GRC Configuration

This document provides steps to configure GRC - Access Control 10.0. It includes over 60 configuration steps organized into sections for post installation, common configuration, access risk analysis, emergency access management, access request management, business rule framework, and business role management. The steps cover areas like activating applications, services and workflows, generating user profiles and roles, defining rules and risk levels, configuring the business rule framework, and more.

Configuration document of GRC – Access Control 10.0

POST INSTALLATION (page 3)
Step: 001 > Activate the Applications of Financial Compliance (page 3)
Step: 002 > Activating the Services (page 4)
Step: 003 > Perform Automatic Workflow Configuration (page 5)
Step: 004 > Perform Task Specific Customizing (page 9)
Step: 005 > Generate Profiles for the Roles in GRC Server (page 13)
Step: 006 > Create New User GRC_ADMN (page 15)
Step: 007 > Activate End User Logon (page 15)
Step: 008 > Maintain Access Control Owners & other Nominations in GRC Server (page 17)
Step: 009 > Define Business Process & Sub Business Process (page 21)
Step: 010 > Define Employee Types (page 22)
Step: 011 > Configuring Data Sources (page 23)
COMMON CONFIGURATION (page 24)
Step: 012 > Configuring RFC Destination (page 25)
Step: 013 > Activating BC Sets (page 27)
Step: 014 > Maintain Connectors to Connection Type (page 30)
Step: 015 > Maintain Connection Settings (page 34)
Step: 016 > Maintain Connector Settings (page 36)
Step: 017 > Maintain Configuration Settings (page 37)
Step: 018 > Maintain Mapping for Actions and Connector Groups (page 39)
Step: 019 > Maintain Plug-in Settings (page 40)
Step: 020 > Distribute Jobs for Parallel Processing (page 43)
Step: 021 > Connect User Data Base from Backend to GRC Server (NEW) (page 43)
Step: 022 > Synchronization Jobs (page 46)
ACCESS RISK ANALYSIS (page 50)
Step: 023 > Maintain Access Risk Levels (page 51)
Step: 024 > Maintain Custom User Group (page 51)
Step: 025 > Maintain Master User ID Mapping (page 52)
Step: 026 > Create & Maintain Rule Set, Function ID & Risk ID (page 52)
Step: 027 > Generate SoD Rules (page 58)
Step: 028 > Downloading SoD Rules (page 61)

Sirish Vetcha, Consultant - GRC 10.0 1 of 186



Step: 029 > Uploading SoD Rules (page 63)
Step: 030 > ARA: Run User Risk Analysis (page 64)
Step: 031 > ARA: Batch Risk Analysis (page 67)
Step: 032 > ARA: Mitigation Configuration (page 71)
EMERGENCY ACCESS MANAGEMENT (page 76)
Step: 033 > Prerequisite: Maintain Connection Setting (page 79)
Step: 034 > Prerequisite: Maintain Configuration Settings (page 79)
Step: 035 > Prerequisite: Create Users and Roles & Maintain in Access Control Owners (page 80)
Step: 036 > Assign Owner to FFID (page 84)
Step: 037 > Assign FFID to Controller and Firefighters (page 85)
Step: 038 > Create a Reason Code (page 87)
Step: 039 > Firefighter Log Synchronization (page 88)
Step: 040 > Working of FFID Execution by Firefighter (page 89)
Step: 041 > FFID Reports Execution (page 90)
ACCESS REQUEST MANAGEMENT (page 91)
Step: 042 > Maintain Connection Settings (page 93)
Step: 043 > Maintain Configuration Settings (page 94)
Step: 044 > Configure Number Ranges & Activate (page 94)
Step: 045 > Prerequisite: Maintain Provision Settings (page 96)
Step: 046 > Maintenance of Define Request Types – MSMP Process IDs (page 97)
Step: 047 > Maintain MSMP Workflow (page 99)
Step: 048 > Find the Working of ARM Configuration (page 113)
BRF+: Business Rule Framework (page 118)
Step: 049 > Generate MSMP Rules for Processes (page 120)
Step: 050 > Define Business Rule Framework - Execute T-Code BRF+ (page 123)
Step: 051 > Mapping BRF+ Application with MSMP Workflow (page 136)
BUSINESS ROLE MANAGEMENT (page 143)
Step: 052 > Requirements > Maintain Connectors to Connector Group (page 143)
Step: 053 > Requirements > Maintain Connection Settings (page 145)
Step: 054 > Requirements > Maintain Mapping for Actions and Connector Groups (page 145)
Step: 055 > Requirements > Maintain Connector Settings (page 146)
Step: 056 > Requirements > Activate Business Configuration BC-Sets (page 147)


Step: 057 > Requirements > Maintain Configuration Settings (page 147)
Step: 058 > Requirements > Create Users & Assign as Access Owners (page 148)
Step: 059 > Maintain Role Type Settings (page 150)
Step: 060 > Prerequisite > Define Business Process & Sub Business Process (page 152)
Step: 061 > Specify Naming Convention (page 153)
Step: 062 > Define Other Role Attributes (page 154)
Step: 063 > Maintain MSMP Workflow (page 160)
Step: 064 > Role Methodology (page 168)
Step: 065 > Role Creation through Methodology (page 173)

After the Basis consultants have completed the installation (the GRCFND_A software component on the GRC server and the plug-ins on the backend servers), the GRC consultant starts the configuration at this stage of post installation and pre-implementation.
The AC configuration plan is classified into the phases below:
- Post Installation
- Common Configuration and Connection Settings
- Access Risk Analysis - ARA
- Emergency Access Management - EAM
- Business Role Management - BRM
- Access Request Management - ARM

POST INSTALLATION
One-time configuration that is independent of the backend systems is done in this phase. These are the very initial settings, such as activating the basic applications and HTTP services.

Step: 001 > Activate the Applications of Financial Compliance

Information GRC Financial Compliance has 3 applications, which have to be activated as per the client's requirement.
In GRC 5.3 these 3 applications were delivered on different servers; in version 10 all 3 are on a single server and the required application can be activated there.
AC – Access Control
PC – Process Control
RM – Risk Management
In version 10, 3 servers (Development, Testing & Production) are sufficient, whereas in 5.3 we required 3 x 3 = nine servers. This has reduced the cost.
T-Codes

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
General Settings


Execute 'Activate Applications in Client'

Click "New Entries"
Select the required applications from the drop down in 3 different rows
TICK all the selected applications under "ACTIVE" & SAVE
GRC – AC
GRC – PC
GRC – RM

Step: 002 > Activating the Services

Information To access the GRC server through Internet Explorer, HTTP services have to be activated at different levels of the GRC server. These are used to access the Portal, NWBC and Web Dynpro screens.

T-Codes SICF

Path

Provide Hierarchy Type as SERVICE – HTTP Service (through the input help) & Execute

Select the required host under 'Virtual Hosts/Services' by expanding 'Default_Host'


Options available by expanding:
Default Host > SAP > PUBLIC/ BC/ GRC > NWBC > AC/ PC etc.
It is recommended to activate the HTTP Service at the level of
- PUBLIC
- BC
- GRC

(Please don't double click. Just select.)

Go to the "SERVICE/HOST" tab in the menu

Select Activate

Step: 003 > Perform Automatic Workflow Configuration

Information We have 5 events related to workflow, and all of them should show a green tick mark. Each event has sub-events, and we should ensure all of these are also green.

T-Codes


Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
General Settings
Workflow
Execute 'Perform automatic workflow customizing'

Expand 'Maintain Runtime Environment'

Select 'Configure RFC Destination'
Create a new WF-BATCH user ID for workflows and maintain the user ID and password

If HR objects are not available:

Go to SA38 and run the ABAP reports RHTTCP77 and RHSOBJCT
Select ALL and click 'Adjust'
Click 'Check Entries' from HR Control Tables and EXECUTE


SE38 screen:


Add the address for the web server, maintain all details and SAVE


Step: 004 > Perform Task Specific Customizing

Information At the access control level, the GRC server performs the administrative tasks related mainly to user administration and role administration. Before the GRC implementation, the SAPAUTH or Security team manually creates a role in PFCG after getting approval from the respective competent authority through a ticket, and assigns the role to a user in the same way. Once the GRC server is installed, the approvers are maintained in the GRC server as owners at different levels; these approvals take place on the GRC server and the required changes are made automatically on the backend servers.
In the workflow configuration, agents are maintained in the paths, and these agents carry the owners. We have to activate the agents here in order to configure them in the Maintain MSMP Workflow settings.

T-Codes

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
General Settings
Workflow
EXECUTE 'Perform Task Specific Customizing'

Expand GRC & click 'Assign Agents'

If no sub-nodes are available, go to SE38 and execute the program RS_APPL_REFRESH


If nodes are not classified as Background, make them 'General Tasks' with the classification 'Not Classified'

Click on ‘Activate Event Linkage’


Select the web services that are deactivated

Tick the check mark 'Event Linkage Activated'
Against Error Feedback select 'Do Not Change Linkage'
Notify Employee if Rejected

Repeat the same steps for all the web services that are in Deactivated state


Activate all the agents related to GRC AC


Assign Agents and Activate Web Services

Step: 005 > Generate Profiles for the Roles in GRC Server


Information SAP predefined roles are available for assignment to the GRC consultants & access owners maintained in the GRC server. Profiles have to be generated for all those roles.

T-Codes PFCG > Select Utilities Tab > Select MASS GENERATION

Path

Select 'All Roles'

In the Role field use the input help, give *GR* and select the roles
Select 'Display Data When Created and Changed'
Select Generate Automatically
Execute


Step: 006 > Create New User GRC_ADMN:

Information Create new user through SU01

Path Login to NWBC


http://grcserver.:8000/sap/bc/nwbc/

Step: 007 > Activate End User Logon:

Information The created GRC Admin user is given access as end user logon


Path SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control
User Provisioning
Activate End User Logon

Select the service GRAC_UIBB_END_USER_LOGON and double click on it

Click on the Logon Data tab


Step: 008 > Maintain Access Control Owners & other Nominations in GRC Server:

Information Prior to GRC, changes to users, roles & accesses are done with administrative approval through a ticketing tool. We have to ensure that, in a complex hierarchy, the competent approval has been received for the required change. It is a tough and complex situation to maintain approval matrices organization-wide for different business processes in different locations or company codes. Ensuring the proper approval and documenting it is currently the biggest task for the Security or Auth. team.
The GRC server performs the same activity by maintaining the list of owners for different portfolios in its server. It ensures that provisioning happens automatically in the backend server at ABAP level, and documents all the movements, capturing the comments and other values at each stage without any manual intervention except the approvals and activities performed at that stage.
Out of the 11 access control owner types, 2 are options to choose between: FFID Owner vs. FFID Role Owner, and FFID Controller vs. FFID Role Controller. This depends on whether EAM is ID-based or role-based, and only 1 of each pair can be maintained at a time.
GRC as a tool ensures compliance in business processes by enabling dynamic workflows for activities related to user & role administration etc. Administration mainly consists of the junctions of notifications and approvals as designed in the workflow. These agents have to be maintained as access owners in the GRC server, as this procedure takes place on the GRC server.
Example: As per corporate governance, the authorities given to any user follow a certain approval process, and officers at different levels are assigned as approvers. GRC helps in governance as designed: if a client has 5000 employees and an average of 10 roles each, that leads to half a lakh (50,000) accesses provided to end users. GRC ensures that 100% of these accesses follow a certain approval process (by the user's manager, role owner (assignment approver), security etc.) when they are assigned.
The list of these owners is provided by the client as per their design. We have to configure them as agreed. We initiate the activity by placing them in the Access Owners list, which we do now.
All these owners, monitors, controllers etc. are to be created as end users in the GRC server. Assign the required SAP predefined roles as discussed below. They may have access in different backend servers; in that case they are considered end users only by GRC.

The list of owner types to maintain at AC level is as below:

a. Fire Fighter ID Owner: Approves the FFID access to a user
b. Fire Fighter ID Role Owner: Approves the FFID role changes
c. Risk Owner: Maintains the particular risk impacts by t-code combination
d. Role Owner: Owns and maintains the role & approves the changes to the role
e. Mitigation Monitors: Monitor & control the implementation of controls for a risk
f. Mitigation Approvers: Approve the implementation of a control to mitigate the risk for a risk ID
g. Fire Fighter ID Controllers: Monitor and control an FFID & maintain the particular FFID
h. Fire Fighter Role Controllers: Maintain the FFID role & approve the changes to the role
i. Point of Contact: Approver for a specific functional area. Functional area is an attribute used for roles.
j. Security Lead: Head of the security & GRC team; used for approval of any major changes
k. Workflow: Responsible for reassigning workflows under certain conditions such as escapes & escalations etc.

For details of the role descriptions etc. please use the attached file: ACCESS_OWNERS_ROLES_V2.xlsx

To find the owner (role content owner) and approver (assignment approver) from the table, go to SE16, provide the table name GRACROLE and execute.
Create the users in the GRC server and assign the roles below to them:
PLATFORM | OWNER TYPE | ROLES TO BE ASSIGNED IN GRC
EAM | FFID Owner | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
EAM | FFID Role Owner | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
ARA | Risk Owner | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_RISK_OWNER, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
BRM | Role Owner | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_ROLE_MGMT_ADMIN, SAP_GRAC_ROLE_MGMT_DESIGNER, SAP_GRAC_ROLE_MGMT_ROLE_OWNER, SAP_GRAC_ROLE_MGMT_USER, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
ARA | Mitigating Monitors | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_CONTROL_MONITOR, SAP_GRAC_CONTROL_OWNER, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
ARA | Mitigating Approvers | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_CONTROL_APPROVER, SAP_GRAC_CONTROL_OWNER, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
EAM | FFID Controllers | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_SUPER_USER_MGMT_CNTLR, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
EAM | FF Role Controllers | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_SUPER_USER_MGMT_CNTLR, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
GENERAL | Point of Contact | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_ACCESS_APPROVER, SAP_GRAC_ACCESS_REQUEST_ADMIN, SAP_GRAC_ACCESS_REQUESTER, SAP_GRAC_ROLE_MGMT_ROLE_OWNER, SAP_GRAC_ROLE_MGMT_DESIGNER, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
GENERAL | Security Lead | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_ACCESS_REQUEST_ADMIN, SAP_GRAC_ALERTS, SAP_GRAC_CONTROL_OWNER, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_RULE_SETUP, SAP_GRAC_SETUP, SAP_GRAC_SUPER_USER_MGMT_ADMIN, SAP_GRAC_ROLE_MGMT_ADMIN, SAP_GRC_MSMP_WF_ADMIN_ALL, SAP_GRC_MSMP_WF_CONFIG_ALL, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
GENERAL | Workflow | SAP_GRC_MSMP_WF_ADMIN_ALL, SAP_GRC_MSMP_WF_CONFIG_ALL, SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER, SAP_GRAC_DISPLAY_ALL, SAP_GRAC_REPORTS, SAP_GRAC_RISK_ANALYSIS

Users require basic access to the GRC server to use NWBC for raising requests etc. Firefighters also require access in the GRC server if EAM is centralized, as the end user then logs on to the FFID through the GRC server by executing T-Code GRAC_SPM.

EAM | FFID User | SAP_GRAC_BASE, SAP_GRAC_NWBC, SAP_GRAC_END_USER, SAP_GRAC_SUPER_USER_MGMT_USER, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER, SAP_GRAC_RISK_ANALYSIS
ARA | Access Req. End User | SAP_GRAC_ACCESS_REQUESTER, SAP_GRAC_BASE, SAP_GRAC_END_USER, SAP_GRAC_NWBC, SAP_GRAC_RISK_ANALYSIS, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER

Path NWBC > SAP_GRAC_NWBC > Set Up > Access Owners > Access Control Owners

Click "CREATE" available on the header of the owners list.
Give the user name in the Owner or Group field, as decided for this nomination.
Select (by ticking) which type of owner we propose to assign in the list.
Fill in the comments as per best practice, SAVE & CLOSE
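Once the owner users exist, it is worth verifying that each nominated user actually holds the role set the table above prescribes for its owner type, and nothing beyond it. The following Python check is an added example, not part of this document or of SAP's tooling: the user names, the nomination list and the USER,ROLE extract are constructed for illustration, and only three owner types from the table are encoded.

```python
from collections import defaultdict

# Roles shared by the FFID Owner, Risk Owner and Mitigating Approvers rows
# of the Step 008 table.
COMMON_ROLES = {
    "SAP_GRAC_BASE", "SAP_GRAC_NWBC", "SAP_GRAC_DISPLAY_ALL",
    "SAP_GRAC_REPORTS", "SAP_GRAC_RISK_ANALYSIS",
    "SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER",
}

# Required roles per owner type, as listed in the Step 008 table.
REQUIRED_ROLES = {
    "FFID Owner": COMMON_ROLES | {"SAP_GRAC_SUPER_USER_MGMT_OWNER"},
    "Risk Owner": COMMON_ROLES | {"SAP_GRAC_RISK_OWNER"},
    "Mitigation Approvers": COMMON_ROLES | {"SAP_GRAC_CONTROL_APPROVER",
                                            "SAP_GRAC_CONTROL_OWNER"},
}

# Constructed nomination list: the owner types each user was nominated for
# (what is maintained under Set Up > Access Owners > Access Control Owners).
NOMINATIONS = {
    "FFOWNER1": ["FFID Owner"],
    "RISKOWN1": ["Risk Owner"],
    "MITAPPR1": ["Mitigation Approvers"],
    "NOACCESS": ["Risk Owner"],   # nominated but never given any role
}

# Constructed extract of user-role assignments in the GRC server, one
# "USER,ROLE" pair per line (the shape of an AGR_USERS download). The gaps
# and the stray SAP_GRAC_SETUP assignment are deliberate so the check has
# something to report.
AGR_USERS_EXPORT = """\
FFOWNER1,SAP_GRAC_BASE
FFOWNER1,SAP_GRAC_NWBC
FFOWNER1,SAP_GRAC_SUPER_USER_MGMT_OWNER
FFOWNER1,SAP_GRAC_DISPLAY_ALL
FFOWNER1,SAP_GRAC_REPORTS
FFOWNER1,SAP_GRAC_RISK_ANALYSIS
FFOWNER1,SAP_GRC_FN_BASE
FFOWNER1,SAP_GRC_FN_BUSINESS_USER
RISKOWN1,SAP_GRAC_BASE
RISKOWN1,SAP_GRAC_NWBC
RISKOWN1,SAP_GRAC_DISPLAY_ALL
RISKOWN1,SAP_GRAC_RISK_ANALYSIS
RISKOWN1,SAP_GRAC_RISK_OWNER
RISKOWN1,SAP_GRC_FN_BASE
RISKOWN1,SAP_GRC_FN_BUSINESS_USER
RISKOWN1,SAP_GRAC_SETUP
MITAPPR1,SAP_GRAC_BASE
MITAPPR1,SAP_GRAC_NWBC
MITAPPR1,SAP_GRAC_DISPLAY_ALL
MITAPPR1,SAP_GRAC_REPORTS
MITAPPR1,SAP_GRAC_RISK_ANALYSIS
MITAPPR1,SAP_GRC_FN_BASE
MITAPPR1,SAP_GRC_FN_BUSINESS_USER
ENDUSER1,SAP_GRAC_END_USER
"""


def parse_assignments(export):
    """Return {user: set(roles)} from a USER,ROLE extract; blank and
    '#' comment lines are skipped and names are normalised to upper case."""
    assignments = defaultdict(set)
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, role = (field.strip().upper() for field in line.split(",", 1))
        assignments[user].add(role)
    return assignments


def check_owner(user, owner_types, assignments):
    """Compare what a nominated user holds against what its owner types need.

    'missing' roles will make the owner's NWBC screens or work items fail;
    'excess' roles are anything beyond the documented set for the nominated
    types and deserve a least-privilege review (e.g. SAP_GRAC_SETUP, a
    configuration role, sitting on a Risk Owner).
    """
    required = set().union(*(REQUIRED_ROLES[t] for t in owner_types))
    held = assignments.get(user, set())
    return {"missing": required - held, "excess": held - required}


def audit(nominations, assignments):
    """Run check_owner for every nominated user; users that are not
    nominated (plain end users) are not examined."""
    return {user: check_owner(user, types, assignments)
            for user, types in nominations.items()}


if __name__ == "__main__":
    findings = audit(NOMINATIONS, parse_assignments(AGR_USERS_EXPORT))
    for user, result in sorted(findings.items()):
        print(f"{user}: missing={sorted(result['missing'])} "
              f"excess={sorted(result['excess'])}")
```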


Step: 009 > Define Business Process & Sub Business Process

Information The business processes are already delivered by SAP. Change them if the client uses a different naming convention. The sub-processes are to be created by us as per the client requirement. If the client doesn't have sub business processes, ensure the same business process is maintained as the sub business process under it. This is mandatory while creating a role in BRM etc.

T-Codes

Path Go to SPRO


SAP Reference IMG


Governance Risk & Compliance
Access Control
Execute 'Maintain Business Process & Sub Process'

Select the required business process for which we propose to maintain sub business processes. Double click FI00 to maintain the sub-processes AP/ AR/ GL etc.
Click New Entries
Give the sub business process as below & SAVE

Step: 010 > Define Employee Types


Information Maintain the list of employee types present among the users who require access in the backend.

Path SPRO
SAP Reference IMG
Governance, Risk and Compliance
Access Control
User Provisioning
Define Employee Types
Add new employee types such as Regular and Contractors

Step: 011 > Configuring Data Sources

Information Get the mail server Host & Port information from Admin team

Path SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control
Maintain Data Source Configuration


Add the user search data source as LDAP1, LDAP2, or IDM; End User Verification should be YES

COMMON CONFIGURATION:

The configuration that has to be done before every module (ARA, EAM, ARM & BRM) is consolidated here and can be done in a single instance to reduce configuration time. This is designed as per the implementation planning strategy.
Anything that has to be maintained before configuring every module, such as Business Configuration sets and connection settings, can be part of the common configuration phase.


Step: 012 > Configuring RFC Destination

Information We are creating an RFC destination with the logical backend system name. RFC is an interface for communication between the SAP client and server and external programs and data. This interface enables function calls of SAP systems or external systems. The RFC is controlled by the RFC destination parameters. In order to create an RFC port, the RFC destination must be assigned. As a best practice, ensure the RFC destination name is the same as the logical system name.
RFC connections should always be created in CAPS only.

T-Code SM59

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Execute 'Create Connectors'

Get the IP address of the target host and fill it in the field "Target Host".
To get the IP address, go to "Run" from the Windows Start button and give the command "CMD"

Give the command "IPCONFIG" & press Enter

Find the current server IP address and note down the server name


Go to the path in the GRC system provided above

Expand ABAP Connectors to see the list of SAP servers maintained in the GRC server
Under "RFC Connections" click the Create icon
RFC Destination: XXXXXXX (give the logical backend system name)
Connection Type: 3 – "ABAP Connection"

Give the server name, for example 200.200.200.200, at "Target Host" & press Enter
Now the Target Host field fills with India.Server.Com (name of the server) &
the IP address field fills automatically with 200.200.200.200
SAVE

Test the created destination by clicking "Connection Test"

Find below result:


Then Click Remote Logon:

Find below screen

Step: 013 > Activating BC Sets

Information Maintain BC Sets. The Business Configuration sets are to be activated for the extra customizing services available in GRC. On activating a BC Set, the respective tables are enabled for configuration. Find them in the attached file: AC_BC_SETS.xlsx


SAP provides a set of BC Sets as a baseline. There is a BC set for the frequency timeframes, in which we can maintain the time period for the system.
List of BC Sets to be activated for AC:

APPLICATION | BUSINESS CONFIGURATION SET
WORKFLOW | GRC_MSMP_Configuration, GRC_MSMP_Sample_Conf, GRC_MSMP_STD_Conf
ACCESS RISK ANALYSIS | GRAC_RA_Ruleset_Common, GRAC_RA_Ruleset_SAP_APO, GRAC_RA_Ruleset_SAP_Basis, GRAC_RA_Ruleset_SAP_NHR, GRAC_RA_Ruleset_SAP_R3, GRAC_RA_Ruleset_SAP_ECCS, GRAC_RA_Ruleset_SAP_HR
EMERGENCY ACCESS MANAGEMENT | GRAC_SPM_Criticality_Level
ACCESS REQUEST MANAGEMENT | GRAC_Access_Request_Req_Type, GRAC_Access_Request_Priority, GRAC_Access_Request_APPL_Mapping, GRAC_Access_Request_EUP
BUSINESS ROLE MANAGEMENT | GRAC_Role_MGMT_Landscape, GRAC_Role_MGMT_Methodology, GRAC_Role_MGMT_Pre_Req_Type, GRAC_Role_MGMT_Role_Status, GRAC_Role_MGMT_Sensitivity

T-Codes SCPR20

Path SPRO
SAP REF IMG
GOVERNANCE RISK & COMPLIANCE
SHARED MASTER DATA SETTINGS
(For Workflow related BC Sets) ACTIVATE WORK FLOW FOR MASTER DATA CHANGES
(For AC related BC Sets) MAINTAIN ABILITY TO ADD LOCALLY-DEFINED CONTROLS
Go to the BC Set field and use the input help


Give GRC* for the 3 workflow related BC sets & GRAC* for the other access control related BC Sets

Select the required BC Set

Click Activation Button


Click Continue; the activation options dialog opens.

Under “Overwrite Data”: the first time select Overwrite; on subsequent activations select Do Not Overwrite, so that values already customized in the tables are not reset.
Under “Select Activation Mode” select Expert Mode.

Step: 014 > Maintain Connectors to Connection Type

Information Here we maintain three related configurations:

1. Define Connection Type: the connector created in the first step is the backend server; here we define its connection type, i.e. whether it is SAP, LDAP, EP (Enterprise Portal) etc.
2. Create a Connector Group and add our connector to it: a connector group is created and connectors are added to it. It is recommended to use the connector groups delivered with GRC (SAP_BAS_LG, SAP_APO_LG, SAP_R3_LG, SAP_CRM_LG, SAP_HR_LG, SAP_SRM_LG etc.), because the SAP-delivered rule set GLOBAL maintains its function actions and function permissions against these predefined connector groups only. If customizing is required, copy a delivered connector group and use the copy rather than creating a new one.


Connector groups also play a vital role as the landscape in BRM: they drive the dynamic maintenance of the role naming convention and the default backend connector used by the BRM methodology actions in their different phases, separately for each business process.
3. Define Subsequent Connectors: needed when one connector has to trigger another. For SAP EP, most actions such as create user and delete user are served by the standard SPML interface, but some, such as generate password, are not available through SPML and need a web service call. In that case the SPML interface is the first connector and the web service is the subsequent connector.

T-Codes
Attachment: CONNECTOR_INFO.xls
Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Maintain Connectors and Connection Types

After creating the connectors we declare what type of backend each connector connects to. The connection type is the type of the backend system; the backend type we use here is SAP.


Select the required backend type; here we take SAP.

Select “SAP - SAP System”
Double-click “Define Connectors”
Fill in as below:
Target Connector: use the input help and select the connector created earlier
Connection Type: select SAP, as our backend is an SAP system
Source Connector: as best practice, enter the target connector name here too
Logical Port: as best practice, enter the target connector name here too
Max No. of BG WP: the maximum number of background work processes the connector may use; 3 is the recommended value
SAVE

If you decide to create a new connector group instead of using a delivered one:

Double-click “Define Connector Group”
Click “New Entries”
Enter Connector Group Name, Connector Group Text and Type, then SAVE

Select the created connector group and double-click “Assign Connector Group to Group Types”:
Here we define the type of the connector group. The type LOGICAL GROUP is used for the logical systems of risk analysis and for role management landscapes.
If a risk combines function IDs whose actions live in two different backend systems (for example SRM and CRM), those systems must additionally be maintained together in a CROSS SYSTEM GROUP so that cross-system risk analysis can evaluate them.
Select the type from the dropdown and SAVE.


Now select the connector group again and double-click “Assign Connectors to Connector Groups”
Click New Entries

Enter the Target Connector using the input help, set the connector type to SAP and SAVE


Step: 015 > Maintain Connection Settings

Information Here we activate the different integration scenarios, called work areas, and assign connectors to them.
Connectors (systems) and connection types (system type such as web service, SAP, file, etc.) are defined globally and can be used across the different applications. Integration scenarios map the globally defined connectors to the individual applications; each application has its own integration scenarios.
The integration scenarios of AC 10.0 are:
AUTH: Authorization Management, used by ARA
PROV: Provisioning, used by ARM
SUPMG: Super User Privilege Management, used by EAM
ROLMG: Role Management, used by BRM

T-Codes

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Execute Maintain Connection Settings


Use the input help to select a work area and click Continue

Double-click “Scenario-Connector Link”

The Sub Scenario screen opens. Select the scenario shown on the screen and double-click “Scenario-Connector Link” in the left pane.
Enter the Target Connector from the input help and press Enter; the connection type and text are filled automatically. SAVE.

To see which connection types a scenario supports, select the work area and double-click “Scenario-Connection Type Link”.


This shows the interface used for each connection type.

Repeat the same activity for all four scenarios: AUTH, PROV, SUPMG and ROLMG.

Step: 016 > Maintain Connector Settings

Information So far we have created a connector, set its connection type to SAP and assigned it to a connector group. Now we maintain the connector's environment, i.e. whether the backend server it points to is Development, Test or Production. The connector created in the first step gets its environment here.
PSS (Password Self Service) can be enabled per connector by ticking the PSS column; users of that backend can then use password self service through GRC.

Best practice is to pair each GRC system with the backend of the same tier:
GRD <> ECD
GRQ <> ECQ
GRP <> ECP

Path SPRO
SAP Reference IMG
Governance Risk & Compliance


Access Control
Maintain Connector Settings
Click “New Entries”
Target Connector: select using the input help
Application Type: the connector type, here SAP (10.0 offers 16 application types; 10.1 adds SAP HANA as a 17th)
Environment: the tier of the backend we connect to, DEV / TST / PRD; here we maintain Development
PSS: tick to enable Password Self Service, then SAVE
Attributes can also be maintained for this entry if required.

Step: 017 > Maintain Configuration Settings

Information In this step we set the parameters of the Access Control components. These parameters define the behaviour of the system or of the respective module, e.g. the default risk level and default rule set used when running a risk analysis, the default user type, or in EAM the maximum number of days a Firefighter ID may be issued to a user.

Path SPRO
SAP Reference IMG


Governance Risk and Compliance


Access Control
Maintain Configuration Settings
Example of maintained parameters (the Priority and Description columns are documented in the attachment):

Parameter Group                       Parameter ID   Parameter Value
Risk Analysis                         1023           02
Risk Analysis                         1024           *
Risk Analysis                         1025           GLOBAL
Risk Analysis                         1026           A
Risk Analysis                         1027           NO
Workflow                              1061           NO
Workflow                              1062           NO
Workflow                              1113           WF-BATCH
Workflow                              3022           21
Workflow                              3023           5
Emergency Access Management           4000           1
Emergency Access Management           4001           30
Emergency Access Management           4002           YES
Emergency Access Management           4003           YES
Emergency Access Management           4004           YES
Emergency Access Management           4005           YES
Emergency Access Management           4006           YES
Emergency Access Management           4007           YES
Emergency Access Management           4008           YES
Emergency Access Management           4009           YES
Emergency Access Management           4010           SAP_GRC_SPM_FFID
UAR Review                            2004           011
UAR Review                            2005           007
UAR Review                            2006           Manager
UAR Review                            2007           YES
Risk Analysis - Access Request        1071           NO
Risk Analysis - Access Request        1072           NO
Role Management                       3003           AC10.0
Role Management                       3004           PRD
Role Management                       3005           NO
Access Request Role Selection         2031           YES
Access Request Role Selection         2033           YES
Access Request Role Selection         2035           YES
Access Request Role Selection         2036           NO
Access Request Role Selection         2037           YES
Access Request Role Selection         2038           NO
Access Request Default Roles          2009           NO
Access Request Default Roles          2011           REQUEST
SOD Review                            2016           010
SOD Review                            2017           009
SOD Review                            2018           MANAGER
SOD Review                            2019           YES
SOD Review                            2023           NO
Assignment Expiry                     2041           10
Access Request Training Verification  2024           WS

A detailed discussion of each parameter group, with the available options, is in the attachment:

Attachment: AC - Parameters.xlsx

Step: 018 > Maintain Mapping for Actions and Connector Groups

Information The connector group we use contains various connectors: HR backend, non-HR backend, BI backend, development, test, production etc.
Connector groups play a vital role in BRM as the landscape: roles are created through the BRM methodology under a landscape, and the landscape is a connector group. SAP_BAS_LG is the landscape for Basis roles, SAP_FI_LG the landscape for FI roles, and so on.
While a role is created through the methodology, the backend is accessed at several phases: maintenance of transactions and authorizations, generation etc. GRC navigates to the backend dynamically at these phases, so we must define which backend in the group is the default for each purpose.
For example, role generation should target the development system, because a role is always created in development and moves to production after testing in quality. For this reason development is kept as the default for all actions in the connector group except provisioning. The actions are:
- Role Generation
- Role Risk Analysis
- Authorization Maintenance
- Provisioning
- HR Trigger

T-Code

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Controls
Execute Maintain Mapping for Actions and Connector Groups

Click New Entries


Update the group entry as below:
Connector Group: select the connector group using the input help
Activate: tick the activation flag
Application Type: select 01-SAP (displayed as 1)
SAVE


The created connector group now appears in the list with the others.

Select the created connector group and double-click “Assign Default Connector to Connector Group” in the left pane.
Click New Entries and provide:
Connector Group: select the group above with the input help
Action: one entry per action
0001: Role Generation
0002: Role Risk Analysis
0003: Authorization Maintenance
0004: Provisioning
0005: HR Trigger
Target Connector: select with the input help
Tick Default
SAVE

Assign Group Field Mapping (not required here): maps Access Control fields to the fields of the connected system. Enter the Connector Group and Connector, click New Entries and maintain
AC Field Name (for example E_MAIL), System Field Name (for example Address), Table Name (for example Company) and Subtype if required.

Assign Group Parameter Mapping (not required here): used for provisioning into SPML 1.0 compliant systems such as IDM products and SAP EP. The entries are based on the schema exposed by the IDM.

Step: 019 > Maintain Plug-in Settings:


Information This configuration specifies which system Access Control uses to authenticate users and read roles. By default the SAP PFCG plug-in (GRCPI) is used; the default backend system where the data is maintained can be assigned here. To bypass PFCG and use a non-PFCG system in our environment, the non-GRCPI plug-in is activated here.
Path SPRO
SAP REF IMG
Governance Risk and Compliance
Access Control
Maintain Plug-in Settings

To use the PFCG plug-in: select “Activate Plug-in” in the left pane, click New Entries, select the Target Connector with the input help and SAVE.

To use a non-PFCG plug-in: select “Activate Plug-in” in the left pane, click New Entries, select the Target Connector, tick the “Inactive GRCPI” checkbox and SAVE.

Then select the connector, double-click “Activate Non-GRCPI” and click New Entries,


select the Application Type, tick Activate and SAVE.

Select the activated entry and double-click “Activate Non-GRCPI IDs” in the left pane.
Click New Entries, choose the Plug-in ID for the adapter from the dropdown,
tick Activate and SAVE.


Step: 020 > Distribute Jobs for Parallel Processing:

Information This activity specifies the data used to distribute the jobs that Access Control processes in parallel (for example batch risk analysis) across servers.

Path SPRO
SAP REF IMG
Governance Risk & Compliance
Access Control
Distribute Jobs for Parallel Processing

Provide the application for which parallel processing is required.

Server Name is the GRC application server; under Logon give the number of parallel generators and the number of tasks, for example 10.

_____________________________________________________________________________________

Step: 021 > Connect User Data Base from Backend to GRC Server (NEW):
Information Users and other data that exist in the various backend servers have to be made available to the GRC server when data is synchronized from the backend. The data sources for users in each backend are maintained on the GRC server; the users are then available for risk analysis and for role assignment. Access Control reads the user attributes from the data sources in the configured sequence; an attribute already read from an earlier source is not overwritten by a later one.
The data is maintained at four stages:
- User Search Data Sources
- User Detail Data Sources
- User Authentication Data Sources
- End User Verification
At each stage select the target connector (backend server); production is suggested, as the users exist there.
Maintain the sequence number and ensure it is not repeated.
User Data Type is SU01 or HR data; in our case select SU01, as we create the users there.
Under End User Verification select NO for a practice system.

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Controls
Maintain Data Source Configuration
Double Click User Search Data Source under dialog structure & Click NEW ENTRIES


Use the input help at Target Connector and select the required backend among the connectors we created

Provide the sequence number and ensure it does not repeat an existing one
Use the input help at User Data Type, select SU01 and SAVE

Double click User Detail Data Sources > Click New Entries & Repeat the same


Repeat the same under User Authentication Data Sources; after saving, each stage looks alike.

Now we maintain End User Verification:

Access Control uses this confirmation information to verify the requester's identity on the selected systems in sequence.
If the user information is confirmed on one system, the user is considered authenticated for all systems; no further confirmation on the other systems is needed.
Double-click End User Verification
Under Authentication use the input help and select YES (NO on a practice system, as noted above)
SAVE
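The data-source behaviour described in this step (sources read in sequence order, attributes already read not overwritten, end-user verification that stops at the first confirming system) modelled in Python as an added illustration. This is not code from the document or from SAP; the connector names, user records and the reading of “not overwritten” as “a later source only fills attributes still empty” are constructed assumptions for the example.

```python
"""Added illustration of the Maintain Data Source Configuration behaviour:
sources are read in sequence order, attributes already read are not
overwritten, and end-user verification stops at the first confirming system.
Not code from the document or from SAP; all data below is constructed."""
from typing import Dict, List, Optional, Tuple

UserRecord = Dict[str, Optional[str]]

# Constructed backend contents: connector name -> user ID -> attributes.
# Connector names follow the usual <SID>CLNT<client> pattern but are made up.
BACKENDS: Dict[str, Dict[str, UserRecord]] = {
    "ECPCLNT100": {
        "JDOE": {"name": "Jane Doe", "email": "jdoe@example.com", "dept": None},
    },
    "HRPCLNT100": {
        "JDOE": {"name": "Jane Doe", "email": "jane.doe@corp.example", "dept": "SD"},
        "ASMITH": {"name": "Al Smith", "email": "asmith@corp.example", "dept": "FI"},
    },
    "CRPCLNT100": {
        "ASMITH": {"name": "A. Smith", "email": None, "dept": None},
    },
}

# Constructed data source entries as maintained in the IMG activity:
# (sequence number, target connector, user data type SU01 or HR).
# Deliberately listed out of order to show that the sequence number, not
# the table position, decides the reading order.
USER_DETAIL_SOURCES: List[Tuple[int, str, str]] = [
    (3, "CRPCLNT100", "SU01"),
    (1, "ECPCLNT100", "SU01"),
    (2, "HRPCLNT100", "HR"),
]


def ordered_sources(sources: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return the sources in sequence order, refusing repeated sequence
    numbers (the check the IMG step asks the administrator to make)."""
    seqs = [seq for seq, _, _ in sources]
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    if dups:
        raise ValueError(f"duplicate sequence number(s): {dups}")
    return sorted(sources, key=lambda s: s[0])


def resolve_user_details(user_id: str,
                         sources=USER_DETAIL_SOURCES,
                         backends=BACKENDS) -> Tuple[Optional[UserRecord], List[str]]:
    """Read the user's attributes from each source in sequence. An attribute
    already filled by an earlier source is kept; later sources only supply
    attributes that are still empty (assumed reading of 'not overwritten')."""
    merged: UserRecord = {}
    consulted: List[str] = []
    for _, connector, _ in ordered_sources(sources):
        record = backends.get(connector, {}).get(user_id)
        if record is None:
            continue
        consulted.append(connector)
        for attr, value in record.items():
            if merged.get(attr) is None and value is not None:
                merged[attr] = value
    return (merged or None), consulted


def verify_end_user(user_id: str, claimed: Dict[str, str],
                    sources=USER_DETAIL_SOURCES, backends=BACKENDS) -> Optional[str]:
    """End User Verification: compare the requester's claimed attributes with
    each system in sequence and return the first connector that confirms them.
    One confirmation authenticates the user for all systems, so the loop stops
    there instead of demanding a match everywhere."""
    for _, connector, _ in ordered_sources(sources):
        record = backends.get(connector, {}).get(user_id)
        if record is not None and all(record.get(k) == v for k, v in claimed.items()):
            return connector
    return None


if __name__ == "__main__":
    for uid in ("JDOE", "ASMITH", "NOBODY"):
        print(uid, resolve_user_details(uid))
    print(verify_end_user("JDOE", {"email": "jane.doe@corp.example"}))
```

Note that JDOE's e-mail address comes from the sequence-1 connector even though the HR system holds a different one; if the HR address is the one that should win, the HR connector must get the lower sequence number rather than relying on a later source to overwrite it.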


Step: 022 > Synchronization Jobs

Information GRC is the central administrator of all backend servers and works with their data: roles, users, their access etc. Data synchronization is therefore a very important activity in GRC. There are several synchronization jobs, each of which syncs different data from the backend.

I) Authorization Sync:
After the plug-in settings at the backend are complete, the next important task is to generate all SoD rules, and the authorization sync has to run before that. It synchronizes all authorization data maintained in the backend server into the GRC system.
This job syncs the authorization master data from the backend servers and stores it in the GRAC repository; the authorization data of each connector is stored separately, in relation to that connector.
If this program is not executed, no T-code can be added to a function and no authorization object details are shown in the functions.
Authorization objects, their fields, the field values, the transactions they belong to and the SU24 settings are synchronized by this activity, i.e. the plain master data of which authorization object has which fields and which T-code checks which authorization object.
The synchronization updates the following:
Resource Sync: permissions, resources and descriptions for authorization objects.
Action Sync: descriptions for actions, and the permissions and resources for authorization objects.
Resource Class Sync: permissions and resources for authorization object classes and their relationships.
Resource Extension: organization level, activity level and descriptions for resource extensions.
Default SU24 Values Sync: default authorization object and field values for actions.

Authorization sync is suggested once every day in non-peak hours.


Any Sync can be done through 3 methods Program/ Path/ T-Code:


1) By executing the program

Program: GRAC_PFCG_AUTHORIZATION_SYNC
The program is run through SA38 or SE38 and can be scheduled weekly or as per the client's requirement.

2) Through the T-code

T-Code: GRAC_AUTH_SYNC

3) Through the IMG path

Path: Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Controls
Synchronization Jobs
Execute Authorization Sync
Fill the Connector field using the input help: * selects all connectors, or select an individual backend server

II) Repository Object Synchronization:

This job synchronizes profiles, roles and users together with their relationships (profiles to roles, roles to users) from the backend and legacy systems and stores them in the GRAC repository.
The activity offers the following synchronization options:
Profile Sync: required for the SoD risk analysis of profiles
Role Sync: required for the SoD risk analysis of roles
User Sync: required for the SoD risk analysis of users

The objects are synchronized in relation to each other (profiles to roles, roles to users):
If only Profile is selected, only profiles are synchronized.
If Role is selected, Profile is selected automatically as well: every role contains a profile, and while profiles can exist without roles, roles cannot exist without profiles. At minimum the profiles must be synchronized to run a risk analysis.
If User is selected, Role and Profile are selected automatically: GRC has tasks only for users who are assigned roles, and users without role assignments are not needed in GRC as no activities exist for them. One of the most important of these tasks is the user risk analysis, for which this data is required.

Full Sync Mode is advised once every 24 hours, in non-peak hours.

Incremental Sync Mode: the incremental sync job is executed hourly, i.e. 24 times per day.

Repository Object Sync can be done through three methods:


1) Through executing the Program as given below
Program: GRAC_REPOSITORY_OBJECT_SYNC


The program is run through SA38 or SE38 and can be scheduled weekly or as per the client's requirement.

2) Through the T-code

T-Code: GRAC_REP_OBJ_SYNC

3) Through the IMG path

Path: Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Controls
Synchronization Jobs
Execute Repository Object Synchronization
The Connector field can be * (all) or an individual backend server

III) Action Usage Synchronization:

This job synchronizes the action (transaction) usage data from the backend system into the GRAC repository. Action usage data records which transactions each user executed.
It is required as audit information for Emergency Access Management.
Suggested once every day in non-peak hours.
Action Usage Synchronization can be done through three methods:
1) By executing the program:
Program: GRAC_ACTION_USAGE_SYNC

2) Through T-Code as given below:


T-Code: GRAC_ACT_USAGE_SYNC

3) Through path as given below:


Path: SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control
Synchronization jobs


Action Usage Synchronization

Leave the Connector blank or give * if all backend servers are required
Give the Users as * (or ranges such as A* to Z*)

IV) Role Usage Synchronization:

This job synchronizes the role usage data from the backend server into the GRAC repository: which T-codes were used from which roles, and how often, per user.
Suggested once every day in non-peak hours.
Role Usage Synchronization can be done through three methods:
1) By executing the program:
Program: GRAC_ROLE_USAGE_SYNC

2) Through T-Code as given below:


T-Code: GRAC_ROLE_USAGE_SYNC

3) Through path as given below:


Path: SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control
Synchronization jobs
Role Usage Synchronization


ACCESS RISK ANALYSIS:

One of the important activities of GRC is providing the risk analysis report, covering the SoD risks and critical-access risks of users, roles and profiles.
The inputs are:
1) Data of users and their access: the roles they hold, the profiles in those roles, and the T-codes and authorizations in those profiles. All of this is synchronized from the backend servers, mainly through the Repository Object Sync.
2) The rule set and its maintenance in the GRC server.
The synchronization was covered in Step 022 under common configuration; here we look at the rule set, its configuration and the reports in ARA.

ACCESS RISK ANALYSIS: running risk analysis for users, roles and profiles

Risks arise through the combination of access held by users through their roles. The analysis draws on two data sources:

RULE SET (maintained in the GRC server)
  STRUCTURE
  1. T-codes are classified into Function IDs (maintained per business process)
  2. A risk is a combination of different Function IDs: Risk ID
  3. Rules are formed for each combination of T-codes across the Function IDs of a risk: Rule ID
  MAINTENANCE
  1. Create a Rule Set ID
  2. Create a Function ID and add T-codes to it
  3. Create a Risk ID and add Function IDs to it
  4. Generate the Risk ID to create the Rule IDs
  5. Maintain the Risk Approver for the Risk ID
  6. Manage the above by adding and removing entries
  7. Create the Organization Root Hierarchy and maintain the Mitigation Approver and Monitor in it
  8. Create Mitigation IDs and maintain their approver and monitor

USERS & ACCESS DETAILS (synchronized from the backend servers)
  STRUCTURE
  1. T-codes as actions and authorizations as permissions present in each profile
  2. Profiles maintained in each role
  3. Users having access to the different roles
  MAINTENANCE
  Schedule the Repository Object Synchronization; the data to sync can be chosen:
  PROFILES > the T-codes and authorization objects in them sync
  ROLES > the roles sync together with their profiles
  USERS > users and their access to roles sync
  Sync can be done through T-code, program or IMG path

BENEFITS
User risk analysis can run in the workflow before a new role is assigned, including the proposed role
Role risk analysis can run in the workflow before a new role is generated, including its actions and permissions

The main ARA activities are:
- Customizing the current rule set
- Creating a new rule set
- Maintaining all rule sets
- Running risk analysis
- Creating and maintaining Mitigation IDs
- Assigning and maintaining Risk Owner, Mitigation Monitor and Mitigation Approver
- Reports

Step: 023 > Maintain Access Risk Levels


Information Here we maintain the colours of the SoD risk levels. Numbers 0 to 3 are reserved for the risk levels delivered by the application; 4 to 99 are free for custom levels.
Path SPRO
SAP REF IMG
Governance Risk & Compliance
Access Control
Maintain Access Risk Levels
Click New Entries and provide Risk Level, Risk Level Color Code and Description
No input help is provided for these fields

Step: 024 > Maintain Custom User Group

Information We can create a custom user group and add users to it. This allows the risk analysis to be run for the group instead of for each user individually.

Path SPRO
SAP REF IMG
Governance Risk & Compliance
Access Control
Maintain the Custom Group
Select “Maintain the Custom Group” in the left pane and click New Entries
Provide the Custom Group Name and Description
Select it and double-click “Maintain User ID for the Custom Group”
Click New Entries and provide the User IDs of the users to be maintained in the group.


Step: 025 > Maintain Master User ID Mapping

Information Here we designate one User ID as the Master User ID and map the IDs the same person has in the other backend systems to it.
This covers the scenario where a company uses the employee number as User ID in one system and the last name in another: one system's ID is designated as the main or master ID and the others are mapped to it.

Path SPRO
SAP REF IMG
Governance Risk & Compliance
Access Control
Maintain Master User ID Mapping
Click New Entries
Provide the Target Connector, the User ID in that connector and the Target (master) User ID
Continue on the next line with another connector and its User ID, provide the same Target User ID, and SAVE

Step: 026 > Create & Maintain Rule Set, Function ID & Risk ID

Information Here we build the rules that the GRC system evaluates; rules are generated for every risk.
E.g.: add VA01 and VA02 to function ID #1 and VB01 and VB02 to function ID #2.
Risk #001 is the combination of functions 1 and 2.


The system generates rules for each risk from the different combinations of T-codes across its function IDs:
VA01 + VB01 = Risk1 > Rule1
VA01 + VB02 = Risk1 > Rule2
VA02 + VB01 = Risk1 > Rule3
VA02 + VB02 = Risk1 > Rule4
The set of all these rules is a rule set. GLOBAL is the rule set delivered with GRC.
If customization is required, it is suggested to copy GLOBAL and customize the copy.
Customizing includes:
1) Creating or maintaining function IDs with T-codes in them
2) Creating or maintaining risk IDs with combinations of different function IDs
3) Generating the rules again after making the changes

1st: Create the Rule Set ID

T-Code
Path NWBC > SAP_GRC_NWBC > Rule Setup > Access Rule Setup > Rule Sets > Create

Give the new Rule Set ID name and description, and Save

2nd: Create the Function ID
T-Code
Path NWBC > SAP_GRC_NWBC > Rule Setup > Access Rule Setup > Functions > Create


Give the name of the Function ID as per the naming convention

Give the Business Process; Analysis Scope is to be given as Single System
Provide a description
Under Action click Add
Provide the backend system from which the T-codes are read into the function ID

Action: enter the T-code to be maintained under the function ID and press Enter

The T-code description is filled in automatically
Status is to be ACTIVE


Press Add to add another T-code

To restrict at authorization-object level use the Permission tab

SAVE

In the same way, create another function ID with other T-codes

3rd: Create the Risk ID
T-Code
Path NWBC > SAP_GRC_NWBC > Rule Setup > Access Rule Setup > Access Risks > Create

Give: Risk ID, Risk Type, Business Process, Description, Risk Level and Status.
Fill: Detailed Description of the risk and Suggested Control Objective.
Risk Level: four levels exist: Critical, High, Medium and Low.
Critical is the system-level risk; the others are business-process risks.
Add: select the Function IDs


Select Rule Set ID in the Rule Sets tab & SAVE

Sirish Vetcha, Consultant - GRC 10.0 57 of 186


Configuration document of GRC – Access Control 10.0

Provide the Risk Owners created in step 12

SAVE

_____________________________________________________________________________________

Step: 027 > Generate SoD Rules

Information The risk IDs created in Step 026 are now generated.
This creates the rules within the risks we have created.
Refer to the explanation of the rule set above for more information.

T-Code

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
SoD Rules
Generate SoD Rules


Provide the Risk ID for which the rules are to be generated, or a range of Risk IDs using the From and To fields.
Execute

The generated message appears at the bottom of the screen.

The rules can also be generated through NWBC:

Path NWBC > SAP_GRC_NWBC > Rule Setup > Access Rule Maintenance > Access Risks
Select the created Risk ID, click Generate Rules and select Foreground

Confirm the Risk ID created for the combination of function IDs


The rules are generated and two hyperlinks show them:
Action Rules contain the combinations of T-codes between the two function IDs of the risk ID
Permission Rules contain the combinations of authorizations between the two function IDs of the risk ID

Inside “View Action Rules” the details are:
one Risk ID with two Rule IDs, built from two function IDs and their T-codes.
Function ID #1 has one T-code, PFCG, and function ID #2 has two T-codes, SCC1 and SU01.
The risk ID was created from the combination of these two function IDs.
The generated rules are the T-code combinations between the two function IDs: 1 x 2 = 2 rules
Rule ID 0001 = Fn ID 1 & 2 = PFCG vs SCC1
Rule ID 0002 = Fn ID 1 & 2 = PFCG vs SU01

In “View Permission Rules” there are the extra columns Resource and Resource Extension, i.e. the authorization object and its field.
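The rule generation of Steps 026 and 027 and the user-level check of the ARA overview, modelled in Python as an added illustration. This is not code from the document or from SAP: the function IDs, risk IDs, profiles, roles, users and mitigation assignment are constructed sample data, and the rule numbering (risk ID plus a four-digit counter) and the mitigation handling are assumptions of the example. The block goes one step beyond the text by running the generated action rules against the user-to-role-to-profile chain that the Repository Object Sync stores.

```python
"""Added illustration: how SoD action rules are generated from the functions
of a risk, and how a user's synchronized access is checked against them.
Not code from the GRC document or from SAP; all IDs below are constructed."""
from itertools import product

# Constructed functions: function ID -> T-codes (actions) maintained under
# Rule Setup > Functions.
FUNCTIONS = {
    "FN01": {"PFCG"},              # role maintenance
    "FN02": {"SCC1", "SU01"},      # client copy / user maintenance
    "FN03": {"VA01", "VA02"},      # create / change sales order
    "FN04": {"VB01", "VB02"},      # constructed billing-side actions
}

# Constructed risks: risk ID -> (risk level, function IDs in conflict).
RISKS = {
    "B001": ("High", ["FN01", "FN02"]),
    "S001": ("Medium", ["FN03", "FN04"]),
}

# Constructed repository data as the Repository Object Sync stores it:
# profile -> actions, role -> profiles, user -> roles.
PROFILES = {
    "T-SD001": {"VA01", "VA02"},
    "T-SD002": {"VB01"},
    "T-BC001": {"PFCG", "SU01"},
}
ROLES = {
    "Z_SD_ORDER": ["T-SD001"],
    "Z_SD_BILL": ["T-SD002"],
    "Z_BC_ADMIN": ["T-BC001"],
}
USERS = {
    "JDOE": ["Z_SD_ORDER", "Z_SD_BILL"],
    "BASIS1": ["Z_BC_ADMIN"],
    "VIEWER": [],
}

# Constructed mitigation assignments: (user, risk ID) -> mitigating control ID.
MITIGATIONS = {("JDOE", "S001"): "MC_SD_001"}


def generate_action_rules(risk_id, functions=FUNCTIONS, risks=RISKS):
    """Generate SoD Rules at action level: one rule for every combination
    that takes one T-code from each function of the risk (1 x 2 = 2 rules in
    the document's example).  Rule IDs are the risk ID plus a four-digit
    counter; that numbering is an assumption of this example."""
    level, fn_ids = risks[risk_id]
    action_lists = [sorted(functions[fn]) for fn in fn_ids]
    rules = []
    for n, combo in enumerate(product(*action_lists), start=1):
        rules.append({
            "risk": risk_id,
            "rule": f"{risk_id}{n:04d}",
            "level": level,
            "actions": dict(zip(fn_ids, combo)),
        })
    return rules


def user_actions(user, users=USERS, roles=ROLES, profiles=PROFILES):
    """Follow user -> roles -> profiles -> actions, the chain the repository
    sync keeps in relation to each other."""
    held = set()
    for role in users[user]:
        for profile in roles[role]:
            held |= profiles[profile]
    return held


def user_risk_analysis(user, risks=RISKS):
    """Return every action rule the user violates.  A rule fires only when the
    user holds the T-code from every function in the combination; holding
    several actions of one function alone is not an SoD conflict."""
    held = user_actions(user)
    violations = []
    for risk_id in risks:
        for rule in generate_action_rules(risk_id):
            if set(rule["actions"].values()) <= held:
                hit = dict(rule, mitigated_by=MITIGATIONS.get((user, risk_id)))
                violations.append(hit)
    return violations


def unmitigated_violations(user):
    """Violations without an assigned mitigating control: the ones that should
    block an access request or trigger remediation."""
    return [v for v in user_risk_analysis(user) if v["mitigated_by"] is None]


if __name__ == "__main__":
    for risk in RISKS:
        for rule in generate_action_rules(risk):
            print(rule["rule"], rule["level"], rule["actions"])
    for user in USERS:
        print(user, [v["rule"] for v in user_risk_analysis(user)],
              "unmitigated:", [v["rule"] for v in unmitigated_violations(user)])
```

The permission-level rules the document shows under “View Permission Rules” work the same way, but with the authorization object and field values from the Permission tab of each function in place of the T-codes; this example stays at action level.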


_____________________________________________________________________________________

Step: 028 > Downloading SoD Rules

Information The rule set is downloaded as nine separate files that relate to each other. This gives flexibility, e.g. maintaining certain risk IDs in two or more rule sets. The downloaded files can be opened in WordPad. All files contain the information in two languages, English and German.
Of the nine files, all but two hold data maintained in the GRC server without any relationship to a backend server. Function Actions and Function Permissions are maintained in the GRC server in relation to a backend server, through the connector group.
GLOBAL is the SAP-predefined rule set; its function actions and function permissions are maintained against the predefined connector groups.
We have to streamline this by maintaining the whole rule-set data in the respective single connector group for each backend server.

1) Business Process: Business processes maintained in the GRC server are downloaded here with their Code,
Language and Description.
These include all business processes, whether predefined by SAP or created by us.
Attached file: 1.Business Process.txt
Find the example below:
BP Code Language Description
AM EN Account Maintaining
AP00 DE APO
AP00 EN APO
BS00 EN Basis
BS00 DE Basis
CA00 EN Cross Application
CA00 DE Zusammengesetzte Anwendung
CR00 DE CRM
CR00 EN CRM
EC00 EN Consolidating
EC00 DE Konsolidierung
FI00 DE Finanzwesen
FI00 EN Finance
HR00 DE HR and Personalabrechnung
HR00 EN HR and Payroll
MM00 EN Materials Management
MM00 DE Materialwirtschaft
PM00 EN Plant Maintenance
PM00 DE Instandhaltung


PR00 DE Beschaffungsprozess
PR00 EN Procure to Pay
SD00 DE Auftragsabwicklung
SD00 EN Order to Cash
SR00 EN EBP and SRM
SR00 DE EBP and SRM

2) Function: Function IDs with their descriptions and SoD status "S" are downloaded here in English and
German.
Attached file: 2.Function.txt

3) Function Business Process: This file gives the existing function IDs with their Business Process IDs.
Attached file: 3.Function Business Process.txt

4) Function Actions: The list of T-codes in each function is presented in this file.

5) Function Permissions: The list of auth. objects in each function is presented in this file.

6) Rule Set: The rule set name is downloaded here in both languages, English and German.
Attached file: 6.Rule Set.txt

7) Risk: A report of each Risk ID with its combination of Function ID1 and Function ID2 and its Business Process is generated.
Attached file: 7.Risk.txt

8) Risk Description: Risk IDs with their risk descriptions in 2 languages, English and German, are downloaded.
Attached file: 8.Risk Description.txt

9) Risk Rule Set Relationship: Risk IDs with the rule set name are downloaded. This shows which risk ID belongs to
which rule set.
Attached file: 9.Risk Rule Set Relationship.txt
T-Code
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
SoD Rules
Download SoD Rules
Give the backend server, i.e. the connector created in the 1st step
Give the destination path with a file name against each report to be downloaded.


Execute
Find the 9 files downloaded in the destination given above.
The downloaded files can be opened with WordPad. Observe that the reports do not contain any
headings. For a detailed explanation of each report refer to the information above and to the
sample files attached at each level.

Please find our analysis of the Global rule set in the attached file:
Attached file: RULESET_ANALYSIS.xlsx

Step: 029 > Uploading SoD Rules

Information After downloading the existing SoD rules from the GRC system we can make the required
changes in the downloaded 9 files and upload them again here by providing the path
to each file. We can overwrite the existing SoD rules in GRC or add the uploaded rules to the
existing ones.
As per best business practice we suggest always to Add/Append instead of
Overwrite.

T-Code

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
SoD Rules
Upload SoD Rules
As the way we followed in download SoD rules,


We give the backend server, i.e. the connector created in the 1st step.
Give the source of each file prepared for upload in all 9 fields. Upload the changed documents as required.
"Append": adds the uploaded rules to the existing rules in the SAP GRC suite.
"Overwrite": erases the existing rules in the SAP GRC suite and keeps only the uploaded rules.
Execute

_____________________________________________________________________________________

Step: 030 > ARA: Run User Risk Analysis


Information Here we see how to generate a risk analysis for a user at the basic level.
We provide the inputs on the screen at the NWBC path mentioned below and find the
different report options and formats below.

T-Code

Path NWBC > SAP_GRC_NWBC > Access Management > Access Risk Analysis > User Level
Provide the input on the screen:
System : Give the connector created in the 1st step
User : Give the user name using the search help
+ : Use '+' after User to run for one more user
User Group : Give the group if you want to run for a user group (here do not select; use '-')
+ : Use '+' after User Group to run for one more user group
Risk Level : Select the sensitivity of the risk we want to run for; select All
Rule Set : Select the rule set from the drop-down
+ : Use '+' after Rule Set to give one more rule set
User Type : Give Dialog or any other user type as required from the drop-down
Report Options : At the initial stage select 'Action Level' and 'Permission Level'
Run : Select 'Run in Foreground'
We can save this as a variant and select it whenever we want to run with the same values


The report gets generated and the options usable at the basic report level are:
Expand the top header 'Analysis Criteria' to find the options selected above
We can change the report from Action (T-code) level to Permission (Auth. Obj.) level
We can change the report format to Summary, Detail, Management Summary or Executive Summary

Option 1) Action Level Report & Summary Format:


Option 2) Action Level Report & Detail Format: Function ID and Role/Profile are provided

Option 2) Permission Level Report & Detail Format: Auth. Obj., its extension and values are also provided here

Option 3) Management Summary is a very simple top-level report with hyperlinks to the detail level:


Option 3) Executive Summary is a very simple top-level report with hyperlinks to the detail level:
This is generally used by executives who work on maintenance to find the risk IDs with the list of conflicts:
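The rule generation described earlier (one action rule per T-code pair between the two functions of a risk, 1 x 2 = 2 rules) and the action-level user risk analysis of Step 030 in Summary and Detail format, as an added example that is not part of this configuration document. It assumes the downloaded Function Actions and Risk files are tab-separated with no header row (the column order is an assumption), and all function, risk, user and role values are constructed samples:

```python
from itertools import product
from typing import Dict, List, Set, Tuple

# Constructed sample of the "4.Function Actions" download: <function ID>\t<T-code>
FUNCTION_ACTIONS_TXT = """\
USR01\tPFCG
USR02\tSCC1
USR02\tSU01
"""

# Constructed sample of the "7.Risk" download:
# <risk ID>\t<function ID 1>\t<function ID 2>\t<business process>
RISK_TXT = """\
B001\tUSR01\tUSR02\tBS00
"""

# Constructed user -> role -> T-codes data standing in for the backend authorization data
USER_ROLES: Dict[str, Dict[str, Set[str]]] = {
    "JDOE": {"Z_ROLE_ADMIN": {"PFCG", "SU01"}, "Z_CLIENT_COPY": {"SCC1"}},
    "ASMITH": {"Z_USER_DISPLAY": {"SU01"}},  # holds only one side of the rules
}

Rule = Tuple[str, str, str]  # (rule ID, T-code of function 1, T-code of function 2)


def parse_function_actions(text: str) -> Dict[str, List[str]]:
    """Group the T-codes of the Function Actions file by function ID."""
    actions: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip():
            fn_id, tcode = line.split("\t")[:2]
            actions.setdefault(fn_id, []).append(tcode)
    return actions


def parse_risks(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map risk ID -> (function ID 1, function ID 2, business process)."""
    risks: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        if line.strip():
            risk_id, fn1, fn2, bp = line.split("\t")[:4]
            risks[risk_id] = (fn1, fn2, bp)
    return risks


def generate_action_rules(risks: Dict[str, Tuple[str, str, str]],
                          actions: Dict[str, List[str]]) -> Dict[str, List[Rule]]:
    """Action rules are the cross product of the two functions' T-codes, so a
    1-T-code function against a 2-T-code function yields 1 x 2 = 2 rules."""
    rules: Dict[str, List[Rule]] = {}
    for risk_id, (fn1, fn2, _bp) in risks.items():
        pairs = product(actions.get(fn1, []), actions.get(fn2, []))
        rules[risk_id] = [(f"{n:04d}", a, b) for n, (a, b) in enumerate(pairs, start=1)]
    return rules


def _roles_granting(roles: Dict[str, Set[str]], tcode: str) -> List[str]:
    return sorted(role for role, tcodes in roles.items() if tcode in tcodes)


def user_analysis_detail(user: str, rules: Dict[str, List[Rule]]) -> List[dict]:
    """Action-level report, Detail format: every rule whose two T-codes the user
    holds, with the role(s) granting each side. Holding one side only is no conflict."""
    roles = USER_ROLES.get(user, {})
    held: Set[str] = set().union(*roles.values()) if roles else set()
    hits = []
    for risk_id, risk_rules in rules.items():
        for rule_id, t1, t2 in risk_rules:
            if t1 in held and t2 in held:
                hits.append({"user": user, "risk": risk_id, "rule": rule_id,
                             "action_1": t1, "via_1": _roles_granting(roles, t1),
                             "action_2": t2, "via_2": _roles_granting(roles, t2)})
    return hits


def user_analysis_summary(user: str, rules: Dict[str, List[Rule]]) -> List[str]:
    """Action-level report, Summary format: only the risk IDs the user violates."""
    return sorted({h["risk"] for h in user_analysis_detail(user, rules)})


if __name__ == "__main__":
    rules = generate_action_rules(parse_risks(RISK_TXT),
                                  parse_function_actions(FUNCTION_ACTIONS_TXT))
    for risk_id, risk_rules in rules.items():
        print(risk_id, risk_rules)
    for user in USER_ROLES:
        print(user, user_analysis_summary(user, rules), user_analysis_detail(user, rules))
```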

_____________________________________________________________________________________

Step: 031 > ARA: Batch Risk Analysis

Information Batch risk analysis is a risk analysis run over a larger number of Users, Roles,
Profiles and HR Objects. It can be scheduled as a background process. Generally
it is used for reports and analysis. It is executed on a daily basis as part
of the MIS on SoD, and runs during non-peak hours.

T-Code
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
Batch Risk Analysis
Execute Batch Risk Analysis
Give the Job Name
Give Server Name
If the analysis is running at daily basis > Run at Incremental mode
If the analysis is running at initial stage > run at Full mode
Give the Rule set to take as source for finding the risks
Under Object Section:
Can give * at User, Role, Profile, & HR Object fields
Tick> Action Level
Tick> Permission/ Critical Action/ Critical Permission Level
Tick> Critical Role/ Profile Level
Execute


Can go to SM37 and check the recent jobs performed.


The other way to find the status of recent background jobs and its report is explained below:
To find out the status of the report as well as to open the background report:
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
Batch Risk Analysis
Monitor Batch Risk Analysis
Provide the Job Name:
Execute

Find the job name displayed with its status:


If it says In Process, wait until it completes
Use the same path and process until the status shows Successfully Completed
Double-click the line item with the Job Name


Find the Package Data displayed


Double Click the displayed line item

Find the below report generated


The list of users that have a risk, with the System. The user name is under the column 'SOD Object':


Step: 032 > ARA: Mitigation Configuration

Information Access is not suggested to be approved when a risk exists for the user based on the roles he has.
In this condition the manager or role owner, whoever approves the access for the user, should
take one of the actions below:
Remediate: Removing the role creating the conflict
Mitigate: The existing risk can be justified and mitigated through a compensating control.
Therefore GRC provides the means to systematize mitigating controls with an ID,
an owner and a controller. These are executed on the Process Control platform.
After finding the risks in ARA for a user, role or profile, the manager can assign a
mitigating control on the same screen by clicking the button 'MITIGATE'.
For this we have to configure the mitigating controls, which is discussed now.
This is shared master data between AC and PC under a common Org Hierarchy.
All the mitigating controls are stored in the same location in the GRC repository, which can be shared between
Risk Management and Process Control.


GRC reduces complexity and increases flexibility by maintaining mitigation for multiple systems as
well as for specific systems.
The new functionality in GRC AC 10 allows:
Assigning a mitigating control to a specific user in a specific system
Assigning a mitigating control to a specific user in multiple systems
e.g. User A mitigated for Risk A in 3 systems and User B mitigated for Risk A in 2 systems
Risk mitigation has now become system specific. Previously, if one Risk ID was mitigated, it was
mitigated for all systems. Now you can specify to mitigate it in one system and not in another.
This is useful in a dynamic scenario where flexible mitigation is possible for each risk based on the
law of the land of different affiliates. This is also possible for other object types such as roles.
Mass Mitigation: Select multiple risks in the risk analysis report and click the Mitigate Risk button to
assign a single mitigating control to all the selected risks. The control already assigned to a risk pops up and can be
changed, or a new control can be created here.
Mitigation can be done at access rule ID level or at system level.
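The system-specific mitigation and mass mitigation described above, applied to a risk analysis result, as an added example that is not part of this configuration document. Users, systems, risk IDs and control IDs are constructed sample values, and the "*" marker for a control that covers all systems is an assumption of this example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_SYSTEMS = "*"  # assumption: marker for a control assigned to the user for all systems


@dataclass(frozen=True)
class Violation:
    """One line of a risk analysis result: a user violates a risk in one backend system."""
    user: str
    risk_id: str
    system: str  # connector of the backend system in which the conflict exists


@dataclass(frozen=True)
class Assignment:
    """A mitigating control assigned to a user for a risk, in one system or in all systems."""
    control_id: str
    user: str
    risk_id: str
    system: str = ALL_SYSTEMS


# Constructed risk analysis output: User A conflicts in 3 systems, User B in 2
VIOLATIONS: List[Violation] = [
    Violation("USER_A", "RISK_A", "ECC_DEV"),
    Violation("USER_A", "RISK_A", "ECC_QAS"),
    Violation("USER_A", "RISK_A", "ECC_PRD"),
    Violation("USER_B", "RISK_A", "ECC_QAS"),
    Violation("USER_B", "RISK_A", "ECC_PRD"),
]

# Constructed assignments: A is mitigated in all systems, B only in the QAS system
ASSIGNMENTS: List[Assignment] = [
    Assignment("MC_A_01", "USER_A", "RISK_A"),
    Assignment("MC_B_00", "USER_B", "RISK_A", "ECC_QAS"),
]


def mitigating_control_for(v: Violation, assignments: List[Assignment]) -> Optional[str]:
    """Control ID that mitigates v: a system-specific assignment wins over an
    all-systems one; None means the conflict is still open in that system."""
    match: Optional[str] = None
    for a in assignments:
        if a.user != v.user or a.risk_id != v.risk_id:
            continue
        if a.system == v.system:
            return a.control_id
        if a.system == ALL_SYSTEMS:
            match = a.control_id
    return match


def open_conflicts(violations: List[Violation],
                   assignments: List[Assignment]) -> List[Violation]:
    """Report lines no control covers: the remaining unmitigated risk."""
    return [v for v in violations if mitigating_control_for(v, assignments) is None]


def mass_mitigate(selected: List[Violation], control_id: str,
                  assignments: List[Assignment]) -> List[Assignment]:
    """Mass mitigation: one control for every selected (user, risk, system) line.
    An existing assignment for the same line is replaced by the chosen control."""
    keys = {(v.user, v.risk_id, v.system) for v in selected}
    kept = [a for a in assignments if (a.user, a.risk_id, a.system) not in keys]
    return kept + [Assignment(control_id, v.user, v.risk_id, v.system) for v in selected]


def coverage(violations: List[Violation],
             assignments: List[Assignment]) -> Dict[Tuple[str, str, str], Optional[str]]:
    """(user, risk, system) -> control ID or None: the per-system view the text describes."""
    return {(v.user, v.risk_id, v.system): mitigating_control_for(v, assignments)
            for v in violations}


if __name__ == "__main__":
    for line, ctrl in coverage(VIOLATIONS, ASSIGNMENTS).items():
        print(line, ctrl or "OPEN")
    updated = mass_mitigate([v for v in VIOLATIONS if v.user == "USER_B"], "MC_B_01", ASSIGNMENTS)
    print("open after mass mitigation:", open_conflicts(VIOLATIONS, updated))
```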
Prerequisites of Mitigating Control Configuration:

1. Create Mitigating Owner through SU01 and assign required roles
2. Create Mitigating Monitor through SU01 and assign required roles
3. Assign the above 2 in Access Control Owners under Access Owners in the Setup tab of NWBC
4. Create Organization Structure Hierarchy
5. Define Mitigating Control ID
6. Activate workflow

The first 3 steps were done in Step 11, where we created all owners, assigned the required roles,
and maintained them in Access Control Owners in NWBC

Create Organizational Hierarchy:

Create Root Organizational Hierarchy:

Information The access control owners maintained in step 12 include mitigating approvers and
mitigating controllers. Now we have to assign them here as mitigating approver and
mitigating monitor while creating the mitigating control ID. Before going ahead with this activity we have
to also assign them in the organization hierarchy, either standard or risk org, not at the root org level but at the child org
level. This will reflect in the Process Control activities.
To find the organizational hierarchy, the HR T-codes PPOSE and PPOME can also be used.
T-Codes

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Shared Master Data Settings
Create Root Organizational Hierarchy
Against Organizational view we get 2 options:
002 – Standard Hierarchy and 003 – Risk Hierarchy
For the purpose of maintaining the mitigating configuration we select
002 – Standard Hierarchy
Against Root Organization Unit and Child Organization Unit
give the names as per the naming convention.
Ensure you validate the From Date as required.
EXECUTE


Find the message below at the bottom of the screen:

Add Mitigating Control Monitor & Approver to the Organizational Hierarchy:

Create Organizational Hierarchy > Risk Hierarchy
Path NWBC > SAP_GRAC_NWBC > Setup > Organizations > Organizations
Select 'Risk Hierarchy' against View
Expand the required Root Org where we have to maintain
Select the Child Org that opens after expanding
Click Open

Go to the Owners tab

Add Owner & SAVE


Create Mitigating Control ID

Path NWBC > SAP_GRAC_NWBC > Setup > Mitigating Controls > Mitigating Controls

Click 'Show Quick Criteria Maintenance' and find the fields in it

Click 'Create'

Fill in the Mitigating Control ID, Name, Description, Process and Notes, and
click Organization:


After the General tab go to the Access Risks tab

Click 'Add Row'
First provide the Risk ID for which we created this mitigating control ID, using the help, and click 'Start Search'


The Rule ID with description is updated. Go to the Owners tab:

Click Add Row: at Name use the help and select the Approver; select Approver as Assignment Type
Click Add Row: at Name use the help and select the Monitor; select Monitor as Assignment Type

_____________________________________________________________________________________

EMERGENCY ACCESS MANAGEMENT:


In GRC 10.0 Centralized Emergency Access is introduced, which we did not have in GRC 5.3.
This feature centralizes firefighting and administration across all systems. A new workflow provides an auditable
process for tracking log report approval.
This reduces the effort required to grant and provision emergency access to multiple systems.

It provides a structured, documented process around emergency access.

Access Control centralizes firefighter access and administration, enhances provisioning and introduces automation
to the log review process.

It unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular security,
transport and archiving.

In GRC 10, from support pack 10 onwards, SAP also provides decentralized firefighting.

SAP Note 1545511 is provided to prevent firefighter IDs from logging in directly to backend systems. This adds an
extra check at logon.


If we do not maintain all integration scenarios for the connector, the system will throw a dump when we try to
log in with a firefighter ID using the GRAC_SPM or GRAC_EAM transaction.
Fix it at Maintain Connection Settings in the common component settings.

In 5.3 a firefighter is created separately for each ERP and the navigation controller is also created in sequence for
each firefighter. In GRC 10 we have a centralized emergency access solution. Here all the ERPs are connected to
the GRC system and all the participants are created in it, so a single GRC system is sufficient for all the backend
ERPs.
Participants in EAM are:

- Firefighter: User requesting emergency access, who executes transactions through FFID access
- Firefighter ID: User ID with elevated privileges. It can only be accessed in the GRC server using transaction
GRAC_SPM or GRAC_EAM
- Firefighting: The act of using a firefighter ID; the execution activity that takes place through the firefighter ID
- Owner: User responsible for the firefighter ID and the assignment of controllers and firefighters
- Controller: Reviews and, if necessary, approves the log files generated by a firefighter
- Reason Code:
- Reporting:

2 types of firefighter application exist in GRC 10:

ID Based firefighter: The firefighter ID created in the remote system is mapped to the user in the GRC
system either manually or via an access request. The firefighter accesses the assigned FFID in the GRC server using the
SAP GUI and transaction GRAC_SPM. The firefighter IDs of all remote systems assigned to the firefighter are
accessed from this transaction. This is possible in centralized EAM, not in decentralized EAM.


Role based firefighter: The firefighter role created in the remote system is assigned to the user in the GRC
server. The firefighter logs in directly to the remote system with their own user ID and performs the activities
provided in the user's own roles and the firefighter role assigned to the user.

We have to configure the type of EAM in the AC parameters at IMG - Maintain Configuration Settings under AC. The
parameter group is EAM and the parameter ID is 4000. The value is either ID or Role.

Only one application type can be configured at a given time.

It is recommended to use the ID based firefighter application; so far no clients have been found using the role based
firefighter.

Architecture:
The main application runs in the GRC server. It is possible to maintain the user assignments for all systems using
NWBC or the portal.
Provisioning of emergency access can also be done via access requests (workflow).
The web interface facilitates the following:
Firefighter ID/FF Role Owner maintenance
Firefighter ID/FF Role Controller maintenance
Reason Code maintenance (system specific)
Firefighter ID/FF Role assignment to Firefighter, Owner, Controller

Firefighter access is done centrally using the GRC server. Firefighters log on to the GUI backend and execute
transaction GRAC_SPM. The firefighter IDs for emergency access in all systems assigned to the user are displayed.


EMERGENCY ACCESS MANAGEMENT

Providing extra access outside their role in a controlled, auditable environment
ID based Application Type

MAINTENANCE

@ BACK END SERVER
FFID Service User - maintained for each Business Process
Roles to be maintained for the Service User FFID are:
Mandatory Role - SAP_GRAC_SPM_FFID (maintained @ Parameter ID 4010)
Functional Roles - All roles of the Business Process with *

@ GRC SERVER
Maintain Access Owners & Reason Codes
Create FFID Owner and assign GRC predefined roles
Create FFID Monitor and assign GRC predefined roles
Create Reason Code connecting the backend server @ BUKRS
Maintain FFID Owner & Monitor @ Access Owners

ASSIGNMENT & USAGE

FFID Owner:
Assigns FFID to End User (Firefighter)
Assigns FFID Controller for each Firefighter

Firefighter:
Executes T-Code GRAC_SPM/ GRAC_EAM @ Backend (gets immediately routed to GRC Server)
Selects Reason Code
Provides the requirement of the usage
T-Codes required to be used are declared
Document can be attached if any
Click Logon & will be taken to Backend for usage of FFID

Step: 033 > Prerequisite-Maintain Connection Setting

Information Refer to Common Configuration. Select integration scenario SUPMG and then select the target connector
in which the integration scenario SUPMG needs to be activated.
At the scenario connector link, after selecting the target connector, press Enter and find the
connection type and description updated automatically, as they were assigned to the target
connector at step 7, Maintain Connector to Connection Type.

Step: 034 > Prerequisite-Maintain Configuration Settings

Information Refer to Step 10 of Common Configuration. Setting Parameters: select Parameter group 6,
"Emergency Access Management", which contains 14 Parameter IDs with different values in each ID.
ID: 4000 – As discussed in the introduction above, select the EAM type. Recommended: ID type
ID: 4001 – The default validity in days of each FFID assignment to a user is mentioned here; it is a default, not a maximum
ID: 4002 – On assigning the FFID an e-mail is issued immediately if YES is selected here
ID: 4003 – The change log made to the FFID can be retrieved if YES is selected here
ID: 4004 – The system log made by the firefighter can be retrieved if YES is selected here
ID: 4005 – The audit log can be retrieved if YES is selected here
ID: 4006 – The OS command log can be retrieved if YES is selected here
ID: 4007 – If the log report is executed, a notification is sent immediately if YES is selected here
ID: 4008 – When a firefighter logs in, a notification is sent immediately if YES is selected here
ID: 4009 – A log report execution notification is sent if YES is selected here
ID: 4010 – The role mentioned here is the mandatory role to be assigned to the FFID in the backend;
SAP provides the predefined role SAP_GRAC_SPM_FFID
ID: 4012 – The audit log is forwarded in the workflow either to any user or only to the controller
ID: 4013 – If required, the FFID owner can request access to his own FFID as a firefighter
ID: 4014 – If required, the FFID controller can request access to the FFID he controls as a firefighter

Step: 035 > Prerequisite: Create Users and Roles & Maintain in Access Control Owners

Information Refer to Step 12 of Common Configuration for creating and maintaining the below:

- Create an end user to act as the firefighter who gets mapped to the FFID
- Create the FFID in the backend system as a service user
- Create the FFID owner in the GRC system
- Create the FFID controller in the GRC system

Refer to the access owners information to assign the required roles to the above.

The FFID Owner and Controller created above are to be maintained in the Access Control Owners list.

The FFID in the backend should be assigned the roles below:

Mandatory Role: SAP_GRAC_SPM_FFID; the same is to be mentioned in parameter ID 4010
Functional Role: We also need to assign additional or wide roles to the FFID in the backend system. The SAP_ALL
profile is not required. As FFIDs are created per business process, for each business process we can
create a single business role that is assigned to the FFID. This business role works like a composite role carrying all
the roles in it.

Create FFID Owner 01>


Create FFID Controller 01>

Create FFID in Backend server>


Create End User for Firefighter >


Maintaining the above as Access Control Owners:

Synchronize first (Repository Sync) to get the FFID participants created above into NWBC.
Information The FFID Owner and Controller are maintained in Access Control Owners under Access Owners. The
same is explained in Step 12 of Common Configuration.
Path NWBC > SAP_GRAC_NWBC > Setup > Access Owners > Access Control Owners
Click Create, give the FFID owner name and tick FFID Owner; repeat for the controller


Step: 036 > Assign Owner to FFID

Information :

Path NWBC > SAP_GRAC_NWBC > Setup > Super User Assignment > Owners

Click 'Assign'

A new screen opens; use the help at 'Owner ID', select the owner and click OK


The screen below is generated; click 'Add'

Provide the FFID by selecting from the help option, select it using the arrow and click OK

Provide comments; the screen resembles the one below. Click 'SAVE'; the owner is now assigned to the FFID

Step: 037 > Assign FFID to Controller and firefighters


Information The firefighter ID is assigned to a firefighter who can perform the activities in the backend
system. Multiple firefighters can be assigned to a single firefighter ID, but only one firefighter can log in at a time.
Controllers are also assigned to the FFID for tracking and auditing the firefighter.

Path NWBC > SAP_GRAC_NWBC > Setup > Super User Assignment > Firefighter IDs

Click the Assign button; the Firefighter ID assignment window opens

Use the help at the Firefighter ID field; a new window opens with the list of available FFIDs
Select the required FFID from that window and click OK
The field is filled with the FFID and the system is also filled automatically

Then go to the Firefighter tab and click Add

Use the help under Firefighter User ID
Select the end user from the list of users eligible to be the firefighter as per the roles assigned to them
Then click OK

The screen fills in as below; provide comments.

Observe the default valid days: from the current date to 30 days, which we provided in parameter group EAM,
ID 4001, as the 30-day default (not a maximum). It can be increased here if required.


Now maintain the controller through the Controller tab:

Click ADD
Use the help and update the Controller ID
Select the concerned controller and click OK
The controller name updates automatically
At Notification we find the options E-Mail, Workflow or Log Display; select one
This was maintained at parameter group EAM, ID 4008, to send the notification
Provide comments
SAVE

The final screen resembles the one below:

Step: 038 > Create a Reason Code

Information A company will always run on policy that is as objective as possible. Here the company can restrict
the usage of emergency access to particular reasons only.
Example: A company can have a business continuity plan, and as part of the action
points in it they can make a policy to maintain the roles of an old employee in the department, which are assigned to the
new user in the 1st month, to complete the month-end process smoothly. This reason code is created and the
firefighter can select this reason while using the FFID.

Path NWBC > SAP_GRAC_NWBC > Setup > Super User Maintenance > Reason Codes

Click CREATE; a new window opens
Give the Reason code as per the naming convention


Status should be ACTIVE
Under System click ADD
Select the system using the help
The other fields in the table with description get updated automatically
Give the description and SAVE

Step: 039 > Firefighter log Synchronization

Information We need to schedule the firefighter log synchronization job as per the client requirement.
It is recommended to run it every 15 minutes.

The same can be run through T-code GRAC_SPM_LOG_SYNC

or through the program GRAC_SPM_LOG_SYNC_UPDATE

More details about synchronization can be found at Step 13 of Common Configuration

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Synchronization
Firefighter Log Synch
Provide Connector as *
Execute


Step: 040 > Working of FFID execution by firefighter

Information Log in through the Firefighter ID

Execute the T-code GRAC_SPM

Find the User ID, system etc.

Click 'Logon'; a new window opens. Give the reason code from the drop-down,
give the description of the requirement for the FFID,
enter the list of actions proposed to be performed and click TICK


Observe the screen displayed, starting at SAP Easy Access:

_____________________________________________________________________________________

Step: 041 > FFID Reports Execution

Information The reports available for Emergency Access Management are discussed below:
Consolidated Log Report: This report provides the information from the different logs:
Transaction Log: Captures transaction execution from transaction STAD.
STAD is a transaction code that allows checking the activities of users. It calculates the
resource usage of individual transactions for ABAP systems and provides a detailed analysis
of a transaction and its dialog steps. The selection criteria include user,
transaction, program, task type, start date and start time.
The statistical record contains detailed information about:
proportions of response time, database accesses, memory usage and RFC calls

Path NWBC > SAP_GRAC_NWBC > Reports & Analytics > Emergency Access Management Reports


SoD Conflict Report for FFIDs Results:

_____________________________________________________________________________________

ACCESS REQUEST MANAGEMENT:


Here we see the configuration of Access Request Management, where a business user raises a request to provide
access or to create a user. Through the workflow the manager approves, and while approving the manager can run the
risk analysis at simulation level including the proposed access. Later the role owner and security approve, then the role or
user auto-provisioning is done.
The MSMP workflow comes with SAP predefined process IDs.
GRC provides 10 process IDs to maintain workflows for different purposes. Each process ID has its own single
action included in it. But the process ID Access_Request, which is delivered for the purpose of user administration,
includes 13 actions. Each action is also called a request type. We can activate the required request types and maintain
them in different paths with their stages under this process ID.
Information Access Control Compliant User Provisioning functionalities:
Initiator : Will be at Stage 1
Standard Path : Stage 2 to Stage N
Provisioning : Optional


In a detour path the standard path starts from Stage 1 and provisioning is again optional

Stage: A stage represents a step or one action item in the process flow

Path: A path defines the sequence of stages that need to be executed

Initiator: The initiator selects the path based on the condition defined in it

Detour Path: This path is executed based upon a condition in a stage of the standard path. A detour path does
not have an initiator

Differences in terminology between versions 5.1/2/3 and 10.0 of SAP BO:

Initiator > Initiator Rule
CAD (Custom Approver Determinator) > Agent Rule
Detour > Routing Rule
Path > Path

1 process ID can have multiple request types:

Access Request: Create Request, Change Request etc.
Function Approval: Update Function, Delete Function etc.

One initiator rule is able to trigger multiple paths based on the rule result value

Different process IDs are available for multiple workflows with different request types

For each request type we can select a process ID with different paths, and as per the initiator rule the path is
decided.

SAP provides standard process IDs. But when 2 different stage patterns are required for 2 different paths we can
customize accordingly. We can select any provided process ID or copy an existing process ID and
customize it. But we cannot create a new process ID.
Create owners on the GRC server who will be part of the approval group:

- Manager to approve at the 1st stage for New & Change User, and the only stage for Lock & Unlock User

- Role Owner to approve at the 2nd stage for New & Change User. Maintain in Access Owners & Role Owners

- Security to approve at the 3rd stage for New & Change User. Maintain in Access Owners

The above users are to be assigned the below standard roles. (Use all roles if you copy the users)
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_ROLE_MGMT_DESIGNER
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
SAP_GRC_FN_ALL
SAP_GRC_FN_BASE

Example to create owner:


BS_GRACMGR01


BS_GRRLOWN01 > Assign in Access Owners as Role Owner in Access Control Owners, and in Role Owners as Role Approver
& Role Content Owner
BS_GRACSEC01 > Assign in Access Owners as Security

Step: 042 > Maintain Connection Settings

Information: Refer to Common Configuration. Select the integration scenario PROV and then select the target connector
in which the integration scenario PROV needs to be activated.
At the scenario connector link, after selecting the target connector, press Enter and check that the connection type &
description are updated automatically, as they are already assigned to the target connector in Maintain Connector to
Connection Type.


Step: 043 > Maintain Configuration Settings

Information: Refer to Step 10 of Common Configuration. Setting Parameters - Select Parameter Groups:
PG5-Workflow: Contains 20 parameter IDs with different values in each ID.
PG9-Risk Analysis Access Request: Contains 3 parameter IDs with values in each ID.
Ensure all the required process IDs are activated after activating them in Define Request Type.
Parameter Group 5 Workflow, ID 1064 Function Maintenance: Set the value YES to activate the workflow for
maintaining function IDs etc.

Step: 044 > Configure Number Ranges & Activate

Create Number Ranges:

Information: To provide request numbers for access requests, mitigation requests etc. we need to maintain a
number range. This number range is used by the workflow to provide a request number when we submit a
request.


T-Code SNRO
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Maintain Number Range intervals for Provisioning Requests

Select the object using the help: for workflow, GRACREQNO

Click the Number Range button & Click Change Intervals.
Click Interval & fill in the details in the new window & press Enter
Then SAVE

Activate Number Range:

Information

T-Code
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control


User Provisioning
Define Number Ranges for Provisioning Requests
Click New Entries
Give the ID of the number range created & SAVE
Press the 'Activate' radio button & SAVE

Step: 045 > Prerequisite: Maintain Provisioning Settings

Information: Here we configure the values to be considered in Access Request Management while
provisioning. Auto provisioning is done based on the values we provide here.
Example: A user can raise a request for access to a new role; if the user does not exist in the respective backend, the
user is automatically created, the respective role assigned, and the initial password forwarded to him after due approval
takes place.

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Maintain Provisioning Settings
Select Maintain Global Provisioning at Dialog Structure

Select
Role Provisioning Type: Direct
Direct – If we are not using HR structural authorizations
Indirect – If we are using HR structural authorizations
Under Indirect →
Job
Position
Organization Type


Combined – If we are using both direct and indirect role assignments

Auto Provisioning: Auto Provisioning at the End of the Path is recommended

Create User if does not exist: Tick both Change User Action & Assign Role Action

Account Validation Check: Maintain Warning, not Error

Role Assignment: TICK Provisioning effective immediately

Old Role Delimit Duration: Used with HR structural authorizations, where a person changes position within the
organization; it defines after how many YEARS | MONTHS | DAYS the old role is deactivated

Password expiry: in Days, Accesses or None; maintain the value in the next field

Deactivate Password checkbox: activate it if we are using Single Sign On

Email Status – Send Password: if YES, maintain the period in seconds for which the password is visible.

Step: 046 > Maintenance of Define Request Types – MSMP Process IDs

Information: We have to configure the workflow; predefined workflows are provided by SAP GRC, from
which we use the suitable one.
Before going ahead with configuring the Multi Source Multi Path (MSMP) workflow, we have to ensure that all the
workflow-related BC sets are activated.
Workflow-related BC sets are 3 in number and are named GRC_MSMP_XXXX.
Please refer to Activating BC Sets in Common Configuration.
With regard to access requests, SAP GRC provides us a workflow process ID SAP_GRAC_ACCESS_REQUEST for
different activities, from which we activate the required activities.
The total process IDs provided by SAP GRC are:

SN | MSMP Process ID               | Description
1  | SAP_GRAC_ACCESS_REQUEST       | Access Request Approval Workflow
2  | SAP_GRAC_ACCESS_REQUEST_HR    | Access Request Approval for HR OM Objects Workflow
3  | SAP_GRAC_CONTROL_ASGN         | Control Assignment Approval Workflow
4  | SAP_GRAC_CONTROL_MAINT        | Mitigation Control Maintenance Workflow
5  | SAP_GRAC_FIREFIGHT_LOG_REPORT | Fire Fighter Log Report Review Workflow
6  | SAP_GRAC_FUNC_APPR            | Function Approval Workflow
7  | SAP_GRAC_RISK_APPR            | Risk Approval Workflow
8  | SAP_GRAC_ROLE_APPR            | Role Approval Workflow
9  | SAP_GRAC_SOD_RISK_REVIEW      | SOD Risk Review Workflow
10 | SAP_GRAC_USER_ACCESS_REVIEW   | User Access Review Workflow

The standard actions provided under the Access_Request process ID are given below:

Create User
Change User
Delete User
Lock User
Unlock User
Assign Object
Super User Access
Create & Lock User
Change & Lock User
Change & Unlock User
User Defaults
Retain
Remove

Here we select the required process ID and the actions we want to activate under it.
There are 10 process IDs with certain actions in the MSMP processes given by SAP GRC.
Eg. SAP provides 13 actions which can be maintained in the Access_Request process ID, and we activate the required ones.
The other process IDs are each mapped to the single action present in them.

We can also customize the workflow by creating more paths in Access_Request using BRF+.
List out the actions required to be activated under each ID.

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Define Request Type


Step: 047 > Maintain MSMP Workflow

Information: If you would like to set up auto confirmation when the workflow has just one stage, you can do
so by setting the escalation time. Set the parameter to 'Escalate to specific agent' and assign an
appropriate agent. For example: you have set the escalation time to 30 minutes and entered
GRAC_SECURITY as the escalation agent, and there is just one stage in the workflow, GRAC_MANAGER. If the
manager does not approve within 30 minutes, the request goes to the security stage automatically. If the security
team approves, the request is completed.
If you have more than one stage in the workflow, you can set an appropriate escalation time and the
parameter 'Skip to next stage'. In this case, if the request is not approved on time, it goes to the next stage in the
workflow process.
Enable escalation as per business requirement and client agreement.

Notification Settings:
Information: We can send notifications or emails on the occurrence of events; the settings define
when a notification is sent, which template is sent as the notification and to whom it is sent.

Click 'Add'
Select the notification using the help from the options:

- End of Request: Notification is sent after the approval & request process is completed. Select this
- Request Submission: Notification is sent at the time the request is raised

Choose the template ID using the help: the default one is suggested, i.e. GRAC_AR_APPROVED

Choose the recipients ID using the help: the default one is suggested, i.e. GRAC_CURRENT_APPROVERS

Escape Conditions:
In case auto provisioning did not happen because no approver was found or because of an issue at the back end, the
information with the status of the request has to be passed on.
For this purpose we have to maintain the users to escalate to.
Tick 'Set Escape Routing' for both 'Approver not found' & 'Auto Provisioning failure'
Provide the path at 'Escape Path' to which the escalation is to be routed.
Select: GRAC_DEFAULT_PATH

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
EXECUTE Maintain MSMP Workflow

A window will open to configure the MSMP workflow:

We have to maintain the configuration in all 7 steps:


Process Global Settings:

Select the required Process ID 'SAP_GRAC_ACCESS_REQUEST' & Click 'Display/ Change'

Maintain Process Global Settings:

Escalation:

Click 'NEXT'

Maintain Rules: Maintain Rules includes a list of all available rules that can be used when configuring a workflow. If a
new rule is created, it must be added here. Here we also configure the default initiator. The default is GRAC_AR_INITIATOR.


Rule Kinds:
1. Initiator Rule: Determines the path upon submission of the request.
2. Agent Rule: Determines the recipients or approvers of a stage.
3. Routing Rule: Determines a detour routing based upon an attribute of the request (eg. SoD violation exists,
training verification, no role owner etc.).
4. Notification Variable Rule: Determines the variable values used at run time in the notification e-mails.

Rule Types:
1. BRF+ Rule: This rule is defined in the BRF+ application to fetch rule results depending on conditions inside
the rule.
2. Function Module based Rule: A function module is coded to output the rule results.
3. ABAP Class based Rule: An ABAP class is coded to output the rule results.
4. BRF+ Flat Rule (Line Item by Line Item): A BRF+ rule which is defined for only one line item; the rule is
called once for each line item in the request. Also referred to as BRF+ easy. Eg. some default roles do not
require approval; this rule can be used there.

If we create a rule ID through Generate MSMP Rules for Processes, it can be added here.
We will do BRF+ later and therefore proceed with the default rule ID for now. Just Click 'NEXT'
Suggested only to observe the green circles & maintain the red circle in the below screenshot:

Maintain Agents:
There are default Agent IDs available which are not permitted to be modified. If the default agent GRAC_MANAGER
is maintained, then manual manager maintenance for each assignment is enabled on the access request raising
screen in the User Details tab.
If the default agent GRAC_ROLEOWNER is used, then the role assignment owner maintained in the role definition
phase of the role methodology becomes the approver.
If the default agent GRAC_SECURITY is used, then the access owners under Security Lead are the approvers.
Two purposes of agents exist:
Notification & Approval

Four agent types are present:

Direct Mapped Users: Agents are maintained here only under an approval group, which can be used in any stage
PFCG Roles: If we maintain a role here, whoever is assigned this role becomes an agent
User Group: If we maintain a user group here, whoever is part of this group becomes an agent
API Rules: If an agent rule is created and maintained in BRF+, the rule ID is to be maintained here.


Let us create the agents as below:

Fill the Agent ID starting with Z

Provide the Agent Name and the purpose, either Approval or Acknowledgement.
Agents are of 4 types:
Directly Mapped Users: A group of users created within the workflow configuration
PFCG Roles: All users who have the specified PFCG role assignments
PFCG User Group: All users who are part of the specified PFCG user group
GRC API Rules: All users returned by the rule configured in the previous activity

Then Approver Group ID appears: select the help to create as well as maintain it

Click ADD to create a new Approver Group ID & to maintain the user list in it:


A new window opens to create a new Approver Group ID & to maintain the user list in it & SAVE

Now, after maintaining the users in the Approver Group ID, select it; don't click ADD again, as that takes you to create a
new Approver Group ID:

SAVE it now

In the same way create new approver group IDs for the role owner as ZGRAC_ROLEOWNER & ZSECURITY. Maintain the users
created in step 30

Variables & Templates:

All templates for e-mail notifications are maintained here. The templates are created using transaction code SE61.


Notifications can be sent at different events such as:

Approval, Request Submission, Rejection, Request Closure, Escalation, Reminder etc.

Keep the default template & Click 'NEXT'

Maintain Paths:
The path is selected & the stages in the path are maintained here.
Creation of paths is done in BRF+. The stages can be maintained under each path.
In each stage we maintain the agent ID to whom the approval request is to be forwarded.
To change the stages, select the Path ID, go to the stage & Click 'Modify Task Settings' under 'Maintain Stages'

The stage settings open; try to explore all the options & understand the functionality:
1st, find the Stage Configuration:


Agent ID: The agent ID can be modified; select the agent ID created for this stage.
For the GRAC_MANAGER stage maintain the agent ID: ZGRAC_MANAGER
For the GRAC_ROLEOWNER stage maintain the agent ID: ZGRAC_ROLEMANAGER
For the SECURITY stage maintain the agent ID: ZSECURITY


Approval Type:
Any one approver is OK, or all should approve > Suggest selecting 'Any One Approver'.
We have the agents in a group to avoid delays in the approval process in case of vacation etc.

Escalation Type:
In case of escalation, it is done either to a specified agent as maintained, or by skipping to the next stage, or no
escalation is done.
Suggest No Escalation, as we have not maintained Escalation in Process Global Settings on the 1st screen.


Confirm Rejection: If rejected, confirm to the user – Suggested to Select

Approve Despite Risk: Approve even if a risk exists – Suggest not to Select
Request Rejected: Option to reject the request – Suggest to Select
Confirm Approval: After approval, confirm to the user – Suggest to Select
Forward Allowed: Forwarding is possible if required before approval – Suggest to Select

Risk Analysis Mandatory: While approving a role for a user, or creating a user with roles, a risk analysis is
required to run & therefore we say YES.
But the Process ID contains more activities, and if the Lock or Unlock activity is also included in the
Process ID then risk analysis is not required for it. Therefore it is suggested to select YAC: Yes when Access Change. NO
is not suggested.


Approval Level: The approval level is required at

REQUEST: User Request
ROLE: Maintaining the Role
SYSTEM AND ROLE: Role Request and access to the System (Backend System Request)

Rejection Level: The rejection level is required at

REQUEST: User Request
ROLE: Maintaining the Role
SYSTEM AND ROLE: Role Request and access to the System (Backend System Request)

Comments Mandatory: Whether comments are mandatory at the time of approval or rejection is
set here. It is suggested that comments are mandatory for both, because the role owner will review
the access at regular frequency and can judge the requirement based on the comments. They are also
needed to find the reasons at the time of approval & to know why a request was rejected.


And 'SAVE'
Click 'NEXT' to move to Maintain Route Mapping

Maintain Route Mapping:

Suggested no changes are required here & Click 'NEXT'

Generate Versions:
Click 'SAVE'
Select the Transport Request:

Select the required transport request available and Click OK.

Also Click OK at the 'MSMP Workflow Configuration' window


Find the message text & Click 'ACTIVATE'

Now find a lot of message text created confirming the activation:

Find the 1st row saying that:
Serial Number 000001 was generated & new records were created for Process ID SAP_GRAC_ACCESS_REQUEST


Step: 048 > Find the working of ARM Configuration

Information
Path: NWBC → SAP_GRAC_NWBC → Access Management → Access Request → Access Request Creator


Find the below screen gets opened:

Request Type: The below are the requests available to choose from & Suggested to choose New Account

Request For: Self, Other or Multiple – Suggested Self or Multiple.

Find that the User Name field changes based on the selection.
If we select 'Self' then the User Name is frozen.
If we select 'Other' then the User Name becomes blank and is available to choose through the help.
If we select 'Multiple' the User Name field disappears and the main screen below changes, enabling us to
select users in bulk.
All the 3 cases are shown in the below screenshot.
Suggested to select 'Self'


Select 'System' at the main screen for the request:

Select the required system in the list & Click OK

The screen looks like below & Click 'Submit'


Now select 'Other' at Request For:

The help at the User field will be as below; provide the necessary details of the new user & Click OK

Select Business Process & Functional Area if maintained by us at Step 5 of Post Installation:

Go to the main screen & Click 'ADD'. Find the options 'ROLE' & 'SYSTEM'
Select 'ROLE'
Find the below screen gets opened & maintain the info as required:


At System we have more options: select User help & select a System with Application
Click OK

At Role Type we have the option to choose from the below – choose 'Single Role':
Business Role
Composite Role
CUA Composite Role
Derived Role
Group
PD Profile
Profile
Single Role
Template


At Role/ Profile Name provide the existing role name proposed to be assigned:

Click 'Search'

Find the function as explained below:

After raising the request:
Go to NWBC → SAP_GRAC_NWBC → Access Management → Access Request → Access Request Creation – explained
above

Find the status at the same path & select 'Request Status' under 'Access Request'

Find at which stage the request is pending.

Login with the user ID where the request is pending for approval.
Go to NWBC → SAP_GRAC_NWBC → MY HOME → Work Inbox → Work Inbox → Approve by clicking SUBMIT

Login to the requester user ID & find the status where it is pending through 'Request Status'

Login with the user ID where the request is pending for approval at the 2nd stage.

Proceed till the end of all stages & find the provisioning happened as requested.

BRF+: Business Rule Framework

With new features like BRF+ we can have Function Maintenance workflow, Risk Maintenance workflow, Role
Maintenance workflow, Mitigation Control Maintenance & Assignment Approval workflow.

On executing the T-Code BRF+, its application opens. Earlier we used to maintain the rules through ABAP code.
The BRF+ workbench is a user interface that enables users to define, test, and maintain rules for various business
scenarios without the need for ABAP code.
Rules can be created for initiators, agents, and also for routing workflows on specific conditions.


Conditions:
The BRF+ workbench can be opened using the BRF+ T-Code.
We perform 2 main activities related to the BRF+ T-Code.
1) Define workflow-related MSMP rules – This generates the rule before maintaining it. Select the MSMP Process
ID; if it is for access requests then select SAP_GRAC_ACCESS_REQUEST.
We select the initiator rule among the 4 rule kinds.
MSMP BRF+ flat rule (line item by line item):
This rule is called a flat rule or line-item-by-line-item rule because it is called by MSMP multiple times, once for
each line item. So if in an access request you have added 3 roles/systems, then this BRF+ rule will be called 3 times. As
input to this rule, MSMP sends the details of one line item at a time, and the rule provides the result for that one
line item only. A BRF+ flat rule is easy to create as no loop is required and only one decision table (or other
expression) is required for the logic. For example, consider an access request with 3 roles/systems. In this case the
BRF+ flat rule is called 3 times by MSMP with the following input and output:

Input provided by MSMP to the BRF+ flat rule in the first call:

Item Name | System   | Role Type | LINEITEM KEY ...
ROLE1     | SYSTEM 1 | SIN       | 0001

Output given by BRF+ to MSMP in the first call:

Lineitem Key | Rule Result
0001         | RolePath

Input provided by MSMP to the BRF+ flat rule in the second call:

Item Name | System   | Role Type | LINEITEM KEY ...
ROLE2     | SYSTEM 2 | COM       | 0002

Output given by BRF+ to MSMP in the second call:

Lineitem Key | Rule Result
0002         | RolePath

Input provided by MSMP to the BRF+ flat rule in the third call:

Item Name | System   | Role Type | LINEITEM KEY ...
SYSTEM1   | SYSTEM1  |           | 0003

Output given by BRF+ to MSMP in the third call:

Lineitem Key | Rule Result
0003         | SystemPath

So the flat rule is called once for each line item, which makes its creation easier, as no looping is required, unlike
in the case of a BRF+ rule.

2) MSMP BRF+ rule:

In this case, all the line items (roles, systems, FFIDs ...) present in the access request are sent to the BRF+ rule in
the form of a table. After processing, this rule has to return a table with line item key and result. For example, in the
case of an initiator rule the input to the BRF+ rule can be the following table. The roles/systems shown here are the ones
added to the access request.
INPUT sent by MSMP to BRF+:

Item Name | System   | Role Type | LINEITEM KEY ...
ROLE1     | SYSTEM 1 | SIN       | 0001
ROLE2     | SYSTEM 2 | COM       | 0002
SYSTEM 1  | SYSTEM 1 |           | 0003

For the above input, the output of the BRF+ rule will be something like the following:

OUTPUT given by BRF+ to MSMP:

Lineitem Key | Rule Result
0001         | RolePath
0002         | RolePath
0003         | SystemPath

Please note that we have not shown the decision table which contains the logic to determine the path in the case of an
initiator rule. Since the complete request details are sent by MSMP to the BRF+ rule for execution, this rule is called
only once by MSMP. Hence the logic to loop over all the line items has to be implemented within the BRF+ rule.
The decision table or other condition is called within the loop so that it is executed for all the line items one by one.

Key differences between a BRF+ rule and a BRF+ flat rule are summarized below:

BRF+ Flat Rule                                           | BRF+ Rule
1.) Executed multiple times, once for each line item     | 1.) Executed only once
2.) Details of one line item at a time passed to the     | 2.) Complete request details passed to the BRF+ rule by
    rule by MSMP                                         |     MSMP in the form of a table
3.) Output of the flat rule is the result of one line    | 3.) Output of the BRF+ rule is the complete table with all
    item only                                            |     line items
4.) Easy to create as no loop is required                | 4.) More complex than the flat rule as a loop is required
5.) Some business cases are not possible in a flat rule  | 5.) Almost all business cases can be achieved by a BRF+ rule

Step: 049 > Generate MSMP Rules for Processes

Information: Initially we create an ID maintaining the Rule Type & Rule Kind in it. The system
generates a rule ID which we further maintain through BRF+.
Example: SAP_GRAC_ACCESS_REQUEST is the process ID which has the request types Create
User, Change User, Lock User ID, Unlock User ID etc.
We require 3 stages of approval for Create & Change User, including when assigning roles.
But for locking and unlocking a user ID we require only 1 stage of approval.
The request type in the process ID is decided by the request initiator, and therefore we use the
rule kind Initiator Rule.
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
Execute Define Workflow-Related MSMP Rules

Select MSMP Process ID: SAP_GRAC_ACCESS_REQUEST


Select Rule Type BRFplus Flat Rule (LineItem by LineItem)

Select Rule Kind Initiator Rule

Provide the Rule ID as per our naming convention:


Retain all other options as per default > shown below:

And EXECUTE

The technical information in the below screen is displayed after execution >

Note the Rule ID generated at the 11th line and the Rule ID we provided, ZBTSRI
Rule ID = E309564BA9BA9AF19563ECA86B784858


Step: 050 > Define Business Rule Framework - Execute T-Code BRF+

Information: We use the rule ID created by us, with the rule type & rule kind in it, and create 2
paths, assigning 2 request types to the 1st path & the other request types, locking and unlocking user, to the 2nd path.

T-Code BRF+

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
Execute Define Business Rule Framework


Find the name provided by us in the Rule ID column while generating the Rule ID

Check whether the expression is created or not. To find it, right-click on the application > Go to Create > Expression > Click
Decision Table

Provide the Table Name: "ZBTSRI_DECTBL_INITRL" > reflecting rule ID name + Table + rule kind Initiator Rule
Provide the Short Text as "Decision Table"
Provide the Text as "Decision Table for Initiator Rule of ZBTSRI"
Find the Application displayed as ZBTSRI
Click "CREATE AND NAVIGATE TO OBJECT"


Find the below screen appears:

Don't change the default options and ensure the tick is only on "Return an initial value if no match is found"

Under "Condition Columns" > Click Insert Column and select "From Context Data Object"


The objects open and, as per our requirement, we select 'REQTYPE':
Click "SELECT"

Now the screen gets updated with "REQTYPE". Now click "Insert Column from Data Object" under "Result
Columns"


A plain screen is displayed; Click "Search" to find the list of objects available:

After the search select "Line Item Key" & "Rule Result"

Line Item Key is selected because we previously selected the rule type Flat Rule (Line Item by Line Item).
Rule Result is selected to maintain the path here against the request types.

Deselect Mandatory Inputs & Click OK


We go to the decision table screen where the table contents will be blank. Click "Insert New Row"

The contents under the table will be filled with the Request Type, Trigger Value & Line Item columns

Now we assign the path (Line Item) for each Request Type by updating Request Type & Trigger Value:
Update the Request Type by selecting "Direct Value Input"


Find the options to select after clicking Direct Value Input:

Go to the help to select other options at 000

Select 001 > "New Account" & Click "OK"


To add another condition, Click the "Insert Include Condition" icon

Then again go to the Request Value and select Change Account > 002 & Click "OK"

With this we have selected the 2 request types in the decision table created by us & Click "OK"
001 is New Account
002 is Change Account


Now, Maintain Trigger Values:

Click the icon under Trigger Value & select "Direct Value Input"

Here we provide the path name; we provided "ZBTSRI_DT_IR_PATH1", where DT stands for Decision Table & IR for
Initiator Rule & Click "OK"

Now observe the request types updated as 001 New Account & 002 Change Account with Path 1
The Decision Table in the left pane is not yet green
Now Click SAVE & ACTIVATE


After Clicking SAVE it shows "Object(s) saved successfully"; then Click "Activate"

Now after clicking "Activate" we observe the indicator above the Activate button turns green & Inactive turns into Active
Also find the Decision Table in the left pane becomes green

Now we have to create the other request types, Lock & Unlock, with the same path, i.e. the 2nd path.
For this, right-click the Decision Table in the left pane & select Edit

Click Insert New Row and follow the above steps with the selections as given below:


Request Type: 004 – Lock User & 005 – Unlock User

Trigger Value: ZBTSRI_DT_IR_PATH2

Click SAVE & ACTIVATE

Also observe that all the expressions under "Decision Table" turn green

Also the Application we provided, displayed under Function in the left pane, should be green


If we find our application is not green, follow the below steps:

Maximize the Function
Right-click the Application name & Click "Edit"

The below screen is displayed; Click the icon at "Top Expression:"

Select "Select"

The screen below shows the list of decision tables under application ZBTSRI.
Select the decision table we want to activate as the top expression.

Click the "Activate" button.

The function icon in the left pane turns green, and the "Inactive" indicator above the "Activate" button changes to "Active" and turns green.

Step: 051 > Mapping BRF+ Application with MSMP Workflow:

Information The rule ID and the paths created against the request types in the previous two steps are
maintained here. We create an agent ID with an approver group, maintain the approver at each stage and assign
the agent ID to each stage through Modify Task Settings. Finally we generate the version and activate it.
T-Code

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
Execute Maintain MSMP workflows

Maintain the users through an agent ID under Maintain Agents, assign them to the stages through Modify Task
Settings, and then add those stages to each path.
Select the process ID we used in BRF+: SAP_GRAC_ACCESS_REQUEST
Click "Display/Change"
Click "Next" until "Maintain Paths"

At "Maintain Paths"
Click Add and provide the two new paths created by us

Select the second path, i.e. ZBTSRI_DT_IR_PATH2
Click Add at Maintain Stages
Provide the stage information:
Sequence Number: 001
Stage Configuration ID: GRAC_MANAGER
Stage Description: Manager Approval for LOCK – Path2
Save

The stage is added to the stage list on the screen.

Repeat the same for Path1 with three stages: Manager, Role Owner and Security.
Stage configuration IDs:
Manager > GRAC_MANAGER
Role Owner > GRAC_ROLEOWNER
Security > GRAC_SECURITY

Go to Maintain Rules
Click Add
Provide Rule ID: E309564BA9BA9AF19563ECA86B784858 (the function ID generated in BRF+ in the previous step)
Rule Description: Batchsri initiator Rule
Rule Type: BRFplus Flat Rule (Lineitem by Lineitem) – select from the dropdown
Rule Kind: Initiator Rule – select from the dropdown
Save

The rule ID is added to the list.

Select the same line and click Add at Rule Results:


Type the path names given as trigger values manually (the help option does not list them). They must match the
BRF+ trigger values character for character, including case, otherwise the route mapping never matches:
ZBTSRI_DT_IR_PATH1
ZBTSRI_DT_IR_PATH2
Under Global Rules, change the initiator rule to the rule ID given by us:

Go to Maintain Route Mapping:


Click Add > at Rule ID use the help and select the rule ID created by us.
The Rule Kind is fixed to Initiator Rule, as we have not defined any other rule kind for this ID.

Click the help at Rule Result and select the first rule result value we created:

At Path ID, use the help and select the path ID we provided.

Repeat the same for Rule Result 2 with Path ID 2.

Go to Generate Version:
Click Save/Simulate
Choose "Do Not Transport Object" and click OK.
All the types should show green ticks.

All message text types show green ticks; the result can also be exported to a spreadsheet (accept the pop-up
blocker prompt).

Go to Process Global Settings and confirm that the process ID now carries the version we have just generated.

Test the result by requesting a role through an access request and confirm that the approval follows the
configured path: 001/002 through Manager, Role Owner and Security; 004/005 through Manager only.
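The initiator rule and route mapping configured in the BRF+ steps and in Step 051 above, as an added example (not part of the original document and not SAP code): it models the decision table, rule results, route mapping and paths in Python and checks the chain the way the Simulate run does. The request type codes, path names and stage configuration IDs are those used in this document; the dictionaries, the function names approval_stages and simulate, and the checks are assumptions of this illustration.

```python
"""Model of the ARM initiator rule and MSMP route mapping configured above.

Added illustration, not code from the document or from SAP.  It mirrors the
configuration in plain Python so the chain can be checked the way
"Generate Version > Simulate" does:
request type -> BRF+ decision table -> rule result -> route mapping -> path -> stages.
"""

# BRF+ decision table of the initiator rule: request type -> trigger value.
DECISION_TABLE = {
    "001": "ZBTSRI_DT_IR_PATH1",  # New Account
    "002": "ZBTSRI_DT_IR_PATH1",  # Change Account
    "004": "ZBTSRI_DT_IR_PATH2",  # Lock User
    "005": "ZBTSRI_DT_IR_PATH2",  # Unlock User
}

# MSMP "Maintain Rules > Rule Results": the result values typed in manually.
RULE_RESULTS = {"ZBTSRI_DT_IR_PATH1", "ZBTSRI_DT_IR_PATH2"}

# MSMP "Maintain Route Mapping": rule result -> path ID.
ROUTE_MAPPING = {
    "ZBTSRI_DT_IR_PATH1": "ZBTSRI_DT_IR_PATH1",
    "ZBTSRI_DT_IR_PATH2": "ZBTSRI_DT_IR_PATH2",
}

# MSMP "Maintain Paths": path ID -> stages in sequence (stage configuration IDs).
PATHS = {
    "ZBTSRI_DT_IR_PATH1": ["GRAC_MANAGER", "GRAC_ROLEOWNER", "GRAC_SECURITY"],
    "ZBTSRI_DT_IR_PATH2": ["GRAC_MANAGER"],
}


def approval_stages(request_type, decision_table=DECISION_TABLE,
                    rule_results=RULE_RESULTS, route_mapping=ROUTE_MAPPING,
                    paths=PATHS):
    """Return the ordered stage IDs a request of this type goes through.

    Raises LookupError at the first broken link: a request whose type has no
    initiator result, or whose result has no route mapping, cannot start a
    workflow.
    """
    result = decision_table.get(request_type)
    if result is None:
        raise LookupError(f"no initiator rule result for request type {request_type}")
    # Rule results are compared as exact strings, so a typo or case difference
    # between the BRF+ trigger value and the MSMP rule result breaks routing.
    if result not in rule_results:
        raise LookupError(f"rule result {result!r} not maintained under Rule Results")
    path = route_mapping.get(result)
    if path is None:
        raise LookupError(f"rule result {result!r} has no route mapping")
    if path not in paths:
        raise LookupError(f"path {path!r} not maintained under Maintain Paths")
    return list(paths[path])


def simulate(decision_table=DECISION_TABLE, rule_results=RULE_RESULTS,
             route_mapping=ROUTE_MAPPING, paths=PATHS):
    """Check every link once, like the simulate run before generating a version.

    Returns a list of problem strings; an empty list means the version can be
    generated.
    """
    problems = []
    for request_type in sorted(decision_table):
        try:
            stages = approval_stages(request_type, decision_table,
                                     rule_results, route_mapping, paths)
        except LookupError as exc:
            problems.append(str(exc))
            continue
        if not stages:
            problems.append(f"request type {request_type} routes to a path with no stages")
    for result in sorted(rule_results):
        if result not in decision_table.values():
            problems.append(f"rule result {result!r} is never produced by the decision table")
    for path in sorted(paths):
        if path not in route_mapping.values():
            problems.append(f"path {path!r} is not reachable from any rule result")
    return problems


if __name__ == "__main__":
    for rt in ("001", "002", "004", "005"):
        print(rt, "->", " > ".join(approval_stages(rt)))
    print("problems:", simulate() or "none")
    # Constructed mistake: second rule result typed as "Path2" instead of "PATH2".
    print(simulate(rule_results={"ZBTSRI_DT_IR_PATH1", "ZBTSRI_DT_IR_Path2"}))
```

Running the file prints the stage sequence for each request type and then shows what a rule result typed in a different case than the BRF+ trigger value does: the strings are compared exactly, so Lock and Unlock requests would have no route and the unused result is reported as well.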

BUSINESS ROLE MANAGEMENT


The main purpose of BRM is the maintenance of roles.
Through BRM we can ensure that the role attributes decided under the SoD concept are protected.
Workflow is also integrated, covering the approval process, so role maintenance runs end to end without manual
intervention in the backend.
Change logs and other tracking data are recorded and can be provided with other reports.

There are some prerequisites before configuring BRM, which include the steps covered in the Common Configuration
part. The extra prerequisites here are creating the users who approve role assignment and role content.
A user who approves role assignment is called the "Assignment Approver".
A user who approves role content is called the "Role Content Owner".
Assignment Approver: The user who, as role owner, approves access to the roles requested by end users. This is
the second stage in the path maintained for process ID SAP_GRAC_ACCESS_REQUEST, after manager approval. In
practice this can be given to the business process or sub-process leads at each company code (if we use the
parent/derived role concept and maintain a derived role for each company code as the org value).
Role Content Owner: Protecting role attributes as per SoD norms is one of the important undertakings an
organization gives for SOX (Sarbanes-Oxley) compliance, and a well-controlled role structure is the way to keep
SoD under control. The role content owner is therefore responsible for protecting the role attributes during
role creation and maintenance. This is the stage in the path maintained for process ID SAP_GRAC_ROLE_APPR. In
practice the head office that controls the parent role is the owner, and at head office the business process
lead can be the owner of the role (again assuming the parent/derived role concept with a derived role per
company code as the org value).

Step: 052 > Requirements > Maintain Connectors to Connector Group:


Information The same was done in Step 007 of Common Configuration. It is recommended to use the SAP
standard connector groups SAP_R3_LG, SAP_BAS_LG etc.

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Maintain Connectors and Connection Types

Step: 053 > Requirements > Maintain Connection Settings:


Information The same was done in Step 008 (Maintain Connection Settings). For Business Role Management the
integration scenario ROLMG must be maintained.

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Execute Maintain Connection Settings
Maintain the integration scenario ROLMG (PROV was maintained the same way for provisioning) and link the
scenario connector to the related connector group.

Step: 054 > Requirements > Maintain Mapping for Actions and Connector Groups:

Information The same was done in Step 011 of Common Configuration. Maintain the mapping for actions 0001 –
Role Generation, 0002 – Role Risk Analysis, 0003 – Authorization Maintenance and 0004 – Provisioning.

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Execute Maintain Mapping for Actions and Connector Groups

Step: 055 > Requirements > Maintain Connector Settings:


Information The same was done in Step 009 of Common Configuration. Maintain the connector settings, i.e. flag
the backend connector as a Development, Test or Production system. Currently we are focusing on Role
Management, which creates roles in the backend system. Roles are created in Development, tested, and after user
acceptance testing transported to Production. Therefore we assign the connector the environment DEVELOPMENT.

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Execute Maintain Connector Settings

Provide the target connector, application type SAP and environment Development, activate PSS (Password Self
Service) and SAVE.

Step: 056 > Requirements > Activate Business Configuration BC-Sets:


Information The same was done in Step 006 of Common Configuration. Activate the Business Configuration (BC)
sets related to Role Management:
GRAC_Role_MGMT_Landscape
GRAC_Role_MGMT_Methodology
GRAC_Role_MGMT_Pre_Req_Type
GRAC_Role_MGMT_Role_Status
GRAC_Role_MGMT_Sensitivity

T-Code SCPR20

Step: 057 > Requirements > Maintain Configuration Settings:


Information The same was done in Step 010 of Common Configuration. Maintain the parameters of Role
Management, parameter group ROLE, with its 24 parameter IDs:
3000 – Default Business Process: Select from the predefined processes we defined in Step 005
3001 – Default Sub Process: Select from the sub processes we defined in Step 005
3002 – Default Critical Level:
3003 – Default Project Release:
3004 – Default Role Status: Select PRD
3005 – Reset Role Methodology when changing Role Attributes:
3006 – Allow add functions to an authorization:
3007 – Allow editing organization level values for derived roles:
3008 – A Ticket number is required after authorization data changes:
3009 - Allow Role Deletion from Back-End:
3010 - Allow attaching files to the role definition:
3011 - Conduct Risk Analysis before Role Generation:
3012 - Allow Role Generation on Multiple Systems:
3013 - Use logged-on user credentials for role generation:
3014 - Allow role generation with Permission Level violations:
3015 - Allow role generation with Critical Permission violations:
3016 - Allow role generation with Action Level violations:
3017 - Allow role generation with Critical Action violations:
3018 - Allow role generation with Critical Role/Profile violations:
3019 - Overwrite individual role's Risk Analysis result during Mass Risk Analysis run:
3020 - Role certification reminder notification:
3021 - Directory for mass role import server files:
3024 - Enforce methodology process for derived roles during generation:
3025 - Allow selection of Org. Value Maps without leading org.:
In addition to the above, parameter groups 12 and 13 also need to be configured:

PG12-Access Request Role Selection: Contains 14 Parameter IDs with values in each ID
PG13-Access Request Default roles: Contains 5 Parameter IDs with values in each ID

Step: 058 > Requirements > Create Users & assign as Access Owners:
Information The same was done in Step 012, with some extra steps added here that are required
exclusively for BRM.
Assignment Approver: Create the end user on the GRC server and assign the roles below to make
him an access owner.
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_ROLE_MGMT_ADMIN
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
SAP_GRAC_ROLE_MGMT_USER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER

1) Maintain the owner as 'Role Owner' in Access Control Owners.


Path NWBC > SAP_GRAC_NWBC > Setup > Access Owners > Access Control Owners > Role Owner
2) Maintain the owner as 'Assignment Approver' in Role Owners.
Path NWBC > SAP_GRAC_NWBC > Setup > Access Owners > Role Owners > Assignment Approver
3) Maintain him in the role owner stage of the path for process ID SAP_GRAC_ACCESS_REQUEST in MSMP workflow
(see 'Maintain MSMP Workflow' for how to assign this owner).
4) Maintain him again in the Role Methodology, Define Role tab, as Assignment Approver.
Role Content Owner: Create the end user on the GRC server and assign the roles below to make him role
content owner.
In addition to the roles above, one more role, SAP_GRAC_ROLE_MGMT_DESIGNER, is to be assigned:
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_ROLE_MGMT_ADMIN
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
SAP_GRAC_ROLE_MGMT_USER

SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
SAP_GRAC_ROLE_MGMT_DESIGNER

3) Maintain him in the role owner stage of the path for process ID SAP_GRAC_ROLE_APPR in MSMP workflow
(see 'Maintain MSMP Workflow' for how to assign this owner).

4) Maintain him again in the Role Methodology, Define Role tab, as Role Content Owner.
T-Code SU01 - for creating the role owner user

Path For Assigning in Access Owners:


NWBC > SAP_GRAC_NWBC > Set Up > Access Owners > Access Control Owners >
Click “CREATE”

Information Role Owners is located below Access Control Owners.
Provide an ID for the condition group.
Use the help and pick the user.
Assignment Approver: TICK – the owner who approves access to the user. In the general workflow, after a
request is submitted it goes to the manager for approval and then to the role owner maintained here
(company code level).
Role Content Approver: TICK – the owner of the role structure, who approves the creation of the role and
any change required to it (HQ level).
Here we give both eligibilities to a single role owner.

T-Code

Path NWBC > SAP_GRAC_NWBC > Set Up > Access Owners > Role Owners


Click ‘ADD’

Step: 059 > Maintain Role Type Settings:


Information Here we maintain three settings for role types.
i. Mandatory: SAP provides 9 role types, all of which are available for use. Any role type not required in our
business model can be deactivated here.
ii. Optional: The active role types can be given labels as per our business understanding.
iii. Optional: Here we set the maximum length of the role name for each role type. The maximum length of a role
name allowed by SAP is 30. Example: a parent role can have 24 characters and the child (derived) roles under it
30; the 6 extra characters in the child role hold the org value maintained in it.
Types of roles:
Business Role: Carries all the roles related to one business process. This can be assigned to the FFID of that
business process.
Composite Role: Multiple roles are assigned here, e.g. where a separate authorization is to be maintained in a
derived role.
CUA Composite Role: Common role irrespective of the backend servers.
Derived Role: Contains org values and inherits the T-codes and authorizations from its parent role.
Group: Group of all derived roles, used to access any org value (company code * at BUKRS).
PD Profile:
Profile: Unique ID generated for each role.
Single Role: Role that has all T-codes, authorizations and org values and can be assigned to a user.
Template: A role created with common assignments in it, without variables.

T-Code

Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Role Management
Maintain Role Type Settings
Execute Deactivate Role Type
Click New Entries
Select the role type that is not required, mark it Inactive and SAVE

ii. Maintain Labels


Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Role Management
Maintain Role Type Settings
Execute Maintain Labels for Role Types
Click New Entries
Provide the language, selecting from the 41 available.
Select a role type from those that are active.
Provide the description for the role type as per our business design.

iii. Define length of Role for each role type


Path Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Role Management
Maintain Role Type Settings
Execute Specify Maximum Length for Role Type
Click New Entries:
Role types whose names carry an org value get 30 characters; those without org values get 24 characters. SAVE

Step: 060 > Prerequisite > Define Business Process & Sub Business Process:

Information Maintaining business processes and sub-processes is mandatory. If the client does not provide
sub-processes, the business process itself can be treated as the sub-process. This was also maintained in
Step 005.

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Execute Maintain Business Process & Sub Process

Step: 061 > Specify Naming Convention:

Information We maintain the naming convention structure here as agreed with the client. This is optional. It is
maintained per combination of connector group and role type, so each connector group can have its own naming
convention for the same role type. If the client requires separate conventions for FI and Basis single roles,
this is possible by selecting SAP_BAS_LG for one convention and SAP_FI_LG for another.
We maintain the naming convention for each role type within the maximum characters set in the step above.

Level  Content        Meaning                                     Length         Positions
1      Z              Customer (Z) role prefix                    1 character    1-1
2      B/C/A/D/S/T    Role type                                   1 character    2-2
3      _              Separator                                   1 character    3-3
4      FI00 / BS00    Business process                            4 characters   4-7
5      _              Separator                                   1 character    8-8
6      AP/AR/BK/GL    Sub business process                        2 characters   9-10
7      _              Separator                                   1 character    11-11
8      INVOICEPROCC   Role function (free text)                   12 characters  12-23
9      _              Separator                                   1 character    24-24
10     CC1000         Org value maintained in the derived role    6 characters   25-30

Based on the above naming convention, example role names are:
Business Role: ZB_FI00_AP_BUSINESSROLE_CC1000
Composite Role: ZC_FI00_AP_INVOICEPROCC_CC1000
CUA Composite Role: ZA_FI00_AP_INVOICEPROCC_CC1000
Derived Role: ZD_FI00_AP_INVOICEPROCC_CC1000
Group:
PD Profile:
Profile:
Single Role: ZS_FI00_AP_INVOICEPROCC (at parent role level the org value is not maintained)
Template: ZT_FI00_AP_TEMPLATE0001 (for a template role the org value is not maintained)

Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Specify Naming Conventions
Click New Entries
Give the version name, version description, role type and connector group
SAVE and go back

Then click Naming Convention Position

Click New Entries, provide the positions as explained above and SAVE

Create the same for the other role types.
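The position-based convention from Step 061 and the length limits from Step 059, as an added example (not part of the original document and not BRM code; BRM applies the convention itself when a role is defined): a builder that assembles a role name from its levels and a parser that checks an existing name against the layout. The level positions, role type letters, example codes and the 24/30 character limits are the ones given in this document; the function names and the rule that the org value suffix is present exactly for the org-bearing role types are assumptions of this illustration.

```python
"""Builder and validator for the BRM naming convention described above.

Added illustration, not code from the document or from SAP BRM.  Because the
convention is position based, every level has a fixed width: a function text
shorter than 12 characters would shift the org value out of positions 25-30.
"""
import re

# Level 2: role type letter (assumed mapping of type name to the document's letters).
ROLE_TYPE_LETTER = {
    "BUSINESS": "B", "COMPOSITE": "C", "CUA_COMPOSITE": "A",
    "DERIVED": "D", "SINGLE": "S", "TEMPLATE": "T",
}
# Role types whose name ends with a 6-character org value (positions 25-30).
ORG_VALUE_TYPES = {"BUSINESS", "COMPOSITE", "CUA_COMPOSITE", "DERIVED"}
MAX_LEN_WITH_ORG, MAX_LEN_WITHOUT_ORG = 30, 24

# Positions 1-30 as one pattern: Z, type, _, BP(4), _, SBP(2), _, function(12)[, _, org(6)].
_PATTERN = re.compile(
    r"^Z(?P<type>[BCADST])_(?P<bp>[A-Z0-9]{4})_(?P<sbp>[A-Z0-9]{2})"
    r"_(?P<function>[A-Z0-9]{12})(?:_(?P<org>[A-Z0-9]{6}))?$"
)


def parse_role_name(name):
    """Split a role name into its levels, or return None if it does not match."""
    m = _PATTERN.match(name)
    if m is None:
        return None
    letter_to_type = {v: k for k, v in ROLE_TYPE_LETTER.items()}
    role_type = letter_to_type[m.group("type")]
    # The org value suffix must be present exactly for the org-bearing types.
    if (m.group("org") is not None) != (role_type in ORG_VALUE_TYPES):
        return None
    return {"role_type": role_type, "business_process": m.group("bp"),
            "sub_process": m.group("sbp"), "function": m.group("function"),
            "org_value": m.group("org")}


def is_valid_role_name(name):
    return parse_role_name(name) is not None


def build_role_name(role_type, business_process, sub_process, function, org_value=None):
    """Assemble a role name from its levels and enforce the layout and length rules."""
    letter = ROLE_TYPE_LETTER[role_type]
    needs_org = role_type in ORG_VALUE_TYPES
    if needs_org and org_value is None:
        raise ValueError(f"{role_type} role requires an org value at positions 25-30")
    if not needs_org and org_value is not None:
        raise ValueError(f"{role_type} role must not carry an org value (parent/template level)")
    name = f"Z{letter}_{business_process}_{sub_process}_{function}"
    if needs_org:
        name += f"_{org_value}"
    limit = MAX_LEN_WITH_ORG if needs_org else MAX_LEN_WITHOUT_ORG
    if len(name) > limit:
        raise ValueError(f"{name!r} is {len(name)} characters, limit for {role_type} is {limit}")
    if parse_role_name(name) is None:
        raise ValueError(f"{name!r} does not fit the position layout")
    return name


if __name__ == "__main__":
    print(build_role_name("DERIVED", "FI00", "AP", "INVOICEPROCC", "CC1000"))
    print(build_role_name("SINGLE", "FI00", "AP", "INVOICEPROCC"))
    print(parse_role_name("ZT_FI00_AP_TEMPLATE0001"))
    # A derived role without its org value does not match the layout.
    print(is_valid_role_name("ZD_FI00_AP_INVOICEPROCC"))
```

The parser is the part worth keeping around: run over a role list exported from the backend it shows which existing roles would not fit the convention before BRM is switched on for them.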

Step: 062 > Define other Role Attributes:

Information Other attribute values can be assigned to roles. Some are mandatory and some optional. These
options are explained to the client and used as designed by the client.

A Maintain Project Release: Mandatory. As GRC is the central administrator, we need to provide a separate
project release that will be used in further configuration.

B Define Role Sensitivity: Optional. Up to 4 sensitivity levels can be created and selected at role creation,
based on the role.

C Maintain Role Status: Mandatory. When creating a role its status is selected, and the status meant for
production must be flagged as Production here. A role with such a status is eligible for provisioning and
can be requested by users through ARM. If development roles are also to be provided through ARM, the
development status must also be ticked under PROD here.
The respective production status is selected while creating the role through role methodology, in the
definition phase under Additional Details tab > Provisioning tab.
If we have a project release for all the roles to be assigned, we can create a status with the project
release name, tick it under Production and maintain the assignable roles with it.

D Critical Level: Optional. Different criticality levels can be created and selected at role creation, based
on the role.

E Define Companies: Companies are defined here and selected while creating the role. If a company has several
company codes with the same role structure, this is handled through the parent/derived role concept by
maintaining org values in the derived roles. Selecting the company here provides the roles related to that
company.

F Functional Area: Create or maintain the functional areas to be assigned to roles.
The functional area states which function a role belongs to, such as AP, AR or GL in business area FI00.
Here we provide the functional area codes, descriptions and 2-character abbreviations; a company can also be
entered. It is recommended not to enter the company against a functional area, since the same functional
area exists in all companies; if a function exists in only one company it can be maintained.

G Prerequisites: Predefined prerequisite types are CERTIF – Certification, NDA – Non-Disclosure Agreement
and TRAINING. If a user must complete training or certification before being assigned a role to execute its
transactions, this is maintained here. New types can also be created via New Entries, e.g. ISO training for
the SoD procedure.

H Role Prerequisites: Under the prerequisite types created above we create the prerequisite list linked to
the type. They can be maintained per system by providing the RFC destination and course ID. After the RFC
destination the connection type is also required; it is ABAP 3 if asked.

I Define Organizational Value Maps: This mapping is needed for the creation of derived roles. Our company
codes must be defined here to get them into the role creation screen.

A. Maintain Project Release:


Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Project and Product Release Name
Click New Entries

Give Project Release ID & Description & SAVE

B. Define Role Sensitivity:


Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Role Sensitivity
Click New Entries

C. Maintain Role Status: To add a further role status use New Entries and tick Production where applicable.
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Role Status

D. Specify Critical Level: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Specify Critical Level

E. Define Companies: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Companies

F. Maintain Functional Areas: New Entries > provide information as below. Abbr is 2 characters, and Co is not
required, as the functional area belongs to all company codes. If a function exists exclusively in a single
company, that functional area can be maintained with that company code, e.g. HQ will have a Corp. Tax role.
SAVE
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Functional Areas

G. Define Prerequisite Types: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Prerequisite Types

H. Define Role Prerequisites: New Entries > provide information as below > SAVE
CERTIF is a Certification
NDA is a Non-Disclosure Agreement
TRAINING is Training
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Role Prerequisites

I. Define Organizational Value Maps: New Entries > provide information as below > SAVE
Path SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Organizational Value Maps

After saving the above, double-click Org Level Mapping Details, provide the information below and SAVE

Step: 063 > Maintain MSMP Workflow:


Information The process ID to maintain here is SAP_GRAC_ROLE_APPR, the process ID SAP provides for role
maintenance.
Here we maintain the workflow settings as we did for ARM in Step 036. A detailed explanation of each page
is given in Step 036 – please refer to it.
To understand how the MSMP workflow and the role methodology work together, we do the following steps:

1) Select the process ID and switch to change mode by clicking 'Change/Display' on the Process Global
Settings page.

2) On Maintain Rules, select the default rule ID.

Under Rule Results, select the default result value.

Under Global Rules, select the default Process Initiator and Notification rules:

3) Go to the Maintain Agents page.


Click Add under Agents

Provide the new Agent ID


Provide the Agent Name
Agent Purpose > Notification (Acknowledgement) or Approval
Agent Type: select Directly Mapped Users

A new field APPROVERS GROUP appears immediately

A window opens; click the Add button

Provide the approver group name as per the naming convention


Provide the users proposed for the group and SAVE
Note:
The user provided here is the role content owner who approves the creation of the role.
Before being entered here he must be assigned as a role owner in Access Control Owners under Access Owners,
and then as Assignment Approver and Role Content Approver in Role Owners under Access Owners.

The created approver group now appears in the existing list


Scroll down to find the group
Click the approver group, which appears as a hyperlink

Finally it appears as below; click SAVE

4) Go to Variables & Templates > nothing to change here; click Next

5) Go to Maintain Paths: select the default path provided for this process ID and find the stages in the path.
Go to the stage and click 'Modify Task Settings'.

In the Agent ID field maintain the agent ID we created.

After maintaining the Agent ID


Update the Approval Type to "Any One Approver" and the other task settings
Click SAVE

Set the comments column to mandatory at Approval / Rejection / Both and SAVE

6) Go to Maintain Route Mapping > select the default rule ID and click NEXT

7) Go to Generate Version and Activate > click SAVE/SIMULATE

Click ACTIVATE

The message "Version Generated" appears

Before going ahead with the role methodology, verify the default target connector under the connector group
for the action Role Generation.
This is discussed in Step 011 of Common Configuration in this document.
The role will be created in the target backend system maintained there.

Step: 064 > Role Methodology:

Information Roles are created through the role methodology from the GRC server by the line of business. This
is possible in BRM once values such as the naming convention and role type settings are maintained. After the
role is created from the GRC server and the approval process completes, the role is generated automatically
and placed in the required backend system.
Role creation happens in defined steps. SAP provides 9 standard steps from which we can select the required
ones and set their sequence. The methodology can also be maintained per role type. This is explained to the
client and configured as agreed.
The standard phases available in GRC are:
Definition: We can name this phase Role Definition or Define Role
Action and Permission: We can name this phase Maintain Authorization Data
Risk Analysis: We named this phase Run Role Risk Analysis
Derivation: Derived roles are defined in this phase
Approval: Approval
Generation: Can be named Role Generation
Testing: Role Testing
Provisioning: Provisioning
We select the required steps and activate them to use them as phases in the role methodology (Role
Maintenance).
Path SPRO
SAP REF IMG
GOVERNANCE, RISK AND COMPLIANCE
ACCESS CONTROL
ROLE MANAGEMENT
DEFINE METHODOLOGY PROCESS AND STEPS
Double-click "Define Steps" in the left pane

The available actions appear in a dropdown under Action. Provide our own name for each phase and activate it
with the tick mark.

After activating the required steps


We can define a different methodology process for each role type.
Each process is maintained with a unique 3-digit number.

Path SPRO
SAP REF IMG
GOVERNANCE, RISK AND COMPLIANCE
ACCESS CONTROL

ROLE MANAGEMENT
DEFINE METHODOLOGY PROCESS AND STEPS
Click New Entries

Maintain the methodology process decided for each role type


Fill in the number of the methodology process
Fill in the description, and the long description if required
Use the dropdown and select "Active"
It is suggested not to tick Default, as another version may already be the default and the system will be
confused.
SAVE

After saving the methodology with its number


We maintain the steps as agreed with the client, in their sequence.
The steps are selected from the ones we activated in the previous step.
The ideal steps/phases in the role methodology are:
1st Stage - Definition: In this phase we provide the information on which backend application the role
belongs to, which landscape (connector group), business process and sub-process, project release etc.
Based on this information the system applies the naming convention we configured and prefills the role name,
except the free text.
In this stage we also have to maintain the role owners as:
Assignment Approver
Role Content Approver

nd
2 Stage- Action & Permission: Here we give the T-Codes to be maintained in the role with its
authorizations. So that profile is created & role will not be generated. Profile creation is required to run the risk
analysis. Here synchronization and access between backend server and GRC server takes place.
3rd Stage - Run Risk Analysis: Running the role risk analysis after maintaining the T-codes and
authorizations in the parent role is required to ensure that the role has no risks within itself before the
derived roles are created.
It is suggested to place the risk analysis phase before the derived-role phase because the actions and
permissions are maintained at parent role level, and the risk analysis is likewise done at parent role level only, so
that the derived roles are uniform enterprise-wide.
A rule set may also be maintained at company code level; for example, Japan has the JSOX compliance requirement, which may differ
from the standard SARBOX (Sarbanes-Oxley) act, so a separate rule set is required particularly for that company code.
In such a case it is suggested to run the risk analysis for all required rule sets at parent level only. When any
deviation is found in any rule set, it is strictly suggested to split the role and ensure that no rule set shows an SoD
violation for a parent role.

4th Stage - Derived Role: Now we can create the required derived roles.

5th Stage - Approval: We can initiate the approval process now. To find the status of the request, go to
NWBC > Access Request > Access Request > Request Status
Approval is to be done by the role content approver.

6th Stage - Role Generation: Once the approval is done, the generation of the role also takes place.

After saving the methodology - Double click Methodology Process Step

Click New Entries

Provide the sequence and give the steps one after another. The Action column gets updated automatically.
SAVE

Go back to the main screen, or use the path, and activate the version we created:

Step: 065 > Role creation through Methodology:

Information: Now it is time for us to use the role methodology. We will create a role using this
methodology and see how the phases we configured work.

Path NWBC > SAP_GRAC_NWBC > Access Management > Role Management > Role Maintenance


Click ‘Create’ and it will ask which role type to create. The activated role types are listed here with
the labels we defined, not the SAP-defined role type names. Deactivated role types are not offered for
selection.

We selected Simple Role – ZS, the label we gave to Single Role.


Find the options to fill in, as we configured above:

• Application Type: Select SAP among the other backend server types supported by GRC
• Landscape: This is a connector group, displayed here by its description. Select a GRC-predefined one such as
SAP_BAS_LG or SAP_R3_LG
• Business Process: Select one of the business processes we created in step 005
• Subprocess: Select one of the sub-processes we created in step 005 under the business process

• Project Release: Select the release created by us


• Role Name: Provide the naming convention designed at Step 048 for Single Role

Click ‘SAVE & CONTINUE’

Click SAVE & Go to Owners & Approvers Tab

Go to the Owners/Approvers tab & maintain the owner

Click help under User > Give the role owner name & Click Start Search
Select the owner & Click OK

Select the owner as Assignment owner & role content owner


Click Save & Continue

Click Maintain Authorization Data

Find the window opened at the bottom of the screen & click OPEN

A window will open with the User Name; provide the Password & click Logon

If a small window opens, maximize it

If it asks for the password again, provide it & log in. Ensure we give the right client ID, where the role was pushed, & that we
have access to the server

If it asks whether to continue with this login, select it & continue; the previous session will close

It takes us directly to the PFCG screen of this role. Go to the Menu tab & give the T-codes:

Go to Authorizations Tab:

If it asks for field values of Org levels > Give full authorization (* gets updated) & Click SAVE

Maintain missing authorizations by clicking as shown in the below screen & save. Please don’t Generate

On saving, the profile gets created but the role is not generated. Once the profile exists, the risk analysis can be run for the role to find
SoD violations within the role.

Click back after saving


A message then pops up saying the profile is not generated & saved; click Continue

Click ‘Sync with PFCG’

The system asks for a Ticket Number > provide a number & description > click OK; it will go to the next phase

It goes to the Analyze Access Risks phase:


Select required rule set
Select Format of report
Tick Action Level & Permission level
Run the risk analysis in Foreground

Find the risks in the role & ensure that no risks exist within the role.
Ensure we run the report against all the rule sets that exist for the various geographical locations (company code level).
If a risk exists, split the role, even if it is not possible to place the risk-creating T-code in any other role.
Click Save & Continue
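The risk-analysis phase described in the 3rd stage above and the check just performed (run the analysis against every rule set on the parent role, and split the role when any rule set reports a violation) can be modelled as follows. This is an added example in Python, not code from this document or from SAP GRC; the rule sets, function IDs, risk IDs and T-code lists are constructed sample data, and only the action level (T-codes) is modelled, not the permission level on authorization objects.

```python
# Added example (not from the GRC document or SAP): action-level SoD analysis of a parent role
# against several rule sets, mirroring the "Run Risk Analysis" phase of the role methodology.
# All rule sets, functions, risk IDs and T-code lists below are constructed sample data.

# Constructed rule sets. A "function" groups T-codes; a "risk" is a pair of functions that
# must not sit together in one role. "JSOX" knows one risk that "GLOBAL" does not.
RULE_SETS = {
    "GLOBAL": {
        "functions": {
            "AP01": {"FK01", "FK02"},     # maintain vendor master
            "AP02": {"F-53", "F110"},     # post vendor payments
            "PR01": {"ME21N", "ME22N"},   # create/change purchase orders
        },
        "risks": {"P001": ("AP01", "AP02"), "P002": ("PR01", "AP02")},
    },
    "JSOX": {
        "functions": {
            "AP01": {"FK01", "FK02"},
            "AP02": {"F-53", "F110"},
            "PR01": {"ME21N", "ME22N"},
            "MM01": {"MIGO"},             # goods receipt
        },
        "risks": {"P001": ("AP01", "AP02"), "P003": ("MM01", "AP02")},
    },
}


def action_level_risks(tcodes, rule_set):
    """Return {risk_id: (func_a, hits_a, func_b, hits_b)} for every risk whose two
    functions are both reachable through the role's T-codes (action level only)."""
    tcodes = set(tcodes)
    hits = {func: sorted(tcodes & codes) for func, codes in rule_set["functions"].items()}
    found = {}
    for risk_id, (func_a, func_b) in rule_set["risks"].items():
        if hits[func_a] and hits[func_b]:
            found[risk_id] = (func_a, hits[func_a], func_b, hits[func_b])
    return found


def analyse_all_rule_sets(tcodes, rule_sets=RULE_SETS):
    """Run the action-level analysis once per rule set, as the methodology requires
    before derived roles are created. Returns {rule_set_name: risks_found}."""
    return {name: action_level_risks(tcodes, rs) for name, rs in rule_sets.items()}


def is_clean(report):
    """True only when no rule set reported a risk."""
    return all(not risks for risks in report.values())


def suggest_split(tcodes, rule_sets=RULE_SETS):
    """First-fit split of a violating parent role into roles that are clean in every rule set.
    Each T-code joins the first candidate role it does not put into conflict, else opens a new one."""
    roles = []
    for tcode in sorted(set(tcodes)):
        for role in roles:
            if is_clean(analyse_all_rule_sets(role | {tcode}, rule_sets)):
                role.add(tcode)
                break
        else:
            roles.append({tcode})
    return [sorted(role) for role in roles]


# Constructed parent role: one T-code from each function above
PARENT_ROLE_TCODES = {"FK01", "F110", "ME21N", "MIGO"}

if __name__ == "__main__":
    report = analyse_all_rule_sets(PARENT_ROLE_TCODES)
    for name, risks in report.items():
        print(name, "clean" if not risks else risks)
    if not is_clean(report):
        print("split suggestion:", suggest_split(PARENT_ROLE_TCODES))
```

A role holding only MIGO and F110 is clean under the GLOBAL rule set but flagged under JSOX, which is exactly why the document insists on running every rule set against the parent role before deriving. `suggest_split` is a first-fit heuristic: it guarantees that each resulting role is clean in all rule sets, not that the number of roles is minimal; the final cut still belongs to the role content approver.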

We go to the Derived Role phase; as we are creating a single role, just ignore this stage & click Save & Continue

The next phase is Request Approval; just click Initiate Approval Request

Provide the reason for creation of the role & click OK in window popped up

Find the message that the request is processed successfully:

Go to NWBC > SAP_GRAC_NWBC > Access Management > under Access Request, click Request Status

A window opens with the list of requests raised by us and their status:

Find the details of the request we have raised; under Audit Log we can find the approvers with whom the request
landed.

Log in with the owner user ID to approve the role:

Go to NWBC > SAP_GRAC_NWBC > My Home > Work Inbox under Work Inbox

We will find the request with a hyperlink: click the hyperlink of the request

Click APPROVE

Fill the Notes in the window popped up & Click OK

For confirmation:
Log in with our own ID again
Go to NWBC > SAP_GRAC_NWBC > Access Management > under Access Request go to the Request Status again >
select our current request > click Instance Request:

The screenshots of the same role methodology procedure are placed, without highlights, in the attached file here.
Use it if required:
