties from the ground up by starting with clean role definitions

Streamline role definition and management

Optimizes role definition and reduces role redundancy

New centralized business role management with embedded access risk analysis

Enhanced process for mapping technical access authorizations to business functions

New role design and flexible role building workflows, including preventative simulations

New ability to analyze role usage for optimal assignment and to keep role definition up to date

Improved role comparison to detect backend changes provides role consistency, synchronization, and compliance

New process for periodic role certification

Solution Enhancements Key Benefits

Account ExecutiveAccount Executive Business Role

Sales ManagerSales Manager Business Role

Sale Executive / Management Sales Executive / Management Business Role

Territory Sales ExecutiveTerritory Sales Executive Business Role

Inside Sales ExecutiveInside Sales Executive Business Role

Territory Sales ManagerTerritory Sales Manager Business Role

Senior Sales ManagementSenior Sales Management Business Role

Business ChampionBusiness Champion Business Role

Senior Sales ManagementSenior Sales Management Business Role

Services Account Manager Services Account Manager Business Role

Enablement ExecutiveEnablement Executive Business Role

Solution Sales Engagement ManagerSolution Sales Engagement Manager Business Role

Inside Sales Executive – ServicesInside Sales Executive – Services Business Role

Inside Sales Executive – EducationInside Sales Executive – Education Business Role

Services Sales Manager Services Sales Manager Business Role

Education Manager Education Manager Business Role

Services Key User / Power UserServices Key User / Power User Business Role

CRM Key UserCRM Key User Business Role

Non-Sales Executive / ManagementNon-Sales Executive Business Role

Board MemberBoard Member Business Role

Business Role Examples


ContentsAdding Connector to Work Area ScenarioAssociate Actions and Assign Default Connectors for Access ControlActivate the BC SetsVerifying Default Configuration ParametersConfigure Role ManagementCustomize the Role AttributesAssigning Roles and Maintaining AC OwnersCreate Role Approval WorkflowCreating the First Role

Optional: Create the BRF+ FunctionDefine the Methodology Process and Steps Additional TasksSynchronizing Users, Roles

Access Control Pre-Implementation Steps From Post-Installation to First Role Creation

Adding Connector to Work Area and Assign Default


Adding Connector to Work Area Scenario

For Role Management it's required to have the ROLMG, AUTH and PROV WorkAreas linked to the Connector. This is done via the IMG


Assigning Connector to Connector Groups

Define Connectors, define Connector Groups, then select the Logical Group and go to “Assign Connectors to Connector Groups” to link a System

Associate Actions and Assign Default Connectors for Access Control 10.0


Associate Actions and Assign Default Connectors for Access Control

o Adding Connector to Work Area Scenarioo Associate Actions and Assign Default Connectors for Access Controlo Activate the BC Setso Verifying Default Configuration Parameterso Customize the Role Attributeso Assigning Roles and Maintaining AC Ownerso Create Role Approval Workflowo Creating the First Role

o Optional: o Create the BRF+ Functiono Define the Methodology Process and Steps o Additional Taskso Synchronizing Users, Roles

Create connector group and activate the groupAssign actions to connectors in connector groups and assign a default connector for each action

Associate Actions and Assign Default Connectors for Access Control

Activate the BC Sets


Activate the BC Sets

Rule Sets are enabled using BC Sets via Transaction Code: SCPR20It’s required, up-front, to enable BC Sets.

It’s described in the GRC 10.0 Post-Installation Deck

GRAC_ROLE_MGMT_LANDSCAPEGRAC_ROLE_MGMT_METHODOLOGYGRAC_ROLE_MGMT_PRE_REQ_TYPEGRAC_ROLE_MGMT_ROLE_STATUSGRAC_ROLE_MGMT_SENTIVITY

Verifying Default Configuration Parameters

Verifying Default Configuration Parameters

Please check that Configuration Parameters, which are related to Role Management, are properly set according to Company’s requirements*

* It’s not necessary to maintain Parameters

Configure Role Management


Role Management Configuration: Introduction

Navigate to IMG by executing SPRO; click on ‘SAP Reference IMG’Navigate to ‘Governance Risk and Compliance > Access Control > Role Management’


Role Management Configuration: Maintain Labels for Role Types

Role Type Description and Language can be maintained

Role type description and language can be maintained


Role Management Configuration: Specify Maximum Length for Role Type

Define the maximum length for the Role Type per Application Type


Role Management Configuration: Specify Naming Conventions (1 of 2)

Role Naming Conventions for all Role Types can be maintained for new Roles

Create Naming Convention


Role Management Configuration: Specify Naming Conventions (2 of 2)

Role Naming Conventions for all Role Types can be maintained for new Roles

Maintain Naming Convention format and position


Role Management Configuration: Maintain Project and Product Release Name

Role Project and Product Release Name can be maintained and used to specify the Role


Role Management Configuration: Define Role Sensitivity

Role Sensitivity can be maintained and used as a Role Attribute


Configure Role Management

Maintain Role Type Settings

Activate Role Types (mandatory)

Maintain Role Types (optional)

Define the maximum length for the Role Types per Application

Activate role types (mandatory)

Maintain role types (optional)

S1

S1 Replace the placeholders with the name of the new or enhanced feature or task and a bulleted list of the functionality provided by that feature or task. Include a description of which users or roles will be change.Tip, 12/06/2009

Customize the Role Attributes


Defining Business / Sub-Processes (mandatory)

Specifying Naming Convention (optional)

Defining Role AttributesMaintain Project Release (mandatory) Role Sensitivity (optional)Critical Level (optional)Companies (optional)Functional Areas (optional)Prerequisite Types (optional)

• Creating Organizational Value Mapping (optional)

Customize the Role Attributes

Assigning Roles and Maintaining Access Control Owners


Creating Users and Assigning Roles

The responsible person for Role Content needs to be created with their respective Roles in the AC System. Please Note: The Roles listed below are provided as examples and Customer Roles should be created based on their authorizations for end-users

In the AC System RolesUser who is Role Owner SAP_GRAC_ROLE_MGMT_ROLE_OWNER

SAP_GRC_FN_BASESAP_GRC_FN_BUSINESS_USER


Maintaining AC Owners

After this is done, it’s now possible to assign ‘Owners to Roles’.

Create Role Approval Workflow

Create Role Approval Workflow

A default Workflow Process can be used to easily set-up the Approval Workflow for the Role Content

Select the Workflow Process: SAP_GRAC_ROLE_APPR

Create Role Approval Workflow (Default)

Maintain the Agent ID GRAC_ROLE_APPROVER and the Task SettingsSave and activate the Workflow

Creating the First Role


Creating the First Role

Now, we should be prepared to create a Role

Go to Access Management Work-Center and select Role Maintenance

Customize the Methodology Process (Optional)and Create the BRF+ Function (Optional)


The customizing steps for “BRF+ Rule Creation” and “Methodology Process Definition” are not necessary when using the default Methodology Process for all Roles

Customize the Methodology Process (optional)


Create the BRF+ Function (optional)

Run the program GRAC_GENERATE_ERM_BRFRULE to create the BRF+ Application and Function

S6

Define the Decision Table for the Methodology Process

Create the BRF+ Function (optional)


Define the Methodology Process and Steps (optional)

Create the different Methodology Processes and include the Required Steps

S7


Assign the BRF+ Rule to the Methodology Process (optional)

Assign BRF+ Condition Group ID to the Methodology Process ID

Assign BRF+ Application Name and the BRF+ Function Name to the Condition Group “METHODOLOGY”

S8

Additional Tasks: Synchronizing Users and Roles (Optional)


Additional Tasks: Synchronizing Users and Roles (optional)

Note: Run this in “Full Sync Mode“ for the first, initial synchronization. Later synchronizations can be done in “Incremental Mode” and should be run periodically to keep the AC System updated

Synchronize the Users and Roles from the back-end System into AC to see the assigned Users in the Role Management and the status of the RolesUse Transaction Code SE38; Programs GRAC_ROLEREP_USER_SYNC and GRAC_ROLEREP_ROLE_SYNC


References

SAP Community NetworkSDN/BPX: www.sdn.sap.com/irj/bpxGRC Forum: http://forums.sdn.sap.com/index.jspaE-Learning: http://www.sdn.sap.com/irj/scn/grc-elearningSAP: www.sap.com/usa/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx

GRC Helphttp://help.sap.com SAP Business User GRC Solutions

RKThttps://service.sap.com/RKT

Email [email protected]


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun MicroSystems, Inc.

JavaScript is a registered trademark of Sun MicroSystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

© 2011 SAP AG. All rights reserved

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.


Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden.

Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten auch anderer Softwarehersteller enthalten.

Microsoft, Windows, Excel, Outlook, und PowerPoint sind eingetragene Marken der Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli und Informix sind Marken oder eingetragene Marken der IBM Corporation.

Linux ist eine eingetragene Marke von Linus Torvalds in den USA und anderen Ländern.

Adobe, das Adobe-Logo, Acrobat, PostScript und Reader sind Marken oder eingetragene Marken von Adobe Systems Incorporated in den USA und/oder anderen Ländern.

Oracle ist eine eingetragene Marke der Oracle Corporation.

UNIX, X/Open, OSF/1 und Motif sind eingetragene Marken der Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame und MultiWin sind Marken oder eingetragene Marken von Citrix Systems, Inc.

HTML, XML, XHTML und W3C sind Marken oder eingetragene Marken des W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

© 2011 SAP AG. Alle Rechte vorbehalten.

Java ist eine eingetragene Marke von Sun MicroSystems, Inc.

JavaScript ist eine eingetragene Marke der Sun MicroSystems, Inc., verwendet unter der Lizenz der von Netscape entwickelten und implementierten Technologie. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork und weitere im Text erwähnte SAP-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und anderen Ländern.

Business Objects und das Business-Objects-Logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius und andere im Text erwähnte Business-Objects-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken der Business Objects Software Ltd. Business Objects ist ein Unternehmen der SAP AG.

Sybase und Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere und weitere im Text erwähnte Sybase-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken der Sybase Inc. Sybase ist ein Unternehmen der SAP AG.

Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen Firmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu Informationszwecken. Produkte können länderspezifische Unterschiede aufweisen.

Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, nur mit ausdrücklicher schriftlicher Genehmigung durch SAP AG gestattet.

011000358700000334152011 e

Documents

party web

maintaining

configure

role management

db2 universal

access control

assign default

role naming