INSTALLATION OF GRC SERVER
installation of main components of ac/pc/rm
1. main installation components:
GRCFND_A V1000 GRC FOUNDATION ABAP
GTS (GLOBAL TRADE SYSTEM)
SLL-LEG
NFE (NOTA FISCAL ELECTRONICA)
SLL-NFE
SAP NW AS 7.02 WITH SP6 OR HIGHER
SAP GRC10.1
SAP NW AS 7.40 SP02
GRCFND_A V1100
installation of plug-in for ac/pc/rm on erp or nw as
GRCPINW SAP GRC NW PLUGIN
GRCPIERP
R/3 4.7 SAP_BASIS SP 63 620
ECC5 SAP_BASIS SP 18 640
ECC6 SAP_BASIS SP 13 700
NW 7.01 " 02
01
SAP GUI 7.30 IS RECOMMENDED
000-----------------------------DDIC
SAINT/SUM Tool - ADD ONS
add ons available .sar file
sapcar -xvf <abc.sar>
post installation activities:
client copy
*** 400 frontend system in BPD
399 backend system in EH6*****
a. now establish the communication between 400 (front grc server) and 399 (backend
ecc system) client through RFC
b. creating logical systems------ sale/bd54
c. assigning logical systems to clients-----sale/scc4
now perform the same in other client
d. creating rfc connections-------sale/sm59
2. ACTIVATING APPLICATIONS
SPRO
sap reference img
GRC
GENERAL SETTINGS
EXECUTE ACTIVATE APPLICATIONS IN CLIENT
CLICK ON NEW ENTRIES
GRC-PC
GRC-RM
GRC-AC NOW SELECT THE CHECK BOX: ACTIVATE
NOW SAVE.
3. SICF (sap internet communication framework)
T-CODE SICF
EXECUTE
EXPAND DEFAULT HOST
EXPAND SAP
NOW SELECT GRC, RIGHT CLICK ON IT, CLICK ON ACTIVATE
4. activate bc sets (business configuration sets)
SCPR20
ARA----1 1
ARM----4 7
BRM----5 6
EAM----1 1
BACKEND SYSTEM----1
front end: EC5CLNT200 test1234
back end: ec5clnt800
5. creating and maintaining connectors
batclnt800 backend system
batclnt100 frontend system
spro
sap reference img
GRC
COMMON COMPONENT SETTINGS
INTEGRATION FRAMEWORK
CREATE CONNECTORS NOW IT WILL TAKE YOU TO SM59
connector groups
SRM DEV QUA PRO
ECC DEV QUA PRO
CRM DEV QUA PRO
6. maintain connectors and connection types
GRC- COMMON COMPONENT SETTINGS- INTEGRATION FRAMEWORK- MAINTAIN CONNECTORS
AND CONNECTION TYPES
SELECT SAP-
DOUBLE CLICK ON DEFINE CONNECTORS
CLICK ON NEW ENTRIES:
TARGET CONNECTOR   CONNECTION TYPE   SOURCE CONNECTOR   LOGICAL PORT   MAX. NO. OF BW PS
EH6CLNT455         SAP               EH6CLNT455         EH6CLNT455     3
now save
note: source connector and logical port must be the same
NOW SELECT EH6CLNT455
NOW DOUBLE CLICK ON DEFINE CONNECTOR GROUP
CLICK ON NEW ENTRIES
CONN. GROUP   CONNECTION TEXT   CON. TYPE
JAINY         JAINY GROUP       SAP
SAVE
NOW SELECT JAINY CONNECTOR GROUP
DOUBLE CLICK ON ASSIGN CONNECTOR GROUP TO GROUP TYPES
CLICK ON NEW ENTRIES
CONNECTOR GROUP TYPE
SELECT LOGICAL GROUP
SAVE
DOUBLE CLICK ON ASSIGN CONNECTORS TO CONNECTOR GROUPS
TARGET CONNECTOR   CONNECTION TYPE
EH6CLNT800         SAP
SAVE NOW
7. maintain connection settings
spro-grc-common component settings- integration framework
maintain connection settings
integration scenario: AUTH
CONTINUE
NOW SELECT AUTH
NOW DOUBLE CLICK ON SCENARIO CONNECTOR TYPE LINK
NOW SELECT SAP
NOW DOUBLE CLICK ON SCENARIO CONNECTOR LINK
CLICK ON NEW ENTRIES
NOW SELECT TARGET CONNECTOR: <RFC DESTINATION OF TARGET SYSTEM>
ENTER
NOW SAVE IT, IT WILL PROMPT FOR CUSTOMIZING REQUEST.
CREATE AND SAVE
AUTH - ARA
PROV - ARM
ROLMG - BRM
SUPMG - EAM
UNICODE
TABLE:
GRFNCGRPCONLK Connector Group and Connector Type Link
GRFNCONNGRP Connector Group definition
GRFNCONNGRPT Connector Group Description
GRFNCONNGRPTYPE Connector Group Type Definition
GRFNCONNSCNLK Connector Scenario Link
GRFNFLDHR HR Configurable Fields
GRFNFREQUENCYS Timeframe Frequencies - SAP delivered entries
8. MAINTAIN CONFIGURATION SETTINGS
SPRO-SAP REFERENCE IMG- GRC- ACCESS CONTROL
MAINTAIN CONFIGURATION SETTINGS
HERE YOU CAN CREATE A NEW PARAMETER BY CLICKING NEW ENTRIES
PARAMETER GROUP   PARAMETER ID   PAR. VALUE
RISK ANALYSIS     1024           1
SAVE.
OR
YOU CAN CHANGE THE EXISTING PARAMETERS
SAVE.
MAINTAIN RISK ANALYSIS PARAMETERS 1023,1024,1025,1026,1027,1036,1048
ARA 1024 1 (HIGH)
ARM 20
BRM 30
EAM 40
Configuration Parameters: GRACCONFIG table contains the defaults
9. MAINTAIN CONNECTOR SETTINGS
SPRO-SAP REFERENCE IMG- GRC- ACCESS CONTROL
MAINTAIN CONNECTOR SETTINGS
CLICK ON NEW ENTRIES
TARGET CONNECTOR            APP. TYPE   ENVIRONMENT
RFCDEST. (BACK END SYS.)    001 (SAP)   DEVELOPMENT
IN THIS STEP WE SPECIFY WHICH TYPE OF ENVIRONMENT THE SYSTEM BELONGS TO, WHETHER
IT IS DEV, QUA, PRO
10. MAINTAIN MAPPING FOR ACTIONS AND CONNECTOR GROUPS:
Usage and Activities for Field Mapping
Field Mapping Usage?
In Role Management there are four phases that require you to choose a connector
The phases are associated with the following actions:
0001 Role Generation
0002 Role Risk Analysis
0003 Authorization Maintenance
0004 Provisioning
0005 HR Triggers
In this Customizing activity, you can assign the actions to a connector group and
then choose the default connector for each group.
SPRO - SAP REF IMG- GRC- ACCESS CONTROL- MAINTAIN MAPPING FOR ACTIONS AND CONNECTOR
GROUPS
CLICK ON NEW ENTRIES
CONNECTOR GROUP   ACTIVE       APPL. TYPE
BATCH10           CHECK MARK   001
NOW SELECT BATCH10 CONN. GROUP
NOW DOUBLE CLICK ON: ASSIGN DEFAULT CONNECTORS TO CONNECTOR GROUPS
NEW ENTRIES
CONNECTOR GROUP   ACTION   TARGET CONNECTOR   DEFAULT
BATCH10           0001     RFC DEST           SELECT
BATCH10           0002     "                  "
BATCH10           0003     "                  "
BATCH10           0004     "                  "
save
11. MAINTAIN PLUG-IN SETTINGS
PERFORM THIS STEP IN BACKEND SYSTEM.
SPRO- SAP REF. IMG- GRC (PLUGINS)- MAINTAIN PLUG-IN CONFIGURATION SETTINGS
NEW ENTRIES
PARAMETER ID: 1001
SEQUENCE: 2
PARAMETER VALUE: jainy900 (RFC DEST. OF GRC SYSTEM)
again
NEW ENTRIES
PARAMETER ID: 1000
SEQUENCE: 1
PARAMETER VALUE: jainy455 (RFC DEST. OF BACK END SYSTEM)
SAVE
IT WILL PROMPT FOR CUST. REQUEST, CREATE AND SAVE.
THIS IS THE ONLY STEP WE PERFORM IN THE BACKEND SYSTEM.
NOW GO TO FRONT END SYSTEM
12. SYNCHRONIZATION JOBS:
AUTHORIZATION SYNCH
BY THIS STEP WE ARE GOING TO SYNCH BACK END SU24 DATA INTO THE GRC SYSTEM.
USOBT AND USOBX TABLES, CUSTOMER TABLES ARE USOBT_C AND USOBX_C.
SPRO- SAP REF. IMG- GRC- ACCESS CONTROL- SYNCHRONIZATION JOBS- AUTHORIZATION SYNCH
CONNECTOR: BATCH800 (BACK END RFC DEST.)
PROGRAM MENU- EXECUTE IN BACKGROUND
CONTINUE AND IMMEDIATE
NOW THE GRAC_PFCG_AUTHORIZATION_SYNC JOB IS SCHEDULED, WHICH WILL SYNCH SU24 DATA FROM
BACKEND TO FRONT END SYSTEM.
PROGRAM: GRAC_PFCG_AUTHORIZATION_SYNC
13. NOW SYNCH REPOSITORY OBJECTS
ACCESS CONTROL- SYNCHRONIZATION JOBS- REPOSITORY OBJECT SYNC
BY THIS STEP WE SYNCH ROLES, USERS AND PROFILES
CONNECTOR: BATCH800 (RFC DEST. OF BACK END SYSTEM)
PROGRAM MENU- EXECUTE IN BACKGROUND
CONTINUE AND IMMEDIATE
NOW THE GRAC_REPOSITORY_OBJECT_SYNC JOB IS SCHEDULED, WHICH SYNCHS USERS, ROLES AND
PROFILES FROM BACK END SYSTEM TO GRC.
THE FOLLOWING ARE THE PROGRAMS INCLUDED IN REPOSITORY OBJECT SYNCH:
GRAC_ROLEREP_PROFILE_SYNC
GRAC_ROLEREP_ROLE_SYNC
GRAC_ROLEREP_USER_SYNC
FOLLOWING ARE THE TABLES connector specific users, roles and profiles
USER TABLE: GRACUSERCONN
ROLE TABLE: GRACRLCONN
PROFILE TABLE: GRACPROCONN
14. GENERATING RULE SET:
SPRO- SAP REF IMG- GRC- ACCESS CONTROL- ACCESS RISK ANALYSIS- SOD RULES- GENERATE
SOD RULES
RISK ID: *
SCHEDULE IT IN BACKGROUND JOB
GRAC_GENERATE_RULES IS A BACKGROUND JOB WHICH GENERATES RULE SETS.
RULE SET TABLE: GRACACTRULE (RISK)
RULE SET
BUSINESS PROCESS BASIS related
Z_RISK
FUNCTION1 FUNCTION2
SU01, SU10, SUGR PFCG, SUPC
ACTIONS/PERMISSIONS A/P
ACTIONS - T-CODES
PERMISSIONS - AUTHORIZATION OBJECTS
USER1- SU01, PFCG
standard rule set - global rule set
check out all standard roles: sap_grac*
TABLE: GRACRULESET
15. CREATION OF BUSINESS PROCESS:
SPRO- SAP REF IMG- GRC- ACCESS CONTROL- MAINTAIN BUSINESS PROCESS AND SUB PROCESS
CLICK ON NEW ENTRIES
BUSINESS PROCESS: BATCH10BUS DESCRIPTION: BATCH10 BUSINESS PROCESS
IT WILL PROMPT YOU TO CREATE REQUEST
SAVE
TABLE
GRACBPROC Business Process
GRACBSUBPROC SUB BUSINESS PROCESS
GRACBPROCT Business Process Text
16. CREATION OF FUNCTIONS:
NWBC- SETUP- UNDER ACCESS RULE MAINTENANCE-
FUNCTIONS
CREATE-
FUNCTION ID: B10FUN1
BUSINESS PROCESS: BATCH10 BUSINESS PROCESS
DESCRIPTION: SU01
UNDER ACTION TAB
CLICK ON ADD
SYSTEM: RFC DESTINATION
ACTION: SU01
SAVE
NOW CREATE ONE MORE FUNCTION WITH PFCG T-CODE (ACTION)
CREATE-
FUNCTION ID: B10FUN2
BUSINESS PROCESS: BATCH10 BUSINESS PROCESS
DESCRIPTION: pfcg
UNDER ACTION TAB
CLICK ON ADD
SYSTEM: RFC DESTINATION
ACTION: pfcg
SAVE
NOW GENERATE FUNCTIONS
TABLE: GRACFUNC
17. NOW CREATE A RISK AND ATTACH THE ABOVE TWO FUNCTIONS TO THIS RISK:
NWBC- SETUP- ACCESS RULE MAINTENANCE- ACCESS RISKS- CREATE
ACCESS RISK ID: B10RISK
RISK TYPE: SOD
BUSINESS PROCESS: BATCH10 BUSINESS PROCESS
DESCRIPTION: BATCH10 SEC RELATED
RISK LEVEL: MEDIUM
DESCRIPTION: RISK FOR FUNCTION
UNDER FUNCTION TAB
CLICK ON ADD:
B10FUN1
B10FUN2
NOW IT WILL ASK YOU FOR RULE SET
NOW WE WILL CREATE RULE SET:
18. NWBC- SETUP- ACCESS RULE MAINTENANCE- RULE SET
CREATE
RULE SET ID: B10RULE
DESCRIPTION: BATCH10 RULE SET
save
GENERATE RISK AS WELL
20. NOW MAINTAIN ACCESS OWNERS:
NWBC- SETUP- ACCESS OWNERS
ACCESS CONTROL OWNER
CREATE
OWNER: GRCUSER4
SELECT THE CHECK BOX: RISK OWNER
SAVE CLOSE
NOW GO TO BACKEND SYSTEM AND CREATE ROLE WITH THE COMBINATION OF SU01 AND PFCG
COME TO FRONT END SYSTEM AND PERFORM SYNCHRONIZATION
SPRO- GRC- ACCESS CONTROL- SYNCHRONIZATION JOBS- REPOSITORY OBJECT SYNCH
CONNECTOR: RFC DESTINATION
PROGRAM MENU- BACKGROUND.
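Added example (not part of the original notes and not SAP code): a simplified Python model of what the generated rule set from steps 14 and 17-18 checks when the SU01 + PFCG test role is analyzed. It assumes rule generation pairs every action of one function with every action of the other, at action level only (no permissions); the rule ID numbering and the role names are constructed.

```python
from itertools import product

# Function ID -> actions (t-codes). FUNCTION1/FUNCTION2 are taken from step 14,
# B10FUN1/B10FUN2 from step 16 of these notes.
FUNCTIONS = {
    "FUNCTION1": {"SU01", "SU10", "SUGR"},
    "FUNCTION2": {"PFCG", "SUPC"},
    "B10FUN1": {"SU01"},
    "B10FUN2": {"PFCG"},
}
# SoD risk ID -> the functions that must not be held together.
RISKS = {"Z_RISK": ("FUNCTION1", "FUNCTION2"), "B10RISK": ("B10FUN1", "B10FUN2")}


def generate_rules(risks, functions):
    """Expand every risk into action-level rules: one rule per combination of
    one action from each function (assumed model; rule IDs are hypothetical)."""
    rules = []
    for risk_id in sorted(risks):
        action_lists = [sorted(functions[f]) for f in risks[risk_id]]
        for n, combo in enumerate(product(*action_lists), start=1):
            rules.append({"rule_id": f"{risk_id}{n:03d}", "risk_id": risk_id,
                          "actions": frozenset(combo)})
    return rules


def analyze(actions, rules):
    """Return the rules whose actions are all present in the given action set."""
    held = {a.upper() for a in actions}  # the notes type t-codes in mixed case
    return [r for r in rules if r["actions"] <= held]


def analyze_user(role_names, role_actions, rules):
    """User-level analysis: merge the actions of all assigned roles first, so a
    conflict that is split across two roles is still reported."""
    held = set()
    for role in role_names:
        held |= set(role_actions.get(role, ()))
    return analyze(held, rules)


# Constructed sample data: role names and their actions are made up.
ROLE_ACTIONS = {
    "Z_B10_TEST": {"su01", "pfcg"},   # the SU01 + PFCG test role from the notes
    "Z_USER_ADMIN": {"SU10"},
    "Z_ROLE_ADMIN": {"SUPC"},
}

if __name__ == "__main__":
    rules = generate_rules(RISKS, FUNCTIONS)
    for user, roles in {"USER1": ["Z_B10_TEST"], "USER2": ["Z_USER_ADMIN", "Z_ROLE_ADMIN"]}.items():
        print(user, sorted(r["rule_id"] for r in analyze_user(roles, ROLE_ACTIONS, rules)))
```

USER2 holds no conflicting role on its own; the violation only appears once the two roles are merged, which is why the analysis is run per user as well as per role.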
EAM:
FF:lara
FFID: backend as service user
FFOWNER:
FFCONTROLLER:
create 3 users by su01 t-code in grc system
ff
ffowner
ffcontroller
and assign the respective roles to the above users.
now go to backend system
create ffid as service user.
/N/VIRSA/VFAT 5X
GRAC_SPM
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
The Background Job for Log Collection can be scheduled periodically from SM36
using program GRAC_SPM_LOG_SYNC_UPDATE.
BUSINESS ROLE MANAGEMENT
1. VERIFY DEFAULT CONFIGURATION PARAMETERS
2. Maintain AC owners
Go to NWBC -> Access Management -> Access Control Owners and maintain the owners
After this is done it is possible to configure these users as role owners
Configuration steps for BRM
3. Maintain Role Type Settings
In this customizing activity, you can activate or deactivate role types.
All role types are set as active by default
The following role types are pre delivered:
BUS -Business Role
COM -Composite Role
CUA -CUA Composite Role
DRD -Derived Role
GRP -Group
PRF -Profile
SIN -Single Role
TPL -Template
Deactivate Role Types
In the deactivate role type, check the inactive checkbox for the role types
that you do not want to include in the role types definition.
4. Maintain Labels for Role Types
In this customizing activity, you can maintain the description and language
for the role types; the description is displayed on the role maintenance screen
5. Specify Maximum Length for Role Type
Here you can specify the maximum length for the name of a role based on the role
type.
For example, you can specify that for Business Role type, the role can have maximum
length of 70 characters.
6. Role Naming Convention
Naming Convention for naming roles can be maintained here:
You can maintain a different naming convention for each role type
7. Role Attributes - Maintain Project and Product Release Name
Project and Product release name are attributes that you can assign to roles.
You can create and edit the list of available projects and product releases with
this customizing option
8. Role Attributes - Define Role Sensitivity
Role sensitivity is an attribute that you assign to roles.
This provides the ability to organize the authorization structure in the company
with transaction PFCG
ARM Access Request Management
Mandatory configuration for model user:
1. Configuration parameter: 2051 NO
2. Maintain Data Source Configuration:
SPRO-GRC-AC-Maintain Data Source Configuration
- 1. User Search Data Source - New Entries-
- Target Connection: bpdclnt455
- Sequence: 1
- User Data Type: SU01
- 2. User Detail Data Source (same as above)
- 3. User Authentication Data Source (same as above)
- 4. End User validation: YES
BRF+
Please check table FDT_ADMN_0000 for Object Type AP (Application) and FU
(Function). See if your ZINIT_CUST01 exists already
GRFNMW_DBGMONITOR_WD
slg1
sost
CREATE APPROVER:
ROLES:
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
SAP_GRC_NWBC
SAP_GRAC_ACCESS_APPROVER
GRFNMW_CONFIGURE
Prepared by Shahid (service.sap.grc10@gmail.com)
The GRACROLE table stores the methodology for the role
RSUVM002
TUTYP
USMM
GRC_MSMP_CONFIGURATION
https://www.youtube.com/watch?v=9vWiJ3tNTTg