ac10 maint config settings


Page 1: AC10 Maint Config Settings

© 2011 SAP AG

Applies to: SAP® BusinessObjects™ Access Control 10.0 SP05

Summary: This guide contains additional information about the parameters used when configuring the access control application. The information covers the configuration parameters available as of SP05.

Created: August 2011

Version 1.0

Maintaining Configuration Settings in Access Control

Document History

Version Description

1.00 Initial release

Typographic Conventions

Type Style Description

Example Text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation

Example text Emphasized words or phrases in body text, graphic titles, and table titles

Example text File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon Description

Caution

Note or Important

Example

Recommendation or Tip


Table of Contents

1. Maintain Configuration Settings .....................................................................................1

1.1 Standard Settings .....................................................................................................1

1.2 Activities ...................................................................................................................6

1.3 Details of Configuration Parameters ..........................................................................6

2. Copyright ....................................................................................................................... 52

Page 5: AC10 Maint Config Settings

Maintaining Configuration Settings in Access Control 10.0

August 2011 1

1. Maintain Configuration Settings

This document covers the use of the Customizing activity Maintain Configuration Settings under Governance, Risks, and Compliance > Access Control.

In this Customizing activity, you maintain the global configuration settings and parameters used in the access control application.

The activity includes settings for the following parameter groups:

01 Change Log

02 Mitigation

03 Risk Analysis

04 Risk Analysis - Spool

05 Workflow

06 Superuser Management

07 UAR Review

08 Performance

09 Risk Analysis - Access Request

10 Role Management

11 Risk Analysis - Risk Terminator

12 Access Request Role Selection

13 Access Request Default Roles

14 Access Request Role Mapping

15 SOD Review

17 Assignment Expiry

18 Access Request Training Verification

19 Authorizations

Note: The numbering is part of the parameter group name. In the above list, number 16 is not used.

1.1 Standard Settings

The following table lists the delivered parameters and default values.

Note: Values labeled as <empty> have no default value.

Parameter Group  Parameter ID  Description  Default Value

Change Log 1001 Enable Function Change Log YES

Change Log 1002 Enable Risk Change Log YES

Change Log 1003 Enable Organization Rule Log YES

Change Log 1004 Enable Supplementary Rule Log YES

Change Log 1005 Enable Critical Role Log YES

Change Log 1006 Enable Critical Profile Log YES

Change Log 1007 Enable Rule Set Change Log YES

Change Log 1008 Enable Role Change Log YES

Mitigation 1011 Default expiration time for mitigating control assignments (in days) 365


Mitigation 1012 Consider Rule ID also for mitigation assignment NO

Mitigation 1013 Consider System for mitigation assignment NO

Risk Analysis 1021 Consider Org Rules for other applications NO

Risk Analysis 1022 Allow object IDs for this connector to be case sensitive <empty>

Risk Analysis 1023 Default report type for risk analysis 2

Risk Analysis 1024 Default risk level for risk analysis 3

Risk Analysis 1025 Default rule set for risk analysis <empty>

Risk Analysis 1026 Default user type for risk analysis A

Risk Analysis 1027 Enable Offline Risk Analysis NO

Risk Analysis 1028 Include Expired Users NO

Risk Analysis 1029 Include Locked Users NO

Risk Analysis 1030 Include Mitigated Risks NO

Risk Analysis 1031 Ignore Critical Roles and Profiles YES

Risk Analysis 1032 Include Reference user when doing user analysis YES

Risk Analysis 1033 Include Role/Profile Mitigating Controls in Risk Analysis YES

Risk Analysis 1034 Max number of objects in a package for parallel processing 100

Risk Analysis 1035 Send e-mail notification to the monitor of the updated mitigated object YES

Risk Analysis 1036 Show all objects in Risk Analysis NO

Risk Analysis 1037 Use SoD Supplementary Table for Analysis YES

Risk Analysis 1046 Extended objects enabled connector <empty>

Risk Analysis - Spool 1051 Max number of objects in a file or database record 200000

Risk Analysis - Spool 1052 Spool File Location <empty>

Risk Analysis - Spool 1053 Spool Type D

Workflow 1061 Mitigating Control Maintenance NO

Workflow 1062 Mitigation Assignment NO

Workflow 1063 Risk Maintenance NO

Workflow 1064 Function Maintenance NO

Risk Analysis - Access Request 1071 Enable risk analysis on form submission NO

Risk Analysis - Access Request 1072 Mitigation of critical risk required before approving the request NO

Risk Analysis - Risk Terminator 1080 Connector enabled for Risk Terminator <empty>

Risk Analysis - Risk Terminator 1081 Enable Risk Terminator for PFCG Role Generation NO

Risk Analysis - Risk Terminator 1082 Enable Risk Terminator for PFCG User Assignment NO

Risk Analysis - Risk Terminator 1083 Enable Risk Terminator for SU01 Role Assignment NO

Risk Analysis - Risk Terminator 1084 Enable Risk Terminator for SU10 multiple User Assignment NO

Risk Analysis - Risk Terminator 1085 Stop role generation if violations exist NO

Risk Analysis - Risk Terminator 1086 Comments are required in case of violations NO

Risk Analysis - Risk Terminator 1087 Send Notification in case of violations NO

Risk Analysis - Risk Terminator 1088 Default report type for Risk Terminator 2

Authorizations 1100 Enable authorization logging NO

Workflow 1101 Create Request for Risk Approval 12

Workflow 1102 Update Request for Risk Approval 13

Workflow 1103 Delete Request for Risk Approval 14

Workflow 1104 Create Request for Function Approval 15

Workflow 1105 Update Request for Function Approval 16

Workflow 1106 Delete Request for Function Approval 17

Workflow 1107 Create Request for Mitigation Assignment Approval 18

Workflow 1108 Update Request for Mitigation Assignment Approval 19

Workflow 1109 Delete Request for Mitigation Assignment Approval 20

Workflow 1110 High 2

Workflow 1111 High 3

Workflow 1112 High 4

Workflow 1113 Access Control E-mail Sender WF-BATCH

Performance 1120 Batch size for Batch Risk Analysis 1000

Performance 1121 Batch size for User Sync 1000

Performance 1122 Batch size for Role Sync 1000

Performance 1123 Batch size for Profile Sync 1000

UAR Review 2004 Request Type for UAR <empty>

UAR Review 2005 Default Priority 005


UAR Review 2006 Who are the reviewers? MANAGER

UAR Review 2007 Admin. review required before sending tasks to reviewers YES

Access Request Default Roles 2009 Consider Default Roles YES

Access Request Default Roles 2010 Request type for default roles <empty>

Access Request Default Roles 2011 Default Role Level <empty>

Access Request Default Roles 2012 Role Attributes <empty>

Access Request Default Roles 2013 Request Attributes <empty>

Access Request Role Mapping 2014 Enable Role Mapping YES

Access Request Role Mapping 2015 Applicable to Role Removals YES

SOD Review 2016 Request Type for SoD <empty>

SOD Review 2017 Default priority for SoD <empty>

SOD Review 2018 Who are the reviewers? MANAGER

SOD Review 2019 Admin. review required before sending tasks to reviewers YES

SOD Review 2023 Is actual removal of role allowed? YES

Access Request Training Verification 2024 Training and verification <empty>

Access Request Role Selection 2031 Allow All Roles for Approver YES

Access Request Role Selection 2032 Approver Role Restriction Attribute <empty>

Access Request Role Selection 2033 Allow All Roles for Requestor YES

Access Request Role Selection 2034 Requestor Role Restriction Attribute <empty>

Access Request Role Selection 2035 Allow Role Comments YES

Access Request Role Selection 2036 Role Comments Mandatory YES

Access Request Role Selection 2037 Display expired roles for existing roles YES

Access Request Role Selection 2038 Auto Approve Roles without Approvers YES

Access Request Role Selection 2039 Search Role by Transactions from Backend System NO

Assignment Expiry 2041 Duration for assignment expiry in Days <empty>


Performance 2050 Enable Realtime LDAP Search for Access Request User NO

Performance 2051 Enable User ID Validation in Access Request Against Search Data Sources NO

Role Management 3000 Default Business Process <empty>

Role Management 3001 Default Subprocess <empty>

Role Management 3002 Default Criticality Level <empty>

Role Management 3003 Default Project Release <empty>

Role Management 3004 Default Role Status <empty>

Role Management 3006 Allow add functions to an authorization YES

Role Management 3007 Allow editing organizational level values for derived roles NO

Role Management 3008 A ticket number is required after authorization data changes YES

Role Management 3009 Allow Role Deletion from back-end system YES

Role Management 3010 Allow attaching files to the role definition YES

Role Management 3011 Conduct Risk Analysis before Role Generation YES

Role Management 3012 Allow Role Generation on Multiple Systems NO

Role Management 3013 Use logged-on user credentials for role generation NO

Role Management 3014 Allow role generation with Permission Level violations NO

Role Management 3015 Allow role generation with Critical Permission violations NO

Role Management 3016 Allow role generation with Action Level violations NO

Role Management 3017 Allow role generation with Critical Action violations NO

Role Management 3018 Allow role generation with Critical Role/Profile violations NO

Role Management 3019 Overwrite individual role Risk Analysis results for Mass Risk Analysis NO

Role Management 3020 Role certification reminder notification 10

Role Management 3021 Directory for mass role import server files <empty>

Workflow 3022 Request Type for Role Approval 21

Workflow 3023 Priority for Role Approval 5


Workflow 3024 Enforce methodology process for derived roles during generation YES

Superuser Management 4000 Application Type 1

Superuser Management 4001 Default Firefighter Validity Period (in days) <empty>

Superuser Management 4002 Send E-mail Immediately YES

Superuser Management 4003 Retrieve Change Log YES

Superuser Management 4004 Retrieve System Log YES

Superuser Management 4005 Retrieve Audit Log YES

Superuser Management 4006 Retrieve O/S Command Log YES

Superuser Management 4007 Send Log Report Execution Notification Immediately YES

Superuser Management 4008 Send FirefightId Logon Notification YES

Superuser Management 4009 Log Report Execution Notification YES

Superuser Management 4010 Firefighter ID Role Name ZSAP_GRAC_SMP_FFID
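As an added example that is not part of this SAP guide, the following Python script parses rows written in the layout of the table above and compares an exported set of current parameter values against a reviewer's hardening baseline. The baseline values, the subset of parameters covered, the row-format assumption and the sample export are all choices of this example and not SAP recommendations; a parameter absent from the export is treated as carrying its delivered default, which is likewise an assumption of the script.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Row layout assumed by this example, matching the plain-text table above:
# "<Parameter Group> <4-digit Parameter ID> <Description> <Value>"
ROW_RE = re.compile(r"^(?P<group>.+?)\s+(?P<pid>\d{4})\s+(?P<desc>.+?)\s+(?P<value>\S+)$")


@dataclass(frozen=True)
class Setting:
    group: str
    pid: str
    desc: str
    value: str


def parse_settings(text: str) -> Dict[str, Setting]:
    """Parse table rows into a dict keyed by parameter ID; blank or non-matching lines are skipped."""
    settings: Dict[str, Setting] = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            s = Setting(**m.groupdict())
            settings[s.pid] = s
    return settings


# Delivered defaults for a subset of control-relevant parameters, copied from the table above.
DELIVERED = parse_settings("""
Change Log 1001 Enable Function Change Log YES
Change Log 1008 Enable Role Change Log YES
Risk Analysis - Access Request 1071 Enable risk analysis on form submission NO
Authorizations 1100 Enable authorization logging NO
Role Management 3011 Conduct Risk Analysis before Role Generation YES
Role Management 3013 Use logged-on user credentials for role generation NO
Role Management 3014 Allow role generation with Permission Level violations NO
Role Management 3018 Allow role generation with Critical Role/Profile violations NO
Superuser Management 4005 Retrieve Audit Log YES
""")

# Illustrative hardening baseline: the value a reviewer expects for each parameter.
# These choices are an assumption of this example, not an SAP recommendation.
BASELINE: Dict[str, str] = {
    "1001": "YES", "1008": "YES", "1071": "YES", "1100": "YES",
    "3011": "YES", "3013": "NO", "3014": "NO", "3018": "NO", "4005": "YES",
}

Finding = Tuple[str, str, str, str]  # (parameter ID, description, expected, actual)


def check_against_baseline(current: Dict[str, Setting],
                           baseline: Dict[str, str] = BASELINE,
                           delivered: Dict[str, Setting] = DELIVERED) -> List[Finding]:
    """Compare exported values with the baseline. A parameter that is absent from the
    export is assumed to carry its delivered default (assumption of this example)."""
    findings: List[Finding] = []
    for pid in sorted(baseline):
        expected = baseline[pid]
        setting = current.get(pid, delivered.get(pid))
        if setting is None:
            findings.append((pid, "<unknown parameter>", expected, "<not found>"))
            continue
        if setting.value.upper() != expected.upper():
            findings.append((pid, setting.desc, expected, setting.value))
    return findings


def format_findings(findings: List[Finding]) -> str:
    """Render findings one per line for a review report."""
    if not findings:
        return "no deviations from baseline"
    return "\n".join(f"{pid} {desc}: expected {exp}, found {act}"
                     for pid, desc, exp, act in findings)


# Constructed export of a system's current entries (sample data, not from a real system).
SAMPLE_EXPORT = """
Change Log 1001 Enable Function Change Log YES
Role Management 3014 Allow role generation with Permission Level violations YES
Authorizations 1100 Enable authorization logging NO
"""

if __name__ == "__main__":
    print(format_findings(check_against_baseline(parse_settings(SAMPLE_EXPORT))))
```

Running the script on the sample export reports three deviations: 1071 is absent and therefore falls back to its delivered NO, 1100 is explicitly NO, and 3014 has been switched to YES. Keeping the delivered defaults in the comparison is what makes silently missing entries visible, since a parameter that was never maintained looks identical to one deliberately left at its default.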

1.2 Activities

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.

2. In the Parameter ID column, select a parameter ID for use with the parameter group. The short description appears on the right-hand side.

3. Select a Parameter Value from the dropdown list, or enter values in the field.

4. In the Priority field, enter a number for the priority.

5. Choose Save.

1.3 Details of Configuration Parameters

The information in this section explains the configuration parameters in further detail. The table is formatted and ordered to match the table displayed in the actual Customizing activity. For each parameter, the table includes information about the purpose of the parameter, the available option values, and screenshots to provide context about how the parameter affects the application.


Note: The application provides a standard set of work centers, however, your system administrator can customize them according to your company’s corporate processes and structures. Additionally, Access Control is available both as a standalone application and as part of the GRC 10.0 application. Depending on the GRC applications you have licensed, different areas of the access control application are displayed. The navigation paths included in this document and in the screenshots may differ from yours.

# Parameter Group Parameter ID Description Default Value

1 Change Log 1001 Enable Function Change Log YES

Set to YES to display the Change History tab on the Function screen.

2 Change Log 1002 Enable Risk Change Log YES

Set to YES to display the Change History tab on the Access Risk screen.

3 Change Log 1003 Enable Organization Rule Log YES

Set to YES to display the Change History tab on the Organization Rules screen.

4 Change Log 1004 Enable Supplementary Rule Log YES

Set to YES to display the Change History tab on the Supplementary Rules screen.

5 Change Log 1005 Enable Critical Role Log YES

Set to YES to display the Change History tab on the Critical Role screen.

6 Change Log 1006 Enable Critical Profile Log YES

Set to YES to display the Change History tab on the Critical Profile screen.

7 Change Log 1007 Enable Rule Set Change Log YES

Set to YES to display the Change History tab on the Rule Sets screen.

8 Change Log 1008 Enable Role Change Log YES

Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

9 Mitigation 1011 Default expiration time for mitigating control assignments (in days) 365

The default quantity of days you are allowed to mitigate any object (selection on service map). You can overwrite this quantity in the Valid To field.

10 Mitigation 1012 Consider Rule ID also for mitigation assignment NO

By default the application includes all rules when it mitigates the access risk. Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.

11 Mitigation 1013 Consider System for mitigation assignment NO

Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

12 Risk Analysis 1021 Consider Org Rules for other applications NO

Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.

13 Risk Analysis 1022 Allow object IDs for this connector to be case sensitive <empty>

On the Risk Analysis screen you can perform risk analysis. You specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive. In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.

Note: To enter more than one system or connector, enter additional instances of the parameter.

14 Risk Analysis 1023 Default report type for risk analysis 2

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the type of report that is selected by default. Note: In the value cell, press F4 to display the available types, such as Permission Level, and so on.

Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.

15 Risk Analysis 1024 Default risk level for risk analysis 3

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the Risk Level that is selected by default.

16 Risk Analysis 1025 Default rule set for risk analysis <empty>

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the Rule Set that is selected by default.

17 Risk Analysis 1026 Default user type for risk analysis A

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the User Type that is selected by default.

18 Risk Analysis 1027 Enable Offline Risk Analysis NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. Set the parameter value to YES to include Offline Data in risk analysis by default. On the Risk Analysis screen the Offline Data checkbox is automatically selected.

19 Risk Analysis 1028 Include Expired Users NO

Set to YES to include expired users from plug-in systems for risk analysis.

20 Risk Analysis 1029 Include Locked Users NO

Set to YES to include locked users from plug-in systems for risk analysis.

21 Risk Analysis 1030 Include Mitigated Risks NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to each. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected.

22 Risk Analysis 1031 Ignore Critical Roles and Profiles YES

Set the value to YES to exclude critical roles and profiles for risk analysis.

23 Risk Analysis 1032 Include Reference user when doing user analysis YES

Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

24 Risk Analysis 1033 Include Role/Profile Mitigating Controls in Risk Analysis YES

Set the value to YES to include the mitigating controls assigned to the user’s roles and profiles for risk analysis.

25 Risk Analysis 1034 Maximum number of objects in a package for parallel processing 100

The application uses this parameter together with the Number of Tasks specified in the Customizing activity Distribute Jobs for Parallel Processing to determine how the objects are distributed across the jobs.

For example, if there are 10,000 users to analyze and this value is 100, the application creates 100 packages of 100 users each. Each package is submitted to a separate background process that is made available to the application through the application group. If, for instance, three background processes are available to GRAC_SOD, the 100 packages are submitted to those processes one at a time: three packages initially, then one further package to each process as it completes the package it is executing.

Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, then the application ignores the parameter in this setting and uses the value 2 instead.
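The package arithmetic of the example above, carried through as an added illustration in Python that is not part of this SAP guide. It assumes that the note on rdisp/wp_no_btc means the number of concurrently usable background work processes is capped at that profile value, and that equal-sized packages are handed out round-robin because each takes about the same time; both are modelling assumptions of this example, not statements from the guide.

```python
import math
from typing import Dict, List, Optional


def package_count(n_objects: int, package_size: int) -> int:
    """Packages needed when n_objects are split into packages of at most package_size
    (the value of parameter 1034)."""
    if package_size <= 0:
        raise ValueError("package size must be positive")
    return math.ceil(n_objects / package_size)


def package_sizes(n_objects: int, package_size: int) -> List[int]:
    """Size of every package; only the last one can be smaller than package_size."""
    n_pkg = package_count(n_objects, package_size)
    return [min(package_size, n_objects - i * package_size) for i in range(n_pkg)]


def effective_processes(n_tasks: int, wp_no_btc: Optional[int] = None) -> int:
    """Background processes the application can actually use: the Number of Tasks from
    Distribute Jobs for Parallel Processing, capped by rdisp/wp_no_btc when that RZ10
    value is lower. Treating the profile value as a cap is this example's reading of
    the note above (an assumption)."""
    if n_tasks <= 0:
        raise ValueError("number of tasks must be positive")
    if wp_no_btc is None:
        return n_tasks
    return max(1, min(n_tasks, wp_no_btc))


def schedule(n_objects: int, package_size: int, n_tasks: int,
             wp_no_btc: Optional[int] = None) -> Dict[int, List[int]]:
    """Simulate dispatch: one package per process to start, then the next package goes
    to whichever process finishes first. Equal-sized packages take equal time, so the
    result is round-robin (modelling assumption). Returns {process_no: [package_no, ...]}."""
    n_pkg = package_count(n_objects, package_size)
    procs = effective_processes(n_tasks, wp_no_btc)
    assignment: Dict[int, List[int]] = {p: [] for p in range(1, procs + 1)}
    for pkg in range(1, n_pkg + 1):
        assignment[(pkg - 1) % procs + 1].append(pkg)
    return assignment


def dispatch_rounds(n_objects: int, package_size: int, n_tasks: int,
                    wp_no_btc: Optional[int] = None) -> int:
    """Number of dispatch rounds; each round runs up to `procs` packages concurrently."""
    n_pkg = package_count(n_objects, package_size)
    procs = effective_processes(n_tasks, wp_no_btc)
    return math.ceil(n_pkg / procs)


if __name__ == "__main__":
    # The guide's worked case: 10,000 users, package size 100, three processes for GRAC_SOD.
    plan = schedule(10_000, 100, 3)
    for proc, pkgs in plan.items():
        print(f"process {proc}: {len(pkgs)} packages, first {pkgs[:3]}")
    print("rounds:", dispatch_rounds(10_000, 100, 3))
    # Same run when rdisp/wp_no_btc = 2 caps the usable background processes.
    print("rounds with wp_no_btc=2:", dispatch_rounds(10_000, 100, 3, wp_no_btc=2))
```

With three processes the 100 packages run in 34 rounds (process 1 takes packages 1, 4, 7, ... and ends up with 34 of them); lowering the profile cap to 2 stretches the same workload to 50 rounds, which is the effect a reviewer should expect when the RZ10 value is smaller than the configured number of tasks.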

26 Risk Analysis 1035 Send e-mail notification to the monitor of the updated mitigated object YES

Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object is updated, such as the user/role.

27 Risk Analysis 1036 Show all objects in Risk Analysis NO

Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default. The objects that do not have violations are displayed with the Action: No Violations. Note: This setting applies to SoD Batch Risk Analysis.

28 Risk Analysis 1037 Use SoD Supplementary Table for Analysis YES

Set value to YES to use supplementary rules for SoD risk analysis.

29 Risk Analysis 1046 Extended objects enabled connector <empty>

Extended objects are objects from non-SAP systems. This parameter allows you to specify the connectors for non-SAP systems. The connectors can have object lengths greater than SAP objects. For example, SAP User ID length is 12, but the extended object length may be 50. Note: You can set multiple connectors by adding multiple instances of the parameter.

30 Risk Analysis - Spool 1051 Max number of objects in a file or database record 200000

You can use this parameter to specify the maximum number of analytics data objects the application stores. If parameter 1053 is set to F, the value is the maximum number of objects stored in the file. If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table. Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table. Prerequisite: You have configured parameters 1052 and 1053.

31 Risk Analysis - Spool 1052 Spool File Location <empty>

You can specify the file location where the application stores the analytics data, such as \\<ip_address>\public\SoD\. Note: This parameter is only valid if parameter 1053 is set to F. Prerequisite: You have configured parameter 1053.

32 Risk Analysis - Spool 1053 Spool Type D

You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control, such as ad hoc SoD violations. Set the value to F to store the data on the file system (you set the file location in parameter 1052). Set the value to D to store the data in the GRACSODREPDATA table. Note: You see the intermediate results while risk analysis is running. This gives you an opportunity to see whether the desired records are created and to choose to stop or cancel the job. If you change the location type (such as from D to F) in mid-course, the report still reads the previously generated files or database records. Index tables keep track of the source of the records when the data was generated. If you cancel the job before the report is finished, you can still read the data up to the point at which the files or database records were created.


Workflow 1061 Mitigating Control Maintenance NO

The application allows users to create and change mitigating controls. Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action. Note: On the Mitigating Control screen, the Create button is replaced by a Submit button. You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver. Figure B below shows you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).

Figure A

Figure B

34 Workflow 1062 Mitigation Assignment NO

The application allows users to mitigate risks for objects (user, role, profile, and so on). Set the value to YES to require the application to send an approval workflow item to the mitigating control approver. The screen displays a Submit button. Note: You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Set the value to NO and the users can mitigate risks without approval. The screen displays a Save button.

35 Workflow 1063 Risk Maintenance NO

The application allows users to create and modify risks. Set the value to YES to require the application to send an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button. Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Set the value to NO and then users can create and modify risks without approval. The screen displays a Save button.

36 Workflow 1064 Function Maintenance NO

The application allows users to create and change functions. Set the value to YES to require the application send an approval workflow item to the specified workflow agent for approval when functions are created or modified. Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

37 Risk Analysis - Access Request 1071 Enable risk analysis on form submission NO

The application automatically performs risk analysis when the requestor submits the request. Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens.

38 Risk Analysis - Access Request 1072 Mitigation of critical risk required before approving the request NO

Set the value to YES to require mitigation of Risks that are of the type Critical Access.

39 Risk Analysis - Risk Terminator 1080 Connector enabled for Risk Terminator <empty>

Enter the name of the connector in the value field to enable it for risk terminator. You can enter multiple values by entering multiple instances of the parameter, as follows:

Note: The Plug-in Connector is maintained in parameter 1000. The GRC Connector is maintained in parameter 1001.

Page 30: AC10 Maint Config Settings

Maintaining Configuration Settings in Access Control 10.0

August 2011 26

# Parameter Group Parameter ID Description Default Value

40 Risk Analysis - Risk Terminator 1081 Enable Risk Terminator for PFCG

Role Generation NO Set to YES to trigger the risk terminator service for PFCG Role Generation. The Risk Terminator service is a tool that resides in the back end SAP ABAP system and notifies you when a risk violation occurs.

41 Risk Analysis - Risk Terminator 1082 Enable Risk Terminator for PFCG

User Assignment NO

Set to YES to trigger the risk terminator service for PFCG User Assignment.

42 Risk Analysis - Risk Terminator 1083 Enable Risk Terminator for SU01

Role Assignment NO

Set to YES to trigger the risk terminator service for SU01 Role Assignment.

43 Risk Analysis - Risk Terminator 1084 Enable Risk Terminator for SU10

multiple User Assignment NO

Set to YES to trigger the risk terminator service for SU10 Multiple User Assignment.

44 Risk Analysis - Risk Terminator 1085 Stop role generation if violations

exist NO

Set to YES the risk terminator service stops generating roles if violations exist.

45 Risk Analysis - Risk Terminator 1086 Comments are required in case of violations (Default: NO)

Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment.

46 Risk Analysis - Risk Terminator 1087 Send Notification in case of violations (Default: NO)

Set the value to YES to have the application send e-mail notifications to the role owner when violations occur.

47 Risk Analysis - Risk Terminator 1088 Default report type for Risk Terminator (Default: 2)

Select the default report type the Risk Terminator service uses to report SoD violations. Use F4 help to display the available report types.

48 Authorizations 1100 Enable the authorization logging (Default: NO)

If set to YES, the application logs every occurrence of insufficient authorization on the GRC system in the application log (transaction SLG1), for example when an owner tries to perform an action and lacks the necessary authorization. Enable this when troubleshooting the authorizations of GRC users; with the default NO, such failures leave no trace in SLG1.

49 Workflow 1101 Create Request for Risk Approval (Default: 12)

Use F4 help and choose the request type the workflow uses to create requests for risk approval. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. The request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR.


50 Workflow 1102 Update Request for Risk Approval (Default: 13)

Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

51 Workflow 1103 Delete Request for Risk Approval (Default: 14)

Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

52 Workflow 1104 Create Request for Function Approval (Default: 15)

Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

53 Workflow 1105 Update Request for Function Approval (Default: 16)

Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

54 Workflow 1106 Delete Request for Function Approval (Default: 17)

Use F4 help and choose the request type the workflow uses to delete requests for function approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

55 Workflow 1107 Create Request for Mitigation Assignment Approval (Default: 18)

Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

56 Workflow 1108 Update Request for Mitigation Assignment Approval (Default: 19)

Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

57 Workflow 1109 Delete Request for Mitigation Assignment Approval (Default: 20)

Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID; you maintain request types as described for parameter 1101.

58 Workflow 1110 Default priority for creating and updating Risks (Default: priority High, ID 2)

You use this parameter to set the default workflow request priority for creating and updating risks. Use F4 help to display the list of available priorities. You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning; priorities for risk approval are assigned to the MSMP process ID SAP_GRAC_RISK_APPR.


59 Workflow 1111 Default priority for creating and updating Functions (Default: priority High, ID 3)

You use this parameter to set the default workflow request priority for creating and updating functions. Use F4 help to display the list of available priorities. You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning; priorities for function approval are assigned to the MSMP process ID SAP_GRAC_FUNC_APPR.

60 Workflow 1112 Default priority for Mitigation Control Assignments (Default: priority High, ID 4)

You use this parameter to set the default workflow request priority for mitigation control assignments. Use F4 help to display the list of available priorities. You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning; priorities for mitigation control assignment are assigned to the MSMP process ID SAP_GRAC_CONTROL_ASGN.

61 Workflow 1113 Access Control E-mail sender (Default: WF-BATCH)

The application sends workflow e-mails to approvers from the e-mail address maintained for this user in SU01. See the Access Control 10.0 Security Guide for the authorizations the WF-BATCH user requires.

62 Performance 1120 Batch size for Batch Risk Analysis (Default: 1000)

The application uses this value as the batch size when performing batch risk analysis. (See parameter 1121 for an example of how batches are formed.)

63 Performance 1121 Batch size for User sync (Default: 1000)

The application uses this value as the batch size when synchronizing users to the GRC AC Repository. For example, with a batch size of 1000 and 10,000 users, the application divides the total (10,000) by the batch size (1000) and processes the job in 10 batches covering users 1 to 1000, 1001 to 2000, and so on. Each batch is processed in its entirety before the next one starts. To synchronize users to the GRC AC Repository, use the Customizing activity Repository Object Sync under Governance, Risks, and Compliance > Access Control > Synchronization Jobs.

64 Performance 1122 Batch size for Role sync (Default: 1000)

The application uses this value as the batch size when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

65 Performance 1123 Batch size for Profile sync (Default: 1000)

The application uses this value as the batch size when synchronizing profiles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.


66 UAR Review 2004 Request Type for UAR (Default: <empty>)

Use F4 help to select the request type for user access review (UAR) requests; all request types defined for the MSMP process ID SAP_GRAC_USER_ACCESS_REVIEW are offered. This value ties UAR requests to the correct workflow in MSMP.

67 UAR Review 2005 Default Priority (Default: 005)

You use this parameter to set the default priority for user access review requests. Use F4 help to display the priorities available for UAR requests. You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning; priorities for UAR review are assigned to the MSMP process ID SAP_GRAC_USER_ACCESS_REVIEW. In the guide's example, priority IDs 10, 22, 24, and 36 are the ones assigned to UAR Review.


68 UAR Review 2006 Who are the reviewers? (Default: MANAGER)

Select either Manager or Role Owner as the reviewer type for user access review requests. The application creates a review workflow for the selected type: managers receive review requests grouped by USER, and role owners receive review requests grouped by ROLE.


69 UAR Review 2007 Admin. review required before sending tasks to reviewers (Default: YES)

Set the value to YES to require that a user assigned the access request administrator role (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) reviews the request before the workflow sends it to the reviewers selected by parameter 2006.

70 Access Request Default Roles 2009 Consider Default Roles (Default: YES)

If set to YES, the application automatically adds the relevant default roles to the access request. Prerequisite: you have maintained parameters 2011, 2012, and 2013 as needed. In the guide's example, the value of the attribute Functional Area maps to a default role, so the application adds that role to the request.


71 Access Request Default Roles 2010 Request type for default roles (Default: <empty>)

Enter the request types for which the default-role functionality applies; the application adds default roles only to requests of these types. Enter multiple request types by adding additional instances of the parameter. Use F4 help to display the available request types. You maintain the list of request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. See also parameters 2009, 2011, 2012, and 2013.

72 Access Request Default Roles 2011 Default Role Level (Default: <empty>)

Select which attribute type the application uses to determine the relevant default roles:

Role - The application uses the role attributes to determine the relevant default roles and adds them at the time the user adds roles to the request. That is, the user does see the added default roles while creating the request. You define the relevant role attributes in parameter 2012.

Request - The application uses the request attributes to determine the relevant default roles and adds them when the request is displayed to the approver. That is, the user does not see the added default roles while creating the request. You define the relevant request attributes in parameter 2013.

Example with the value set to Request: the manager receives a request with the default role z_user_admin already added, because Functional Area is a relevant request attribute.

Example with the value set to Role: on the request screen, the application shows the default roles as Existing and adds them to the request.


See also parameters 2009, 2010, 2012, and 2013.

73 Access Request Default Roles 2012 Role Attributes (Default: <empty>)

Enter the role attributes the application considers for default role attribute mapping. These are used instead of, not together with, the request attributes maintained in parameter 2013; which set applies depends on the level selected in parameter 2011. You can add multiple role attributes by adding additional instances of the parameter.

See also parameters 2009, 2010, 2011, and 2013.


74 Access Request Default Roles 2013 Request Attributes (Default: <empty>)

Enter the request attributes the application considers for default role attribute mapping. These are used instead of, not together with, the role attributes maintained in parameter 2012; which set applies depends on the level selected in parameter 2011. You can add multiple request attributes by adding additional instances of the parameter.

See also parameters 2009, 2010, 2011, and 2012.
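The interplay of parameters 2009 to 2013 is easier to see as code. The following is an added example, not code from the SAP guide or the product; it models the rules described above. The attribute-to-role mapping, the dict layout of requests and roles, the list form of the multi-instance parameters 2010/2012/2013, and the treatment of an empty 2010 as "all request types" are assumptions made for the example.

```python
"""Added example (not SAP code): how parameters 2009-2013 decide which
default roles are attached to an access request.

Assumptions the guide does not state: the attribute-to-role mapping is a
dict keyed by (attribute name, attribute value); requests and roles are
plain dicts of attribute values; parameter values are the strings shown in
the guide ("YES"/"NO", "Role"/"Request"); the multi-instance parameters
2010, 2012 and 2013 are lists; an empty 2010 means every request type.
"""

# Constructed sample mapping: (attribute, value) -> default role names.
DEFAULT_ROLE_MAP = {
    ("FUNCTIONAL_AREA", "HR"): ["Z_USER_ADMIN", "Z_HR_DISPLAY"],
    ("BUSINESS_PROCESS", "FIN"): ["Z_FIN_BASE"],
}


def resolve_default_roles(params, request, requested_roles, role_map=DEFAULT_ROLE_MAP):
    """Return (default_roles, visible_to_requestor).

    params: {parameter id: value}; request: attribute values plus
    'request_type'; requested_roles: list of {'name': ..., <role attrs>}.
    """
    if params.get(2009, "NO").upper() != "YES":
        return [], False                        # 2009: feature switched off
    allowed_types = params.get(2010, [])
    if allowed_types and request.get("request_type") not in allowed_types:
        return [], False                        # 2010: request type out of scope

    level = params.get(2011, "")
    found = []
    if level == "Request":
        # 2013: request attributes. Roles are added when the approver opens
        # the request, so the requestor never sees them on the request screen.
        for attr in params.get(2013, []):
            found.extend(role_map.get((attr, request.get(attr)), []))
        visible_to_requestor = False
    elif level == "Role":
        # 2012: attributes of each requested role. Added as the requestor
        # adds roles, so they are visible while the request is created.
        for role in requested_roles:
            for attr in params.get(2012, []):
                found.extend(role_map.get((attr, role.get(attr)), []))
        visible_to_requestor = True
    else:
        return [], False                        # 2011 not maintained

    # Drop duplicates and roles the requestor already put on the request.
    already = {r["name"] for r in requested_roles}
    unique = []
    for name in found:
        if name not in already and name not in unique:
            unique.append(name)
    return unique, visible_to_requestor
```

The second return value is the practical difference between the two levels: with Request-level mapping the requestor cannot see, and therefore cannot remove, the default roles, which only the approver sees.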

75 Access Request Role Mapping 2014 Enable Role Mapping (Default: YES)

The application allows you to map roles to a parent role as child roles. Anyone who is assigned the parent role is then also assigned the authorizations and access of the child roles. Set the parameter to YES to enable this functionality; the role mappings apply to provisioning access requests.

Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent role and ignore any approvers associated with the child roles.

In the guide's example, the user requests the role BS_BS_123 of system GF1->GO7, and the mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the mapped role from the request.

Note: The Source System dropdown list shows the systems of the landscape you chose on the Detail tab.

76 Access Request Role Mapping 2015 Applicable to Role Removals (Default: YES)

Set the value to YES to include mapped roles in requests for role removal. For example, if a user creates a request to remove a role assigned to them, and the role has mapped roles, the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request.

77 SOD Review 2016 Request Type for SoD (Default: <empty>)

Use F4 help and select the request type used when SoD review requests are created. You maintain the list of request types in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning; the request type is assigned to the MSMP process ID SAP_GRAC_SOD_RISK_REVIEW.


78 SOD Review 2017 Default priority for SoD (Default: <empty>)

Use F4 help and select the default priority used for SoD review requests. You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning; the priority is assigned to the MSMP process ID SAP_GRAC_SOD_RISK_REVIEW.

79 SOD Review 2018 Who are the reviewers? (Default: MANAGER)

Select either Manager or Risk Owner as the reviewer type for SoD review requests. The application creates a review workflow for the selected type: managers receive review requests grouped by USER, and risk owners receive review requests grouped by RISK.

80 SOD Review 2019 Admin. review required before sending tasks to reviewers (Default: YES)

Set the value to YES to require that a user assigned the access request administrator role (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) reviews the request before the workflow sends it to the reviewers selected by parameter 2018.

81 SOD Review 2023 Is actual removal of role allowed (Default: YES)

You use this parameter to configure whether reviewers of SoD risks may remove the roles associated with an SoD risk themselves or may only propose their removal. Note that the table lists YES as the default, while the description below identifies NO as the default and recommended setting; check the value in your system rather than relying on the delivered default.

Set value as NO: This is the recommended setting. On the SoD Review screen, the application displays the Propose Removal button. Reviewers can only propose the removal of roles associated with an SoD risk violation. The workflow then goes to the security administrator, who can view the source of the risk before deciding whether or not to remove the role.

Set value as YES: This setting is not recommended. On the SoD Review screen, the application displays the Remove Role button, which lets the reviewer delete roles directly without approval by the security administrator. Warning: Reviewers cannot see the source of the risk, so they may delete roles that are still needed.


82 Access Request Training Verification 2024 Training and verification (Default: <empty>)

The application allows you to require that users complete specific training courses before it provisions specific roles to them. You enable this functionality by:

1. Setting training requirements on the roles (see Example 1 below).

2. Configuring the MSMP routing rule.

3. Configuring the data source systems used to verify whether the training requirements are completed.

Example 1: The user requests a role that has a TRAINING prerequisite, and Verify on Request is set to Yes. The application does not allow the user to submit the request until all the prerequisites are met.

The application has a routing rule for training and verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). The routing rule checks this parameter to determine the data source used to verify whether the user has completed the training required for the roles being requested. If the required training for a role is not completed, the application does not provision the role and instead sends the request along the detour routing path.

Leave the value field empty to disable the function; the workflow then takes no routing path. Set the value to BAdI and the application uses the specified BAdI to perform the verification. Set the value to WS and the application uses the specified web service to perform the verification.

You specify the prerequisite system in the connector configuration. To configure the connectors, use the Customizing activity Maintain Connectors and Connector Types under Governance, Risk, and Compliance > Common Component Settings > Integration Framework. The connector must be of type WS and associated with a logical port, which you can define in transaction SOAMANAGER.

Prerequisite: You have implemented the BAdI or web service (WS) as needed.

Note: You configure the routing in the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

83 Access Request Role Selection 2031 Allow All Roles for Approver (Default: YES)

The application allows approvers to add roles to access requests while reviewing them. Set the value to YES to allow approvers to view and select all roles. Set the value to NO to restrict the roles approvers can view and select; you specify the restriction criteria in parameter 2032.


84 Access Request Role Selection 2032 Approver Role Restriction Attribute (Default: <empty>)

The application allows approvers to add roles to access requests while reviewing them. This parameter restricts the roles approvers can view and select:

A - Restrict on Role Approver. Approvers can view and select only those roles for which they are the role approver.

B - Restrict on Business Process. Approvers can view and add only roles whose business process attribute matches the one on the request.

F - Restrict on Functional Area. Approvers can view and add only roles whose functional area attribute matches the one on the request.

Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the application ignores the restrictions specified here. You can add multiple restriction values by adding additional instances of the parameter.

85 Access Request Role Selection 2033 Allow All Roles for Requestor (Default: YES)

Set the value to YES to allow the user to view all roles when creating a request. Set the value to NO to restrict the roles the user can view; you specify the restriction criteria in parameter 2034.


86 Access Request Role Selection 2034 Requestor Role Restriction Attribute (Default: <empty>)

This parameter restricts the roles shown during access request creation to those whose attributes match the requestor's attributes:

B - Restrict on Business Process. The application displays only the roles that match the requestor's business process attribute.

F - Restrict on Functional Area. The application displays only the roles that match the requestor's functional area attribute.

Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If parameter 2033 is set to YES, the application ignores the restrictions specified here. You can add multiple restriction values by adding additional instances of the parameter.
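The visibility rules of parameters 2031/2032 and 2033/2034, written out as a filter, make the "allow all overrides the restriction" behaviour and the narrower value set of 2034 explicit. This is an added example, not code from the SAP guide or the product. It assumes role attribute names (approver, business_process, functional_area), a dict of the requestor's own attributes, and that several maintained restriction codes must all hold for a role to be shown; the guide does not say how multiple codes combine, so that last point is an assumption.

```python
"""Added example (not SAP code): the role-visibility rules of parameters
2031/2032 (approver) and 2033/2034 (requestor) as a filter over a role list.

Assumptions not stated in the guide: roles carry the attributes 'approver',
'business_process' and 'functional_area'; a requestor's own attributes are
given as a dict; when several restriction codes are maintained, a role must
satisfy every one of them; no maintained code means nothing is filtered.
"""

# Constructed sample role catalogue.
ROLES = [
    {"name": "Z_FI_AP_CLERK", "approver": "JSMITH",
     "business_process": "FIN", "functional_area": "AP"},
    {"name": "Z_FI_GL_DISPLAY", "approver": "JSMITH",
     "business_process": "FIN", "functional_area": "GL"},
    {"name": "Z_HR_PAYROLL", "approver": "ALEE",
     "business_process": "HR", "functional_area": "PY"},
]


def _matches(role, code, attrs, approver):
    """attrs: business_process / functional_area values of the request (for
    approvers) or of the requestor (for requestors)."""
    if code == "A":
        return role["approver"] == approver
    if code == "B":
        return role["business_process"] == attrs.get("business_process")
    if code == "F":
        return role["functional_area"] == attrs.get("functional_area")
    raise ValueError(f"unknown restriction code {code!r}")


def roles_for_approver(params, roles, request_attrs, approver):
    """Roles an approver may add to a request (parameters 2031 and 2032)."""
    if params.get(2031, "YES").upper() == "YES":
        return [r["name"] for r in roles]            # 2032 is ignored
    codes = params.get(2032, [])
    return [r["name"] for r in roles
            if all(_matches(r, c, request_attrs, approver) for c in codes)]


def roles_for_requestor(params, roles, requestor_attrs):
    """Roles a requestor sees when creating a request (2033 and 2034)."""
    if params.get(2033, "YES").upper() == "YES":
        return [r["name"] for r in roles]            # 2034 is ignored
    codes = params.get(2034, [])
    if any(c not in ("B", "F") for c in codes):
        # The requestor side has no 'A': a requestor is not a role approver.
        raise ValueError("2034 accepts only B (business process) or F (functional area)")
    return [r["name"] for r in roles
            if all(_matches(r, c, requestor_attrs, None) for c in codes)]
```

Note the fail-open path: with 2031 or 2033 left at the delivered YES, whatever is maintained in 2032 or 2034 has no effect, so a restriction that looks configured may not be enforced.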

87 Access Request Role Selection 2035 Allow Role Comments (Default: YES)

Set the value to YES to allow the user to enter role comments when creating access requests.

88 Access Request Role Selection 2036 Role Comments Mandatory (Default: YES)

Set the value to YES to require role comments when creating access requests. Note: This is a global setting and applies to all roles included on requests; mandatory comments can also be configured at the individual role level. Prerequisite: Parameter 2035 must be set to YES.


89 Access Request Role Selection 2037 Display expired roles for existing roles (Default: YES)

Set the value to YES to include roles whose user assignment has expired when the user chooses the Existing Assignment button on the access request.

90 Access Request Role Selection 2038 Auto Approve Roles without Approvers (Default: YES)

Set the value to YES to allow the application to automatically approve access requests for roles that have no role owner. Before relying on the default YES, make sure every role that grants sensitive access has an owner maintained; otherwise a request for it is approved without any human review.

91 Access Request Role Selection 2039 Search Role by Transactions from Backend System (Default: NO)

Set the value to NO to have users search for roles using the role information in the GRC AC Repository. Set the value to YES to let users search for roles by transaction on a specific back-end system in real time. This has the following effects:

- It adds the Transaction from Backend System criterion to the Select Roles screen.

- It makes the System criterion mandatory.

- It fetches role information from the specified system in real time, which may affect performance.


92 Assignment Expiry 2041 Duration for assignment expiry in Days (Default: <empty>)

On the My Profile and Existing Assignment screens, the application displays a Status field for each role. Roles that are about to expire display the status Expiring. You use this parameter to specify the time frame (in days) within which the application shows the status as Expiring. In the guide's example the value is 45, so the My Profile and Existing Assignment screens show the status Expiring for all roles assigned to the user that expire within 1 to 45 days.

93 Performance 2050 Enable Realtime LDAP Search for Access Request User (Default: NO)

If set to YES, the application searches for the access request user on the specified LDAP source in real time. Prerequisite: You have specified the data source as LDAP; otherwise the application ignores this parameter. Note: Because the search is performed in real time, it affects performance.

94 Workflow 2051 Enable User ID Validation in Access Request against Search Data Sources (Default: NO)

If set to YES, the application validates that the user ID exists in the specified source system. If the user does not exist, the application does not allow the request to continue. The validation is performed when you choose Submit or press Enter.


95 Role Management 3000 Default Business Process (Default: <empty>)

Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available business processes. You maintain the list of business processes in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control.

96 Role Management 3001 Default Subprocess (Default: <empty>)

Select the subprocess the application displays by default on the Role Import screen. Use F4 help to display the available subprocesses. You maintain the list of subprocesses in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control.

97 Role Management 3002 Default Criticality Level (Default: <empty>)

Select the criticality level the application displays by default on the Role Import screen. Use F4 help to display the available criticality levels. You maintain the list of criticality levels in the Customizing activity Specify Criticality Level under Governance, Risk and Compliance > Access Control > Role Management.

98 Role Management 3003 Default Project Release (Default: <empty>)

Select the project release the application displays by default on the Role Import screen. Use F4 help to display the available project releases. You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance, Risk and Compliance > Access Control > Role Management.

99 Role Management 3004 Default Role Status (Default: <empty>)

Select the role status the application displays by default on the Role Import screen. Use F4 help to display the available role statuses. You maintain the list of role statuses in the Customizing activity Maintain Role Status under Governance, Risk and Compliance > Access Control > Role Management.


100 Role Management 3006 Allow add functions to an authorization (Default: YES)

Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen.

101 Role Management 3007 Allow editing organizational level values for derived roles (Default: NO)

The maintenance screen for derived roles displays the organizational levels inherited from the parent role. Set the value to YES to allow users to change the organizational level values in a derived role.

102 Role Management 3008 A ticket number is required after authorization data changes (Default: YES)

Set the value to YES to require a ticket number when role authorizations have been modified in PFCG and the user chooses the Synch with PFCG button. Note: The Ticket Number field is a free-text field. The application only provides the field and imposes no format; enter whatever your company's change request process requires.


103 Role Management 3009 Allow Role Deletion from back-end system (Default: YES)

Set the value to YES to give users the option of deleting roles from both Access Control and the relevant plug-in systems. With YES, the role is deleted individually in each system where it resides; for example, the role is deleted directly in PRD instead of a deletion being transported through CTS. Set the value to NO to allow users to delete roles only from Access Control.

104 Role Management 3010 Allow attaching files to the role definition (Default: YES)

Set the value to YES to display the Attachments tab on the Role Maintenance screen, which lets users attach files to the role definition.


105 Role Management 3011 Conduct Risk Analysis before Role Generation (Default: YES)

Set the value to YES to automatically perform risk analysis when the user generates roles.

106 Role Management 3012 Allow Role Generation on Multiple Systems (Default: NO)

Set the value to YES to allow users to select multiple systems when generating roles. The application displays the systems in the landscape that are available for the role generation action.


107 Role Management 3013 Use logged-on user credentials for role generation (Default: NO)

When generating a role, the application connects to the back-end system to push the authorization data, and it needs a user name and password to open that connection. This parameter specifies whether the application uses a generic user for all role generation connections or the credentials of the person generating the role.

Set the value to NO to use the generic user maintained for the connector. You maintain the connector's user name and password in the Customizing activity Create Connectors under Governance, Risk, and Compliance > Common Component Settings > Integration Framework.

Set the value to YES to have the application connect with the user name and password of the person generating the role.

The advantage of YES is accountability: when someone opens the role in the back-end system, the role's change information shows exactly who generated it. With NO it shows only the connector's generic user. The trade-off is that with YES each person who generates roles needs the corresponding role maintenance authorizations in every target system, whereas with NO those authorizations sit on the generic connector user, whose use should then be restricted and monitored accordingly.

108 Role Management 3014 Allow role generation with Permission Level violations (Default: NO)

Set the value to YES to allow the application to generate roles even if permission-level violations are present. Set the value to NO to prohibit role generation if permission-level violations are present.

109 Role Management 3015 Allow role generation with Critical Permission violations (Default: NO)

Set the value to YES to allow the application to generate roles even if critical permission violations are present. Set the value to NO to prohibit role generation if critical permission violations are present.

110 Role Management 3016 Allow role generation with Action Level violations (Default: NO)

Set the value to YES to allow the application to generate roles even if action-level violations are present. Set the value to NO to prohibit role generation if action-level violations are present.

111 Role Management 3017 Allow role generation with Critical Action violations NO

Set the value to YES to allow the application to generate roles even if critical action violations are present. Set the value to NO to prohibit role generation if critical action violations are present.

112 Role Management 3018 Allow role generation with Critical Role/Profile violations NO

Set the value to YES to allow the application to generate roles even if critical role/profile violations are present. Set the value to NO to prohibit role generation if critical role/profile violations are present.


113 Role Management 3019 Overwrite individual role Risk Analysis results for Mass Risk Analysis NO

The application allows you to perform ad hoc risk analysis for multiple roles under Access Management > Role Mass Maintenance > Run Risk Analysis. The application stores the results of the analysis. (See also parameters 1052, 1053). When you next perform mass risk analysis, the application searches the stored data to determine if there are previous risk analysis results for each role. You can choose whether or not the application overwrites the risk analysis results. Set the parameter value to YES to overwrite previous results. Set the parameter value to NO to not overwrite previous results.

Note: This is done per individual role; it does not automatically overwrite the results for all roles.

114 Role Management 3020 Role certification reminder notification 10

You use this parameter to set how many days prior to the Next Certification date the application sends a reminder to the role owner. For example, if the next certification is June 15, xxxx, and this parameter value is 10, then the application sends the reminder notification to the role owner on June 5, xxxx. You set the Certification Period in Days and Next Certification date in the Define Role phase, on the Properties tab.

Note: Additional information about certification notifications. You can use the following Customizing activities to maintain custom notification e-mails under Governance, Risk, and Compliance > Access Control > Workflow for Access Control:


- Maintain Custom Notification Messages
- Maintain Text for Custom Notification Messages
- Maintain Background Job for E-mail Reminders

The following is an example of a notification e-mail:

The application provides notification templates. You can choose to assign your own custom notification templates in the Customizing activity Maintain Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

You can customize the notification text by using the Customizing activity Maintain Text for Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

For certification notifications to be delivered, you must run the GRAC_ERM_ROLE_CERTIFY_NOTIF program either in the foreground or the background. You can schedule background jobs to run periodically using the Customizing activity Maintain Background Job for E-mail Reminders under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.


If you run the program in the foreground, the application displays the following results screen:

115 Role Management 3021 Directory for mass role import server files <empty>

The application allows you to perform mass role import under Access Management > Role Mass Maintenance > Role Import. You can select the Import Source as File on Server. You use this parameter to specify the location of the files on the server.

116 Workflow 3022 Request Type for Role Approval 21

Use F4 help and choose the request type the workflow uses for role approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101).

117 Workflow 3023 Priority for Role Approval 5

Priority of the request for Role Approval. You use this parameter to set the default workflow request priority for Role Approvals. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_ROLE_APPR to role approval priorities.


118 Role Management 3024 Enforce methodology process for derived roles during generation YES

You use this parameter to determine the derived roles displayed in the role generation phase of the master role.

Set the value to YES to display only the derived roles that reach the role generation phase of the methodology process.

Set the value to NO to display all derived roles, regardless of their phase in the methodology process.

In the following example, Figure A shows five derived roles available; two of the roles are in Role Generation phase.

Figure B shows that if the value is set to YES, only the two roles in Role Generation phase are displayed.

119 Superuser Management 4000 Application type 1

You use this parameter to set the firefighting configuration. Choose 1 for ID-based firefighting. Choose 2 for Role-based firefighting.


120 Superuser Management 4001 Default Firefighter Validity Period (Days) <empty>

Set the default validity period (in days) of firefighter ID assignments to a firefighter. Note: This is only the default period. You can override the validity period for each assignment as needed in the front-end.

121 Superuser Management 4002 Send E-mail Immediately YES

The application sends e-mail notifications to the controller. Set the value to YES to send the e-mail notifications immediately. Set the value to NO and the application sends notifications only when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports.

122 Superuser Management 4003 Retrieve Change Log YES

If set to YES, the application fetches the Change Log when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports. (See also parameter 4002.) Note: The plug-in system must have the O/S time and the R/3 time zone matched for the logs to be collected properly, because STAD stores the logs in O/S files.


123 Superuser Management 4004 Retrieve System Log YES

If set to YES, the application fetches the System Log (debug changes) when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports. (See also parameter 4002.)

124 Superuser Management 4005 Retrieve Audit Log YES

If set to YES, the application fetches the audit (security) logs when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports. Note: You can activate Audit Logs using transaction SM19. (See also parameter 4002.)

125 Superuser Management 4006 Retrieve O/S Command Log YES

If set to YES, the application fetches the O/S Command Log when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S Command Log tracks information when O/S commands (SM49) are created, changed, or executed. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports. (See also parameter 4002.)

126 Superuser Management 4007 Send Log Report Execution Notification Immediately YES

The application can send log reports to controllers. The application sends the notifications as e-mails or workflow items based on the configuration of the controllers. (See figure below.) Set the value to YES and the application sends notifications when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports.

Set the value to NO and the application only collects the logs when the user chooses the Update Firefighter Log button or runs the GRAC_SPM_LOG_SYNC_UPDATE program. The application sends the e-mail notifications when the GRAC_SPM_WORKFLOW_SYNC program is run.

127 Superuser Management 4008 Send FirefightId Logon Notification YES

Set to YES and the application sends notification to the controller whenever a firefighter logs onto a system.

128 Superuser Management 4009 Log Report Execution Notification YES

Set to YES and the application sends notification to the controller when a user runs a log report.

129 Superuser Management 4010 Firefighter ID Role Name ZSAP_GRAC_SMP_FFID

Enter the name of the role assigned to the firefighter ID in the target systems. This identifies to the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check whether the user has this role assigned.


Copyright © 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.