A Beginners Guide to the Post-Installation Configuration of SAP Access Control

May 22, 2018 | Author: Heverton Kesseler | Category: Login, Graphical User Interfaces, Access Control, Tab (Gui), Menu (Computing)



Hands-On Lab: Part 1: A beginner's guide to the post-installation configuration of SAP Access Control

Kurt Hollis, David Jayne, and Phil Dunbar

SECTION 1 - Lab Contents

• Section 1:
  o Lab Overview
  o Lab Schedule
  o Lab User Access Information
• Section 2: GRC Post-Installation Setup Steps and Verification
• Section 3: GRC Risk Analysis Configuration and First Risk Analysis
• Section 4: GRC Emergency Access Configuration and First Emergency Access
• Section 5: GRC Access Request Configuration and First Access Request

SECTION 1 - Lab Overview

• GRC System for this lab is running locally on the laptops and not on a server across the network.
• We have 50 GRC systems running here, one per laptop.
  o This was done to guarantee good performance and complete independence from others working on the same system.
• The system is strictly yours and not shared.
• Laptop is running VM Workstation 10.
• The GRC system is running on Windows 2008 R2 Enterprise Server and uses MS SQL 2012 database.
• The GRC system is based on SAP NetWeaver 7.40 SP09.
• The GRC system is running GRCFND_A 10.1, SP07.
• The GRC plug-in is installed and is version 10.1, SP07.
• The SAP GUI is installed and is version 7.30 SP4.
SECTION 1 - Lab Schedule

Wednesday, March 18th 2015 (8:30-11:45)

• Lab Overview I: 15 Minutes (8:30-8:45)
• Lab – Part 1: 75 Minutes (8:45-10:00)
• Short Break: 15 Minutes (10:00-10:15)
• Lab Overview-II: 15 minutes (10:15-10:30)
• Lab – Part 2: 75 Minutes (10:30-11:45)

SECTION 1 - Lab User Access Information

• SAP System SID is “GRD”
• Client number is 200
• Server host is “grc10train” in domain grc2014.com, Instance number is 00
• Login to start the SAP System is grdadm, password is “Deloitte.1” (alternate login is user grctrain)
• Use the MMC Console to start the system
• Start the SAP GUI
• Launch the GRD system GUI
• Login to client 200 as grctrain1, grctrain2, and grceamadm (for Section 4 only) with password of “grc2015lab”
• Launch Transaction “NWBC” for the GRC Web Interface

Steps to Bring Up the Lab System:

Note: The steps below for starting up the lab system may have been done already in the classroom. The instructors will notify the entire class about the status of the laptop systems.

• Log in to the laptop
• Navigate to folder C:\DRIVERS\SAP.OVF
• Launch the GRC10_NEW.vmx by double clicking it in the above folder
• The VMWARE Workstation control panel launches
• Then power on the VM GRC10_TRAIN (USSLTCSNW1513) system (click the power on button)
• Use the menu drop-down to log in (Control+Alt+Delete) from the menu, not from the keyboard, and then log in to the system
• You may want to go to the control panel display and increase the display size to 1024x768 or slightly greater, but not too much or you will be scrolling windows around to see everything
• Start the SAP system using the MMC console
• Launch the SAP GUI and login to GRD
• Screen prints are in Section 2 of this lab guide
SECTION 2 - GRC Post-Installation Setup Steps and Verification

• Bring System up and Login to the System
• Workflow Setup
• EMAIL Setup
• Verify the Client Copy is Completed
• Test NWBC user Interface
• System Connections Setup
• Activate Applications in Client
• New UI5 Odata Services
• Maintain Web Services in SMICM (HTTP)
• STRUST SSO Setup

Section 2 Step 1 - STARTUP LOGIN

The lab system should have the Lab Image “GRC10TRAIN” loaded for you already. If not, contact the instructor.

Log in to the SAP system using grdadm, password is “Deloitte.1”. Start the SAP system using the MMC console in Windows. Using the MMC console, right-click on GRD and select Start from the menu. System starts in a few minutes.

Start SAP GUI and connect to GRD System. SAP Login screen. Log in to the GRD system. Log in client 200 with user grctrain1 (or grctrain2 for some parts of the lab) and password “grc2015lab”.

Section 2 Step 2 - CLIENT COPY (VERIFY STEP ONLY, NO CHANGES)

After logging into the system, perform the post-installation steps for GRC. First check is to verify the client copy from client 000 to client 200 has completed successfully. We previously made this copy using client copy profile SAP_ALL. This is the recommended way to copy the client for a new system.

Navigate the menu tree: Tools → Administration → Client Administration → Copy Logs. Screen is as shown above. Verify the copy was successful.

Section 2 Step 3 - SPRO Activate GRC Apps (VERIFY STEP ONLY, NO CHANGES)

Next step is done using transaction SPRO. Transactions are entered into the blank field in the upper left. Click on the button “SAP Reference IMG.”

NOTE: Much of the configuration is done using transaction SPRO and the SAP Reference IMG during this session.

In the menu that comes up, go to the area Governance, Risk and Compliance → General Settings → Activate Applications in Client. Three applications exist in this setting: GRC-AC, GRC-PC, and GRC-RM. We are activating only GRC-AC for this system. It must be activated. Verify the setting only, no changes needed. Exit this screen.

Section 2 Step 4 - ICF SETTING (VERIFY STEP ONLY, NO CHANGES)

We are done with SPRO for a moment. Exit SPRO. Now enter transaction SICF. Maintain Services for Web Applications allows the content to be used in the system. Click the EXECUTE button under Maintain Services.

Verify the Services are activated. (Just check it, no need to do any changes here.) See the screen below: public, bc, grc. See that the public, bc, grc, iwbep, and opu are bold, this means they are activated. No changes needed here, verify only. Exit this screen.

Section 2 Step 5 - ICM SETTING (VERIFY STEP ONLY, NO CHANGES)

Now enter transaction SMICM. Go to menu Goto → Services. Check the services. Verify the HTTP, HTTPS, and SMTP services are enabled. Verify the timeout settings are 3600 for Keep Alive, 1800 for Process Timeout. No changes needed here, verify only. Exit this screen.

Section 2 Step 6 - SSO SETTING (VERIFY STEP ONLY, NO CHANGES)

Now enter transaction STRUSTSSO2. Check that the System PSE is green and the SSL server, client, and client SSL are green. This is needed for NWBC operation. No changes needed here, verify only. Exit this screen.

This setup requires entries in the system profiles and the SAPCRYPTO libraries to be installed in the Kernel at the operating system level of the SAP system. This is an example of settings in the system profile needed for NWBC and GRC. No need to verify this (provided as FYI).

Section 2 Step 7 - UI5 ODATA Gateway SETTING (VERIFY STEP ONLY, NO CHANGES)

Set up new User Interface (UI5) views and SAP Netweaver Gateway. This is required for the new Access Control Request Screens in the NWBC and the Remediation View for the User Level Risk Analysis.

Go back into SPRO again. Navigate to SAP Netweaver → Gateway → OData Channel → Administration → General Settings and execute Activate and Maintain Services. Look at the ICF Nodes and System Aliases at the bottom of the screen. The ICF Node needs to be active and the System Alias needs to have assigned LOCAL Alias. No need to make any changes here, this step is verify only. Exit this screen.

Section 2 Step 8 - NWBC SCREEN (VERIFY STEP ONLY, NO CHANGES)

Launch and test the NWBC interface. Now that all the previous steps have been completed, it is possible to test the NWBC interface.

Enter transaction NWBC in the transaction window to the right of the green check. If you are currently not at the main menu and inside another screen, enter /nNWBC to run the transaction. The NWBC screen should appear in a new browser window (pop up).

Navigate to each sub menu My Home, Setup, Access Management, Reports and Analytics one at a time to test this access. See each sub-menu appear. No need to make any changes here, this step is verify only. Exit this screen.

Section 2 Step 9 - WORK FLOW SETUP (VERIFY STEP ONLY, NO CHANGES)

Workflow Customizing. Go back into SPRO IMG again. Navigate to GRC → General Settings → Workflow, and execute Perform Automatic Workflow Customizing.

Before it looked like screen print below on the left. After it should look like screen print below on the right.

BEFORE / AFTER

Please see the sections of this menu, click on them, and read the text in the right-hand pane for instructions followed during setup.

We need to verify a few items. The following are just checks, no changes are needed. Check that the jobs are scheduled. These should all have green checks. The Event Queue job is optional and sometimes will not be running, this is OK. The RFC destination is important, see the USER used for this function. Please take note of this user. No changes required.

Section 2 Step 10 - WORK FLOW TASKS (requires changes during this step)

Go to transaction SPRO again, into the IMG. Perform Task Specific Customizing by selecting Governance, Risk and Compliance → General Settings → Workflow → Perform Task-Specific Customizing. Enter into Workflow. Expand the GRC area. We will explore the GRC-SPC agents and event linking.

Click on Assign Agents across from the GRC-SPC area. Select the line and click the Attributes button. This procedure is only done for the tasks with IDs starting with letters TS, not WS. A pop-up displays. Set General Task and click the Transfer button. Check the setting in the screen. It should now say General Task.

Now, go back to the screen before and select the “Activate event linking” for the GRC-SPC workflow. Scroll down to the bottom of the list until you see the WS Events. Click on the Deactivated button for the WS 75900005 event to activate it.

You will need to create a transport request as part of this process. Click the white paper icon. Enter a Short Description and click Save. Click the save icon to save the request. Then click the green check button.

Click the Puzzle piece Icon. In the pop-up, change the error feedback to “Do not change linkage” and click save. Exit this application.

This exercise was an example of the settings needed in this area for the Workflow setup. These settings have already been made for your systems. Click the note with the glasses and review the documentation for this IMG activity.

Note: For Access Control, more steps need to be completed when the system has the plug-in installed. These are not covered in this lab due to time constraints.

Section 2 Step 11 - CONNECT SYSTEMS (PARTS OF THIS STEP ARE PERFORMED)

Set up the connectors to the other systems. These steps are very important for the integration of SAP systems with the GRC applications. Setup of the connectors involves settings made in seven places. Many of the settings are done already for you. However, you will have to make certain settings. These are pointed out to you. We are not covering the Portal integration, LDAP integration, or non-SAP integration in this lab due to time constraints and level of complexity.

Go back into the SPRO IMG and navigate to the Integration Framework under Governance, Risk and Compliance → Common Component Settings → Integrated Framework. The first part is in this area of the IMG.

Part 1 - CREATE CONNECTORS

IMG area we are focusing on first. Enter the first IMG activity step “Create Connectors.” This is actually transaction SM59. This step is already done for you. Please verify the settings.

Look at the ABAP connections and find GRDCLNT200. Double-click and verify the settings. RFC Connection is GRCCLNT200. We are actually connecting back to the same system, GRC system to GRC system. This is possible because we have the GRC Plug-In installed in this system.

Verify the settings. See the details under the Login and Security tab. The correct client 200 is filled in. The user must have the correct roles assigned in the remote system. No changes, verify only. Exit the connector settings after verifying them.

The next setting is the “Maintain Connectors and Connection Types.” Here we are assigning the connectors to the connection types and the connector groups. We are only using SAP type here. Click Define Connectors after selecting the SAP box on the left side. Verify the connector is GRDCLNT200. This is how you assign the connector to each connector type. Assign connector type SAP if blank.

After clicking into the DEFINE CONNECTOR GROUP, select the line SAP_BAS_LG, and then click the ASSIGN CONNECTORS TO CONNECTOR GROUP FOLDER. The connector group is based on the rule sets loaded. We are using only the GRAC_RA_RULESET_SAP_BASIS rule set for this training (SAP_BAS_LG). Please only assign the SAP_BAS_LG for this training class. See below for guidance.

Rule Sets (EXAMPLE ONLY)

• GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)
• GRAC_RA_RULESET_SAP_HR: Rules for HR only (SAP_HR_LG)
• GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)
• GRAC_RA_RULESET_SAP_BASIS: Rules for Basis (SAP_BAS_LG) ← We are only using this one
• GRAC_RA_RULESET_SAP_APO: Rules for APO (SAP_APO_LG)
• GRAC_RA_RULESET_SAP_CRM: Rules for CRM (SAP_CRM_LG)
• GRAC_RA_RULESET_SAP_ECCS: Rules for ECCS (SAP_ECC_LG)
• GRAC_RA_RULESET_SAP_SRM: Rules for SRM (SAP_SRM_LG)
• GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)
• GRAC_RA_RULESET_ORACLE: Rules for Oracle Apps (ORACLE_LG)
• GRAC_RA_RULESET_PSOFT: Rules for PeopleSoft HRMS (PSOFT_LG)

The last step in this top section of the connector settings is one of the most important.

Maintain Connectors Settings: In the Work Area pop-up, select each of the integration scenarios one at a time. The connectors for AUTH, PROV, and SUPMG have already been set up for you. Verify these.

YOU MUST SET UP THE CONNECTOR FOR SCENARIO ROLMG! Please set up the connector GRDCLNT200 with integration scenario ROLMG. Steps are below.

Select the ROLMG scenario and get to the screen below. Now click the box next to the ROLMG sub scenario definition and click the Scenario-Connector Link on the right. This brings up a screen where you assign the connector GRDCLNT200. Click New Entries on the screen. From the selection box that pops up, select the connector GRDCLNT200. Click the Save icon on the top menu bar. A transport request comes up. Click the white paper icon and create a new request and fill in the description as shown below. Click the green check and save it. This same process would be repeated for each scenario.
According to an SAP Note, it is needed to fill them out for all scenarios even if you are using only one of them. This is done. Now use the arrow keys to exit this step until you are back at the IMG menu.

Part 2 of the connector settings is under the Access Control area and contains four steps. Perform the validation of this next.

Click on configuration item “Maintain Connector Settings” and verify the target connector GRDCLNT200 is assigned. Click in the Application Type area to see what the drop-down list provides. We are only using SAP type for this system. No changes needed. When done reviewing, exit this screen.

In the next step in the IMG, open Maintain Mapping for Actions and Connector Groups. Notice the connector group(s). We are working with the SAP_BAS_LG group. Select the SAP_BAS_LG group and click on the right side Assign default connector. Here we have to fill in multiple entries. One entry for each action 1, 2, 3, 4. Click the Action drop-down to see the list of actions available. These are assigned for the connector group we are using, which is SAP_BAS_LG. Verify this is correct. Exit this screen. Click the green arrow back a few times to get to the IMG menu again.

Now for the last item, Plugin settings. Verify the Plugin settings. It needs one single entry for GRDCLNT200. This system is also connected to itself using the GRC Plug-In. So we are using the same GRC system to manage the GRC systems for Access Control applications. Exit this screen back to the IMG menu.

The connection is now setup for the applications and will appear in the application screens when choosing the system. This section is very important for all applications in Access Control to function, such as Risk management, Super User management, and user provisioning functions, and must be done before configuring the applications.

END OF LAB SECTION 2 – Congratulations, this was a big section to complete.
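For the SMICM and SSO checks in Section 2 Steps 5 and 6, the same values can be checked offline against a copy of the instance profile. The following Python check is an added example, not part of the lab guide: the sample profile is constructed, and the logon-ticket values and the choice to test the timeouts on HTTP and HTTPS only are assumptions.

```python
import re

# Constructed sample profile excerpt (not taken from the lab system). HTTPS
# carries a short PROCTIMEOUT and login/create_sso2_ticket is missing, so the
# checker has two deviations to report.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = GRD
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=3600,PROCTIMEOUT=1800
icm/server_port_1 = PROT=HTTPS,PORT=443$$,TIMEOUT=3600,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=25,TIMEOUT=120,PROCTIMEOUT=120
login/accept_sso2_ticket = 1
"""

# From the lab guide, Section 2 Step 5 (SMICM): services and timeouts.
REQUIRED_PROTOCOLS = ("HTTP", "HTTPS", "SMTP")
EXPECTED_TIMEOUTS = {"TIMEOUT": "3600", "PROCTIMEOUT": "1800"}
# Assumption: the two timeouts are checked on the web protocols only.
TIMEOUT_PROTOCOLS = ("HTTP", "HTTPS")
# Assumption: usual logon-ticket values; the guide's profile screenshot did
# not survive, so these do not come from the page.
EXPECTED_SSO = {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "2"}


def parse_profile(text):
    """Return {parameter: value}; a later definition overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: server_port values contain '=' too.
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_server_ports(params):
    """Map protocol -> option dict for every active icm/server_port_<n>."""
    services = {}
    for key, value in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", key):
            continue
        options = {}
        for item in value.split(","):
            name, sep, val = item.partition("=")
            if sep:
                options[name.strip().upper()] = val.strip()
        if options.get("PORT") == "0":
            continue  # PORT=0 leaves the service switched off
        prot = options.get("PROT", "").upper()
        if prot:
            services[prot] = options
    return services


def check_profile(text):
    """Return a sorted list of findings; an empty list means all checks pass."""
    params = parse_profile(text)
    services = parse_server_ports(params)
    findings = []
    for prot in REQUIRED_PROTOCOLS:
        if prot not in services:
            findings.append(f"{prot}: no active icm/server_port entry")
    for prot in TIMEOUT_PROTOCOLS:
        opts = services.get(prot)
        if opts is None:
            continue  # already reported as missing above
        for name, want in EXPECTED_TIMEOUTS.items():
            got = opts.get(name)
            if got != want:
                findings.append(f"{prot}: {name}={got or 'unset'}, expected {want}")
    for name, want in EXPECTED_SSO.items():
        got = params.get(name)
        if got != want:
            findings.append(f"{name}={got or 'unset'}, expected {want}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

An empty result only confirms the profile text; the running values are still the ones shown in SMICM and STRUSTSSO2.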
SECTION 3 - GRC Risk Analysis Configuration and First Risk Analysis

• Activate BC Sets (Rule Sets)
• Run the Full Batch Risk Analysis
• Run the Batch Risk Analysis Monitor
• Generate the Rules
• Test Risk Analysis
• Run the Risk Violation Dashboards
• Maintain Configuration Settings for ARA
• Run the Synchronization Jobs
• Check the Application Logs SLG1

Section 3 Step 1 - BCSET ACTIVATE

Activate BC Sets. At the main menu of the system (out of the IMG/SPRO screen), enter transaction SCPR20.

We are only activating the two rules sets we are using. Only the two needed for this section. The other BCSETS will be activated during other lab steps when needed. The full table is shown for reference. DO NOT ACTIVATE THE GREYED OUT BCSETS YET.

Access Risk Analysis

• GRAC_RA_RULESET_COMMON: SOD Rules Set (We activate this one now)
• GRAC_RA_RULESET_JDE: JDE Rules Set
• GRAC_RA_RULESET_ORACLE: ORACLE Rules Set
• GRAC_RA_RULESET_PSOFT: PSOFT Rules Set
• GRAC_RA_RULESET_SAP_APO: JDE Rules Set
• GRAC_RA_RULESET_SAP_BASIS: SAP BASIS Rules Set (We activate this one now)
• GRAC_RA_RULESET_SAP_CRM: SAP CRM Rules Set
• GRAC_RA_RULESET_SAP_ECCS: SAP ECCS Rules Set
• GRAC_RA_RULESET_SAP_HR: SAP HR Rules Set
• GRAC_RA_RULESET_SAP_NHR: SAP R/3 less HR Basis Rules Set
• GRAC_RA_RULESET_SAP_R3: SAP R/3 AC Rules Set
• GRAC_RA_RULESET_SAP_SRM: SAP SRM Rules Set

Access Request Management

• GRAC_ACCESS_REQUEST_REQ_TYPE*: Request Type
• GRAC_ACCESS_REQUEST_EUP*: EUP (Note: Only the value EU ID 999 is valid for this BC set.)
• GRAC_ACCESS_REQUEST_APPL_MAPPING*: Mapping BRF Function IDs and AC Applications
• GRAC_ACCESS_REQUEST_PRIORITY*: Request Priority

Business Role Management

• GRAC_ROLE_MGMT_SENTIVITY*: Sensitivity
• GRAC_ROLE_MGMT_METHODOLOGY*: Methodology Process and Steps
• GRAC_ROLE_MGMT_ROLE_STATUS*: Role Status
• GRAC_ROLE_MGMT_PRE_REQ_TYPE*: Prerequisite Types

Superuser Management

• GRAC_SPM_CRITICALITY_LEVEL*: Criticality Levels

Workflow

• GRC_MSMP_CONFIGURATION*: MSMP Workflow Configuration Rules Set
Steps to activate the BCSETS

Fill in the name GRAC_RA_RULESET_COMMON and click the Activation button. A transport request may pop up, fill this in and save using green check mark. If it is to be a new request, click the white paper icon to create a new request. Then fill in and save it.

After activating this BC Set, you get the below message at the bottom of the screen.

Perform the steps again for the other BC Set GRAC_RA_RULESET_SAP_BASIS. Activate it. That concludes the rule set activation.

Section 3 Step 2 - Generate Rules

Generate Access Rules. There are alternative methods to generating the rules. In the NWBC interface, in the RULESET sub-menu, you can generate the rule set rules there. For this exercise, we are using the IMG method below.

Generate the rules by going to IMG under Governance, Risk and Compliance → Access Control → Access Risk Analysis → SoD Rules → Generate SoD Rules. Fill in the full range in the drop-down, from the first entry on the left to the last entry on the right. Execute this. A small message appears at the very bottom of the screen showing program is completed.

Section 3 Step 3 - Config Settings (No changes needed, verify only)

Maintain Configuration Settings. Use SPRO to review the configuration settings, no changes needed. Note the setting for the Risk Analysis. No changes needed here, only look at them, verify only.

Answer one question below. What is the Default Rule Set used? HINT – Look at Param ID 1025.

FYI – SAP has a guide dedicated to the configuration settings available for download.

Section 3 Step 4 - Check Rules (No changes needed, verify only, important step)

Run the NWBC and check that the rules are loaded. The Web browser launches. Check that the Access Risks, Functions, and Rule Set exists. See next three screens.

Check that the Access Risks exist. Check that the Functions exist. Check that the Rule Set exists.
What is the Rule Set Name? If any of the above screens are empty, contact the instructor in the room immediately! This needs to be correct before proceeding.

Section 3 Step 5 - Sync Jobs

We need to run the Synchronization jobs to get the user, role, profile, and authorizations data from the source systems. In our case, the source system is also the same GRC system. We run two jobs.

1st Job to run = Authorization Data Synchronization

In IMG go to Access Control → Synchronization Jobs and run Authorization Synch (program GRAC_PFCG_AUTHORIZATION_SYNC). This program contains three jobs: Org. Value sync, Transaction Sync, and Objects sync.

Fill in the Connector name and click Execute. We run this in the foreground. It is recommended you run it in the background, but we will run it in foreground during this lab exercise. This is fine for learning purposes, such as this training. The result screen comes up in about three to five minutes.

Note: Larger ERP systems may take 30-40 minutes to run. That is why background processing is usually preferred. It should not take that long for these systems.

NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and SE38 to create the variants to store the values in the fields so they can be used over and over again.

(Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)

In the same path go to Repository Object Synch (program GRAC_REPOSITORY_OBJECT_SYNC). Be sure to select the Full Sync Mode. This job runs in one to three minutes.

NOTE: On larger systems with many users and roles, this job may take 10-20 minutes to run. Usually a full sync is done weekly and an incremental sync is done daily. More frequent jobs can be scheduled to allow new users and roles to be used in the GRC analysis jobs, reports, and ad-hoc analysis.

(Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)

Completed job output above.

NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and SE38 to create the variants to store the values in the fields so they can be used over and over again.

Section 3 Step 6 - Run Risk Analysis

Now you should be able to run a risk analysis. Let’s test this. Run the NWBC again. Go to the main menu of the system and run the NWBC transaction. In the NWBC Browser window, click the Access Management sub-menu. Go to Access Management Workcenter and run a User Level Risk Analysis on a specific user.

Run the User Level analysis first. Fill in the screen. Use system GRDCLNT200 and user GRCTRAIN1. Use the minus button to remove unwanted items from the query screen. Fill out as shown below. Check the settings carefully. Run in foreground.

View the results. Example below:

Run the same Risk Analysis – User Level, change the Report Options for REMEDIATION VIEW only. After choosing Remediation view, it will look like the above. It may take longer to come up.

(Note – screen above shows system GRDCLNT100 in this example, your screen will be actual system GRDCLNT200)

Perform the same steps for the Role Level analysis. Use role SAP_GRC_SPC_SETUP for this analysis test.

Results of ROLE analysis above.

Section 3 Step 7 - Setup Parallel Jobs

Set up Parallel Jobs capability. This is in preparation of running the full batch risk analysis.

Run RZ12 transaction (not in the IMG menu). Check if the Login Group parallel_generators exists. If so, verify the settings as shown below. Otherwise, click the white paper icon to create the group assignment. The name must be “parallel_generators” to be used in the applications.

Click Save. A message will appear at bottom in yellow. IGNORE WARNING and press enter to save it. You must press enter to save and get past this screen! Go in and check the entry again to make sure it saved.

Section 3 Step 8 - Run Full Batch Risk Analysis

To run the Full Batch Risk Analysis, go into the SPRO transaction again and click on the Execute Batch Risk Analysis menu item. Fill out the screen as shown and execute the job.

NOTE: It is possible to also run using a transaction GRAC_BATCH_RA (or program GRAC_BATCH_RISK_ANALYSIS) as an alternative.

Fill out the Batch Risk Analysis screen as shown above and execute it. It will take about 10-15 minutes to complete it. You will monitor the job during this time. After running this job, move immediately to the next step on how to monitor the job.

Section 3 Step 9 - Monitor Batch Risk Analysis

Monitoring the Batch Risk Analysis. Using SPRO (IMG) go to the menu Access Risk Analysis and run Monitor Batch Risk Analysis.

Note: You can monitor the batch risk analysis job with transaction GRACRABATCH_MONITOR.

We have noticed some time issues with the system time not matching the time in Vegas. With time out of sync, you may miss picking up the jobs in the search. Change the dates so the start date is one day earlier. Making the date range larger will help to pick up the jobs.

Click the box in front of the job row and click Show Details. Drill into the details to see the detailed status. You can see what is going on while it is running. For large systems, this job can take a long time.

Check that the job is using parallel processes. Use transaction SM50 while the job is executing in the background to see the two batch work processes running the job. Below is SM50 screen.

Section 3 Step 10 - View Dash Boards

View the Risk Analysis dashboards. The data in the dashboards are only visible after running the batch risk analysis jobs.

In the NWBC screen, go to the Reports and Analytics menu. We will run the Risk Violations, User Analysis, and Role Analysis dashboards. Run each one, one at a time. These pop up in another window. See below screens for examples.

The Risk Violations screen is interactive. You can click into the pie chart or bar chart items to see the detail below them. Try this for both the pie chart HIGH and MEDIUM and BS00 in the bar chart. Be sure to drill down in the next screens that open. Check out the details.

Check the User Analysis dashboard too. Try changing the Analysis Type from User to Role. Explore the details.

Find the GRC roles in the Role Analysis dashboard. They begin with SAP_GRC.

The data in the dashboards is based on the Batch Risk Analysis job. This job needs to be scheduled nightly to get the data updated.

Section 3 Step 11 - SLG1 Appl Errors

Check the Application logs for errors. Run transaction SLG1 in the GRD system. Fill the screens as shown below and execute. See examples of log output below. This is a very useful tool for GRC applications when problems are occurring.

SECTION 4 - GRC Emergency Access Configuration and First Emergency Access

Special User Instructions:

1) The steps to configure the “Emergency Access Management” component of GRC 10.1 are illustrated in this section. The users to be used for each step are pointed out in the documentation.
2) Please log in using GRCEAMADM for all the steps except for Step 10, where you will use GRCTRAIN1 and GRCTRAIN2 for configuration and testing the EAM functions.

High Level Overview of the Configuration Steps

A pictorial depiction of the high-level configuration steps is shown below:

• Activate BC Sets (Emergency Access)
• Assign Firefighter IDs to Firefighters
• Access Firefighter ID
• Add Connectors to Firefighting Scenario (SUPMG)
• Define Owners and Controllers
• Run Log Collection Job
• Maintain Configuration Settings
• Complete Synchronization
• Access and Review Firefighter Logs
• Maintain Criticality Levels
• Create Firefighter IDs in Target Systems

Section 4 Step 1 - Activate BCSETS (Logged in as user GRCEAMADM)

Activate BC Sets. Enter transaction code SCPR20. Enter GRAC_SPM_CRITICALITY_LEVEL in the BC Set field and press F7 or click Activate. Create a new transport request or assign to an existing one. Use the Expert Mode under the Activation Options window and click OK to complete the activation. On successful activation, a confirmation message is shown as below.

Section 4 Step 2 - Plug-In Settings (Logged in as user GRCEAMADM)

Maintain Plug-in settings. Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance (Plug-in) → Access Control → Maintain Configuration Settings. Review and ensure the values for the following parameters exist:

• 1089 → 1
• 1090 → SAP_GRAC_SPM_FFID

Section 4 Step 3 - SUPMG Connector (Logged in as user GRCEAMADM)

Add Connectors to the Super user Management Scenario (SUPMG). Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance → Common Component Settings → Maintain Connection Settings. Enter SUPMG in Integration Scenario and click OK. Highlight the row that indicates the SUPMG scenario and double-click the Scenario-Connector Link folder. Review and confirm the entry for the target connection as shown in the screen below. If no entry exists, click on New Entries and add the Target Connector.

Section 4 Step 4 - Criticality Levels (Logged in as user GRCEAMADM)

Review Criticality Levels for Emergency Access Management. Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance → Access Control → Emergency Access Management → Maintain Criticality Levels for Emergency Access Management. Confirm that criticality levels are populated in the table as indicated in the screen below. Changes can be made and saved, but would require the creation of a new transport or addition to an existing transport.
Section 4 Step 5 - Config Settings For EAM (Logged in as user GRCEAMADM)

Review Key Configuration Settings for Emergency Access Management. Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance → Access Control → Maintain Configuration Settings. Changes can be made and saved, but would require the creation of a new transport or addition to an existing transport.

Section 4 Step 6 - Create FF IDs (Logged in as user GRCEAMADM)

Create Firefighter IDs. Use Tcode SU01. Enter FF_TRAIN01 in the User field. Click Users (Top menu) and click Copy. In the To field, enter FF_TRAINGRC. Check all the boxes in the copy screen and click Copy (F5). In the Logon data tab, click on the Wizard button next to the Initial password field. Save the changes to complete the creation of the Firefighter ID.

Section 4 Step 7 - Run FULL Repository Sync Job (Logged in as user GRCEAMADM)

Synchronize Created Firefighter IDs using Tcode GRAC_REP_OBJ_SYNC. In the Connector field, use the Search button to choose the connector. Choose Full Sync Mode. Click Execute (F8) to complete the sync.

Section 4 Step 8 - Define Owners And Controllers (Logged in as user GRCEAMADM)

Define Owners and Controllers for the created Firefighter ID. Execute Tcode NWBC to launch the SAP NetWeaver Business Client window. Navigate to the Setup tab and click “Access Control Owners” under Access Owners Sub menu. Confirm that GRCTRAIN2 is setup as a Firefighter ID Owner and a Firefighter ID Controller. Once confirmed close the window.

Navigate back to the Setup tab and click Owners. Within the Owners window, click Assign at the top of the window. Search for user GRCTRAIN2. To choose the user, highlight it on the search screen and then click on it. Click on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs.
Choose FF_TRAIN01 and move it to the selected pane by highlighting it and using the directional arrow (shown above). Click Save on the Owner Assignment screen. To assign controllers, without leaving the Setup tab, click Controllers under Superuser maintenance. Within the Owners window, click Assign at the top of the page. Search for user GRCTRAIN2. To choose the user, highlight it on the search screen and then click on it. Click on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs. Add the Firefighter ID FF_TRAIN01 and set the ‘Notification by’ to Log Display.

Section 4 Step 9 - Define Reason Codes
Define Reason Codes for Firefighter Usage. (Logged in as user GRCEAMADM)
Execute transaction NWBC. Within the Setup folder tab, locate the Reason Codes link under Superuser Maintenance menu (bottom of the page) and click on it. Within the Reason Code window, click on Create to define a new reason code. Add the Reason Code and a long description within the respective text fields. To define the systems for which the created reason code is applicable, click Add within the system table. Click Save to save your changes once all the fields have been defined.

Section 4 Step 10 - Assign Firefighter
Assign Firefighter ID to Firefighter User. (Logged in as user GRCEAMADM)
Execute Transaction NWBC. Within the Setup folder tab, locate the Firefighters link under Superuser Maintenance menu (bottom of the page) and click on it. Click Assign at the top of the Firefighter window. Search for user GRCTRAIN2, highlight it on the search screen, and click on it to choose it. Click on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs. Choose FF_TRAIN01 and move it to the selected pane by highlighting it and using the directional arrow. Choose the Owner (GRCTRAIN1) from the search screen and click Save to save the assignment.
Section 4 Step 11 - Use Firefighter
Using a Firefighter ID. ** (Logged in as user GRCTRAIN1 now) **
Logout as GRCEAMADM. Ensure you are logged in as GRCTRAIN1. Execute transaction GRAC_EAM. Click the Logon button within the Emergency Access Management Dashboard. Choose a reason code from the Reason Code dropdown. Enter the planned activity within the text area (use your own). Enter transaction codes to be used (e.g. SU01, SU10, PFCG, SE38 etc.) within the Actions field. Click OK to launch the remote session.

Section 4 Step 12 - Run Log Sync Job
Execute the Firefighter Log Synchronization job to complete collection of the Activity log. (Logged in as user GRCEAMADM)
Execute Tcode GRAC_SPM_LOG_SYNC. Enter the connector name and click Execute (F8) to initiate the job that collects the activities performed under the Firefighter ID.

Section 4 Step 13 - View FF Logs
View the Firefighter logs.
Execute Tcode NWBC. Click the Reports and Analytics folder tab. Locate the Firefighter Log Summary Report link under the Emergency Access Management Reports menu and click on it. Click on ‘Run in foreground’ to view the generated log list. View the log by highlighting the item on the list and click Open to see the details.

SECTION 5 - GRC Access Request Configuration and First Access Request
• Activate BC Sets (User Provisioning)
• Create Access Request
• Approve Access Request
• Add Connectors to Firefighting Scenario (PROV)
• Complete Synchronization
• Review Auto Provisioning
• Maintain Configuration Settings
• Import Roles
• Maintain Provisioning Settings
• Activate MSMP Workflow

Section 5 Step 1 - Activate BCSETS
Activate BC Sets.
Enter transaction code SCPR20. Enter the BC Sets below, one by one in the BC Set field and use F7 or click Activate.
• GRAC_ACCESS_REQUEST_APPL_MAPPING
• GRAC_ACCESS_REQUEST_EUP
• GRAC_ACCESS_REQUEST_PRIORITY
• GRAC_ACCESS_REQUEST_REQ_TYPE
Create a new transport request or assign to an existing one. Select Expert Mode under the Activation Options window and click OK to complete the activation. On successful activation, a confirmation message is shown as below.

Section 5 Step 2 - Add Connector for Prov.
Add Connectors to the User Provisioning scenario (PROV).
Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance → Common Component Settings → Maintain Connection Settings. Enter PROV in Integration Scenario and click OK. Highlight the row that indicates the PROV scenario and double-click the Scenario-Connector Link folder. Review and confirm the entry for the target connection as shown in the screen below. If no entry exists, click on New Entries and add the Target Connector.

Section 5 Step 3 - Maintain Prov. Settings
Maintain Provisioning Settings.
Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance → Access Control → User Provisioning → Maintain Provisioning Settings. Double-click Maintain Global Provisioning Settings. Set the values as shown below.
• Role provisioning Type → Direct
• Auto Provisioning → Auto provisioning at end of request
• Role assignment → Check Provisioning Effective Immediately
Save the settings and add to transport request.

Section 5 Step 4 - Activate MSMP Workflow
Activate the MSMP Workflow.
Navigate to Tcode SPRO → SAP Reference IMG → expand Governance, Risk and Compliance → Access Control → Workflow for Access Control → Maintain MSMP Workflows. Go to Change mode and click on Step 7 (Generate Versions) and choose Activate. Confirm activation of the approval workflow.

Section 5 Step 5 - NWBC Role Import
Import Roles.
Execute Tcode NWBC. In the Access Management tab, under Role Mass Maintenance, click Role Import. In the Role Import screen, populate the screen as indicated below for Stage 1. For Stage 2, enter the details as shown below: For Stage 3, click Next to move to Step 4. In Step 4, set the job as a background job using the parameters shown below. A confirmation message is shown in Stage 5 indicating successful scheduling.

Section 5 Step 6 - Run Sync Jobs
Run the Synchronization job.
Execute Tcode GRAC_REP_OBJ_SYNC to initiate a repository sync job on completion of the background job from Step 5. Click Execute (F8) to initiate the job. On completion, the log is shown (example below).

Section 5 Step 7 - Create Access Request
Create an Access Request.
Execute Transaction NWBC. Within the My Home tab, click on Access Request to launch the Access Request screen. In the Access Request screen, fill in the fields as shown below. To add roles, click on Add and choose Role. Navigate to the User Details tab and fill in the First Name, Last Name and Email for the user. In the Add Role screen, click on Search to search for a role. Highlight one of the search results and use the arrow buttons to move them to the selected screen. Click OK to return to the Access Request screen. Click Submit to submit the access request.

Section 5 Step 8 - Approve Access Request
Approve the Access Request.
Login as GRCTRAIN2. Execute Tcode NWBC. From the My Home tab, click on Work Inbox. In the Work Inbox, locate the request number and click on it to open the Request Approval window. In the Approval window, review the request and click on Submit to approve the request. Enter comments in the Comments tab prior to approval. A confirmation message is shown on the approval.

Section 5 Step 9 - Review Auto Provision.
Review the Auto Provisioning.
Execute Tcode SU01. In the User field, enter GRCCONF01 and click Display. Navigate to the Roles tab and review the request role. Confirm that it was assigned to the user.

End of Lab – Great Job, you made it, and thanks for attending!!

APPENDIX – FOR YOUR REFERENCE: EMAIL SETUP (VERIFY STEP ONLY, NO CHANGES)

Section Appendix Step A
Enter Transaction SCOT to set up email. (Validation Only in this section, no changes!)
Click on SMTP Node under the Settings Folder, Outbound Messages Folder. Verify the settings in the screen below (NO CHANGES). The settings for Internet should have * in the SET button.
Check that the job is running. See the job runs every ten minutes. You can double click the Job Name to open the popup panel, verify the settings. No changes needed. Exit this transaction. (DO NOT PERFORM THE FOLLOWING COMMAND, SCOT, READ ONLY)

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2015 Wellesley Information Services. All rights reserved.