Configuration Access Control




Maintaining Configuration Settings in Access Control

Applies to: Access Control 10.1 SP08 (revised)

Summary: This guide contains additional information about the parameters used when configuring Access Control. The information covers the configuration parameters available as of Access Control 10.1.

Created: March 2015
Version 1.7.0
© 2015 SAP AG

Document History

Document Version | Description
--- | ---
1.00 | Initial release
1.10 | Modified parameters 1048, 1049, 1050
1.20 | Modified parameter 2013
1.30 | Added parameter 5031
1.40 | Added parameters 1124, 5026, 5027, 5028, 5032
1.4.1 | Added parameters 1014, 1047, 1125, 1073, 2008, 3027, 4016, 4017, 4019, 5022, 5023
1.5.0 | Removed parameter 1000; added parameters 1015, 1054; updated parameter 1071; added parameters 1302, 2048, 2060, 2061, 2401, 3028, 4018, 5033
1.6.0 | Modified parameter 1050; added parameters 1126, 1127, 2020, 4020
1.7.0 | Modified parameters 1027, 1038, 1048, 1062, 1063, 1064, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1302, 2009, 2011, 2023, 2038, 2040, 2047, 2048, 2050, 3005, 3019, 3029, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4007, 4008, 4009, 4010, 4012, 5026, 5027, 5028, 5033

Typographic Conventions

Type Style | Description
--- | ---
Example text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Description
--- | ---
Caution | 
Example | 
Note or Important | 
Recommendation or Tip | 

Table of Contents

1. Maintain Configuration Settings
   1.1 Standard Settings
   1.2 Activities
   1.3 Details of Configuration Parameters
2. Copyright

1. Maintain Configuration Settings

This document covers the use of the Customizing activity available through the transaction SPRO. In this activity, you maintain the global configuration settings and parameters used in Access Control. Access the Maintain Configuration Settings activity under Governance, Risks, and Compliance > Access Control.

Note: Values labeled as <empty> have no default value.

The activity includes settings for the following parameter groups:

01 Change Log
02 Mitigation
03 Risk Analysis
04 Risk Analysis - Spool
05 Workflow
06 Emergency Access Management
07 UAR Review
08 Performance
09 Risk Analysis - Access Request
10 Role Management
11 Risk Analysis – Risk Terminator
12 Access Request Role Selection
13 Access Request Default Roles
14 Access Request Role Mapping
15 SOD Review
16 LDAP
17 Assignment Expiry
18 Access Request Training Verification
19 Authorizations
20 Access Request Business Role
21 Management Dashboard Reports
22 Access Request Validations
23 Simplified Access Request
24 Access Control – General Settings

1.1 Standard Settings

The following table lists the delivered parameters and default values.
Parameter Group | Parameter ID | Description | Default Value
--- | --- | --- | ---
Change Log | 1001 | Enable Function Change Log | YES
Change Log | 1002 | Enable Risk Change Log | YES
Change Log | 1003 | Enable Organization Rule Log | YES
Change Log | 1004 | Enable Supplementary Rule Log | YES
Change Log | 1005 | Enable Critical Role Log | YES
Change Log | 1006 | Enable Critical Profile Log | YES
Change Log | 1007 | Enable Rule Set Change Log | YES
Change Log | 1008 | Enable Role Change Log | YES
Change Log | 5001 | SLG1 Logs for HR Trigger | HIGH
Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365
Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO
Mitigation | 1013 | Consider System for mitigation assignment | NO
Mitigation | 1014 | Enable separate authorization check for mitigation from access request | NO
Mitigation | 1015 | Get data for Invalid Mitigation Report from Management Summary table | NO
Risk Analysis | 1021 | Consider Org Rules for other applications | NO
Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | <empty>
Risk Analysis | 1023 | Default report type for risk analysis | 2
Risk Analysis | 1024 | Default risk level for risk analysis | 3
Risk Analysis | 1025 | Default rule set for risk analysis | <empty>
Risk Analysis | 1026 | Default user type for risk analysis | A
Risk Analysis | 1027 | Enable Offline Risk Analysis | NO
Risk Analysis | 1028 | Include Expired Users | NO
Risk Analysis | 1029 | Include Locked Users | NO
Risk Analysis | 1030 | Include Mitigated Risks | NO
Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES
Risk Analysis | 1032 | Include Reference user when doing user analysis | YES
Risk Analysis | 1033 | Include Role/Profile Mitigating Controls in Risk Analysis | YES
Risk Analysis | 1034 | Max number of objects in a package for parallel processing | 100
Risk Analysis | 1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
Risk Analysis | 1036 | Show all objects in Risk Analysis | NO
Risk Analysis | 1037 | Use SoD Supplementary Table for Analysis | YES
Risk Analysis | 1038 | Consider FF Assignments in Risk Analysis | NO
Risk Analysis | 1046 | Extended objects enabled connector | <empty>
Management Dashboard Reports | 1047 | Default Management Report Violation Count | P
Risk Analysis | 1048 | Business View for Risk Analysis (Technical View) is Enabled | NO
Management Dashboard Reports | 1049 | Default Management Report Risk Type | ALL
Risk Analysis | 1050 | Default Report View for Risk Analysis | Remediation View
Risk Analysis - Spool | 1051 | Max number of objects in a file or database record | 200000
Risk Analysis - Spool | 1052 | Spool File Location | <empty>
Risk Analysis - Spool | 1053 | Spool Type | D
Risk Analysis - Spool | 1054 | Max number of violations supported in Organization Rule Analysis | 500000
Workflow | 1061 | Mitigating Control Maintenance | NO
Workflow | 1062 | Mitigation Assignment | NO
Workflow | 1063 | Risk Maintenance | NO
Workflow | 1064 | Function Maintenance | NO
Risk Analysis - Access Request | 1071 | Enable risk analysis on form submission | NO
Risk Analysis - Access Request | 1072 | Mitigation of critical risk required before approving the request | NO
Risk Analysis - Access Request | 1073 | Enable SoD violations detour on risks from existing roles | NO
Risk Analysis - Risk Terminator | 1080 | Connector enabled for Risk Terminator | <empty>
Risk Analysis - Risk Terminator | 1081 | Enable Risk Terminator for PFCG Role Generation | NO
Risk Analysis - Risk Terminator | 1082 | Enable Risk Terminator for PFCG User Assignment | NO
Risk Analysis - Risk Terminator | 1083 | Enable Risk Terminator for SU01 Role Assignment | NO
Risk Analysis - Risk Terminator | 1084 | Enable Risk Terminator for SU10 multiple User Assignment | NO
Risk Analysis - Risk Terminator | 1085 | Stop role generation if violations exist | NO
Risk Analysis - Risk Terminator | 1086 | Comments are required in case of violations | NO
Risk Analysis - Risk Terminator | 1087 | Send Notification in case of violations | NO
Risk Analysis - Risk Terminator | 1088 | Default report type for Risk Terminator | 2
Authorizations | 1100 | Enable authorization logging | NO
Workflow | 1101 | Create Request for Risk Approval | 12
Workflow | 1102 | Update Request for Risk Approval | 13
Workflow | 1103 | Delete Request for Risk Approval | 14
Workflow | 1104 | Create Request for Function Approval | 15
Workflow | 1105 | Update Request for Function Approval | 16
Workflow | 1106 | Delete Request for Function Approval | 17
Workflow | 1107 | Create Request for Mitigation Assignment Approval | 18
Workflow | 1108 | Update Request for Mitigation Assignment Approval | 19
Workflow | 1109 | Delete Request for Mitigation Assignment Approval | 20
Workflow | 1110 | High | 2
Workflow | 1111 | High | 3
Workflow | 1112 | High | 4
Workflow | 1113 | Access Control E-mail Sender | WF-BATCH
Authorizations | 1114 | Display Authorization Message in Reports | YES
Performance | 1120 | Batch size for Batch Risk Analysis | 1000
Performance | 1121 | Batch size for User Sync | 1000
Performance | 1122 | Default batch size for Role Synchronization | 1000
Performance | 1123 | Default batch size for Profile Synchronization | 1000
Performance | 1124 | Default batch size for Authorization Synchronization | 1000
Performance | 1125 | Pre-aggregate Access Risk Information | NO
Performance | 1126 | Number of background jobs created for one Ad-Hoc Risk Analysis job | 1
Performance | 1127 | Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis | 1000
UAR Review | 2004 | Request Type for UAR | <empty>
UAR Review | 2005 | Default Priority | UAR_PRIORITY
UAR Review | 2006 | Who are the reviewers? | MANAGER
UAR Review | 2007 | Admin. review required before sending tasks to reviewers | YES
UAR Review | 2008 | Number of line items per UAR request | 100
Access Request Default Roles | 1302 | Add default roles only for systems specified in the access request | NO
Access Request Default Roles | 2009 | Consider Default Roles | YES
Access Request Default Roles | 2010 | Request type for default roles | <empty>
Access Request Default Roles | 2011 | Default Role Level | REQ&ROL
Access Request Default Roles | 2012 | Role Attributes | <empty>
Access Request Default Roles | 2013 | Request Attributes | <empty>
Access Request Role Mapping | 2014 | Enable Role Mapping | YES
Access Request Role Mapping | 2015 | Applicable to Role Removals | YES
SOD Review | 2016 | Request Type for SoD | <empty>
SOD Review | 2017 | Default priority for SoD | <empty>
SOD Review | 2018 | Who are the reviewers? | MANAGER
SOD Review | 2019 | Admin. review required before sending tasks to reviewers | YES
SOD Review | 2020 | Unique number of line items per SOD request (Maximum 9999) | <empty>
SOD Review | 2023 | Is actual removal of role allowed? | YES
Access Request Training Verification | 2024 | Training and verification | <empty>
Access Request Role Selection | 2031 | Allow All Roles for Approver | YES
Access Request Role Selection | 2032 | Approver Role Restriction Attribute | <empty>
Access Request Role Selection | 2033 | Allow All Roles for Requestor | YES
Access Request Role Selection | 2034 | Requestor Role Restriction Attribute | <empty>
Access Request Role Selection | 2035 | Allow Role Comments | YES
Access Request Role Selection | 2036 | Role Comments Mandatory | YES
Access Request Role Selection | 2037 | Display expired roles for existing roles | YES
Access Request Role Selection | 2038 | Auto Approve Roles without Approvers | YES
Access Request Role Selection | 2039 | Search Role by Transactions from Backend System | NO
Access Request Role Selection | 2040 | Assignment Comments mandatory on rejection | NO
Assignment Expiry | 2041 | Duration for assignment expiry in Days | <empty>
Access Request Role Selection | 2042 | Visibility of Valid from/Valid to for profiles | 0
Access Request Role Selection | 2043 | Authorization object for role search - provisioning | GRAC_ROLED
Access Request Role Selection | 2044 | Display profiles in Existing Assignments, My Profile and Model User | YES
Access Request Role Selection | 2045 | Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile | 010
Access Request Role Selection | 2046 | Field type for business process and system fields, in access request role search | <empty>
Access Request Role Selection | 2047 | Filter Business Process and systems based on application area | NO
Access Request Role Selection | 2048 | Default provisioning environment for business role | <empty>
Performance | 2050 | Enable Real time LDAP Search for Access Request User | NO
Workflow | 2051 | Enable User ID Validation in Access Request Against Search Data Sources | YES
Performance | 2060 | Organization Rules - Maximum allowed to be generated in foreground | 50000
Performance | 2061 | Duration for display of confirmation message (in milliseconds) | 1000
LDAP | 2052 | Use LDAP domain forest | NO
Role Management | 3000 | Default Business Process | <empty>
Role Management | 3001 | Default Sub process | <empty>
Role Management | 3002 | Default Criticality Level | <empty>
Role Management | 3003 | Default Project Release | <empty>
Role Management | 3004 | Default Role Status | <empty>
Role Management | 3005 | Reset Role Methodology when Changing Role Attributes | YES
Role Management | 3006 | Allow add functions to an authorization | YES
Role Management | 3007 | Allow editing organizational level values for derived roles | NO
Role Management | 3008 | A ticket number is required after authorization data changes | YES
Role Management | 3009 | Allow Role Deletion from back-end system | YES
Role Management | 3010 | Allow attaching files to the role definition | YES
Role Management | 3011 | Conduct Risk Analysis before Role Generation | YES
Role Management | 3012 | Allow Role Generation on Multiple Systems | NO
Role Management | 3013 | Use logged-on user credentials for role generation | NO
Role Management | 3014 | Allow role generation with Permission Level violations | NO
Role Management | 3015 | Allow role generation with Critical Permission violations | NO
Role Management | 3016 | Allow role generation with Action Level violations | NO
Role Management | 3017 | Allow role generation with Critical Action violations | NO
Role Management | 3018 | Allow role generation with Critical Role/Profile violations | NO
Role Management | 3019 | Overwrite individual role Risk Analysis results for Mass Risk Analysis | NO
Role Management | 3020 | Role certification reminder notification | 10
Role Management | 3021 | Directory for mass role import server files | <empty>
Workflow | 3022 | Request Type for Role Approval | 21
Workflow | 3023 | Priority for Role Approval | 5
Role Management | 3024 | Enforce methodology process for derived roles during generation | YES
Role Management | 3025 | Allow selection of Org. Value Maps without leading org. | NO
Role Management | 3026 | Save Role Provisioning Details While Copying Role | YES
Role Management | 3027 | Automate authorization copy from master role to derived roles | NO
Role Management | 3028 | Generate derived roles after Creation/Update | NO
Emergency Access Management | 4000 | Application Type | 1
Emergency Access Management | 4001 | Default Firefighter Validity Period (in days) | <empty>
Emergency Access Management | 4002 | Send E-mail Immediately (PARAMETER IS OBSOLETE) | PARAMETER IS OBSOLETE
Emergency Access Management | 4003 | Retrieve Change Log | YES
Emergency Access Management | 4004 | Retrieve System Log | YES
Emergency Access Management | 4005 | Retrieve Audit Log | YES
Emergency Access Management | 4006 | Retrieve O/S Command Log | YES
Emergency Access Management | 4007 | Send Log Report Execution Notification Immediately | YES
Emergency Access Management | 4008 | Send Firefight ID Logon Notification | YES
Emergency Access Management | 4009 | Log Report Execution Notification | YES
Emergency Access Management | 4010 | Firefighter ID Role Name | ZSAP_GRAC_SMP_FFID
Access Request Business Role | 4011 | Allow deletion of technical roles if part of business roles | YES
Emergency Access Management | 4012 | Default users for forwarding the Audit Log workflow | 2
Emergency Access Management | 4013 | Firefighter ID owner can submit request for Firefighter ID owned | YES
Emergency Access Management | 4014 | Firefighter ID controller can submit request for Firefighter ID controlled | YES
Emergency Access Management | 4015 | Enable decentralized Firefighting | NO
Access Request Business Role | 4016 | Consider only the approved/completed version of a business role when provisioning | NO
Emergency Access Management | 4017 | Enable CUP request number to show in Firefighter ID/Role Assignment Screen | YES
Emergency Access Management | 4018 | Enable detailed application logging (SLG1) for Firefighter log synchronization programs | NO
Emergency Access Management | 4020 | Send EAM log review workflow for blank firefighter sessions as well | NO
Emergency Access Management | 5033 | Allow creation of firefighters with no controller | YES
Access Request Business Role | 4019 | Exclude manual changes to role assignments or profiles from repository sync | NO
Access Request Validations | 5021 | Validate the manager ID for the specified user ID | YES
Access Request Validations | 5022 | Consider the password change in access request | YES
Access Request Validations | 5023 | Consider details from multiple data sources for missing user details in access requests | NO
Access Request Validations | 5024 | Enable in-line editing for user group and parameters in Access Request | NO
Access Request Validations | 5026 | Make system and provisioning actions visible for filtering user assignments for model users | NO
Access Request Validations | 5027 | Default value for filtering by system | NO
Access Request Validations | 5028 | Default value for filtering by provisioning action | NO
Simplified Access Request | 5031 | Enable "Open in Advanced Mode" option | YES
Simplified Access Request | 5032 | Disable Type-ahead search in Simplified Access Request | NO
Access Control – General Settings | 2401 | Allowed extensions for attachments | *

1.2 Activities

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.
2. In the Parameter ID column, select a parameter ID for use with the parameter group. The short description appears on the right-hand side.
3. Select a Parameter Value from the dropdown list, or enter values in the field.
4. In the Priority field, enter a number for the priority.
5. Choose Save.

1.3 Details of Configuration Parameters

This section explains the configuration parameters in detail. The table is formatted and ordered to match the table displayed in the Customizing activity. For each parameter, the table includes the purpose of the parameter, the available option values, and screenshots to provide context about how the parameter affects the application.

Note: The application provides a set of work centers; however, your system administrator can customize them according to your company’s processes and structures.
Additionally, Access Control is available both as a standalone application and as part of the GRC 10.1 application. Depending on the GRC applications you have licensed, different areas of the access control application are displayed. The navigation paths included in this document and in the screenshots may differ from yours.

# | Parameter Group | Parameter ID | Description | Default Value
--- | --- | --- | --- | ---

1 | Change Log | 1001 | Enable Function Change Log | YES
Set to YES to display the Change History tab on the Function screen.

2 | Change Log | 1002 | Enable Risk Change Log | YES
Set to YES to display the Change History tab on the Access Risk screen.

3 | Change Log | 1003 | Enable Organization Rule Log | YES
Set to YES to display the Change History tab on the Organization Rules screen.

4 | Change Log | 1004 | Enable Supplementary Rule Log | YES
Set to YES to display the Change History tab on the Supplementary Rules screen.

5 | Change Log | 1005 | Enable Critical Role Log | YES
Set to YES to display the Change History tab on the Critical Role screen.

6 | Change Log | 1006 | Enable Critical Profile Log | YES
Set to YES to display the Change History tab on the Critical Profile screen.

7 | Change Log | 1007 | Enable Rule Set Change Log | YES
Set to YES to display the Change History tab on the Rule Sets screen.

8 | Change Log | 1008 | Enable Role Change Log | YES
Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

9 | Change Log | 5001 | SLG1 Log Level for HR Triggers | HIGH
The available values are High and Medium. When this parameter is set to High, all HR Trigger logs are captured under SLG1 whether or not the info types from the HR system satisfy the BRF rules. When this parameter is set to Medium, the system only captures those logs that occur after the BRF rules are satisfied. The screen shot below shows the detailed SLG1 logs that are captured when the parameter is set to High.

10 | Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365
The default number of days for which you are allowed to mitigate any object (selection on service map). You can overwrite this quantity in the Valid To field.

11 | Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO
By default, the application includes all rules when it mitigates the access risk. Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.

12 | Mitigation | 1013 | Consider System for mitigation assignment | NO
Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

13 | Mitigation | 1014 | Enable separate authorization check for mitigation from access request | NO
This parameter controls how authorization checks are done during the access request risk mitigation process. Previously, when risk mitigation was done during request approval, the mitigation was saved directly to the user mitigation tables. If the request was later rejected or cancelled, the mitigation remained in the user mitigation table even though it was then invalid. By using this parameter, you tell the application to save the mitigation in intermediate tables until the request is fully approved. At that point, the mitigation is transferred to the user mitigation table.
This parameter works in conjunction with an activity (88) that is added to authorization object GRAC_MITC. Setting the value to YES enables activity 88, and mitigations are saved to an intermediate table until the request is fully approved. Setting the value to NO saves the mitigations directly to the user mitigation tables, and activity 88 is not checked. For more information, see SAP Note 1996151.

14 | Mitigation | 1015 | Get data for Invalid Mitigation Report from Management Summary table | NO
SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with the option to use Offline Data. The report gets the offline data from the detailed violations table from the last batch risk analysis. The data is very granular (low level) and may take more time and system resources to retrieve. This parameter allows you to get the Offline Data from the Management Summary table instead. As the data is already at a summary level, it takes less time and fewer resources to produce the report. Set the value to Yes to get the data from the Management Summary table. Set the value to No to get the data from the detailed violations table.

15 | Risk Analysis | 1021 | Consider Org Rules for other applications | NO
Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.
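The stale-mitigation problem that parameter 1014 (entry 13 above) addresses is easy to see in a small model. The following Python is an added illustration, not SAP code: the two dictionaries stand in for the user mitigation table and the intermediate table named in the parameter text, the `approver_has_activity_88` flag stands in for the GRAC_MITC authorization check, and the request and control identifiers are constructed sample values.

```python
"""Model of the mitigation-assignment lifecycle controlled by parameter 1014.

Added illustration, not SAP code.  Table names, request states and the
activity-88 flag are simplified stand-ins for the GRC tables and check.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Mitigation = Tuple[str, str, str]  # (user id, access risk id, mitigating control id)


@dataclass
class MitigationTables:
    # Read by risk analysis: an entry here suppresses the risk for that user.
    user_mitigation: Dict[str, Mitigation] = field(default_factory=dict)
    # Only used when 1014 = YES: assignments of requests that are still in flight.
    intermediate: Dict[str, Mitigation] = field(default_factory=dict)


class AccessRequestMitigation:
    def __init__(self, param_1014: str):
        self.separate_check = param_1014.strip().upper() == "YES"
        self.tables = MitigationTables()

    def mitigate_during_approval(self, request_id: str, mitigation: Mitigation,
                                 approver_has_activity_88: bool = True) -> None:
        """An approver mitigates a risk while the request is pending."""
        if not self.separate_check:
            # 1014 = NO: written straight to the user mitigation table, activity 88 not checked.
            self.tables.user_mitigation[request_id] = mitigation
            return
        # 1014 = YES: activity 88 on GRAC_MITC is required and the record is parked.
        if not approver_has_activity_88:
            raise PermissionError("GRAC_MITC activity 88 required to mitigate from an access request")
        self.tables.intermediate[request_id] = mitigation

    def close_request(self, request_id: str, approved: bool) -> None:
        """Final decision: a parked mitigation moves to the live table on approval and
        is discarded on rejection or cancellation.  With 1014 = NO nothing was parked,
        so a rejected request leaves its mitigation in the live table."""
        parked = self.tables.intermediate.pop(request_id, None)
        if approved and parked is not None:
            self.tables.user_mitigation[request_id] = parked

    def live_mitigations(self) -> Dict[str, Mitigation]:
        return dict(self.tables.user_mitigation)


def run_request(param_1014: str, approved: bool) -> Dict[str, Mitigation]:
    """Constructed scenario: one request, mitigated during approval, then closed."""
    flow = AccessRequestMitigation(param_1014)
    flow.mitigate_during_approval("REQ-0001", ("JDOE", "P001", "MC-042"))
    flow.close_request("REQ-0001", approved=approved)
    return flow.live_mitigations()


if __name__ == "__main__":
    print("1014=NO,  rejected:", run_request("NO", approved=False))   # stale entry remains
    print("1014=YES, rejected:", run_request("YES", approved=False))  # nothing remains
    print("1014=YES, approved:", run_request("YES", approved=True))
```

The first call shows why a reviewer of an older configuration should look for mitigations whose originating request was never approved: with 1014 = NO the control assignment survives the rejection and continues to suppress the risk.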
16 | Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | <empty>
On the Risk Analysis screen, you can perform risk analysis. You specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive. In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.
Note: To enter more than one system or connector, enter additional instances of the parameter.

17 | Risk Analysis | 1023 | Default report type for risk analysis | 2
The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, Permission Level, and so on. This parameter allows you to choose one or more report types that are selected by default. It works as follows:
- If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2 (Permission Level).
- If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values (for example, Permission Level).
Note: In the IMG value cell, press F4 to display the available types.
Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.
The screenshot below shows the report being run with a default value of 2.

18 | Risk Analysis | 1024 | Default risk level for risk analysis | 3
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the Risk Level that is selected by default.

19 | Risk Analysis | 1025 | Default rule set for risk analysis | <empty>
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the Rule Set that is selected by default.

20 | Risk Analysis | 1026 | Default user type for risk analysis | A
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the User Type that is selected by default.

21 | Risk Analysis | 1027 | Enable Offline Risk Analysis | NO
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. On the Risk Analysis screen, the Offline Data checkbox is empty by default. The parameter value is set to NO to exclude Offline Data from risk analysis by default.

22 | Risk Analysis | 1028 | Include Expired Users | NO
Set to YES to include expired users from plug-in systems in risk analysis.

23 | Risk Analysis | 1029 | Include Locked Users | NO
Set to YES to include locked users from plug-in systems in risk analysis.

24 | Risk Analysis | 1030 | Include Mitigated Risks | NO
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. On the Risk Analysis screen, the Include Mitigated Risks checkbox is then automatically selected. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to each.
Note: If parameter 2023 is set to YES, then this parameter must also be set to YES.

25 | Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES
Set the value to YES to exclude critical roles and profiles from risk analysis.

26 | Risk Analysis | 1032 | Include Reference user when doing user analysis | YES
Set the value to YES to include reference users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

27 | Risk Analysis | 1033 | Include Role/Profile Mitigating Controls in Risk Analysis | YES
Set the value to YES to include the mitigating controls assigned to the user’s roles and profiles in risk analysis.

28 | Risk Analysis | 1034 | Max number of objects in a package for parallel processing | 100
The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job. For example, if there are 10,000 users to analyze and this value is 100, then 100 packages are created, each containing 100 users. Each package is submitted to a separate background process, which is available to the application via the application group. If instead we specify that three background processes are available to GRAC_SOD, the 100 packages are submitted one by one to these processes, which complete the package execution: three packages initially, and then one at a time to each process as it becomes free.
Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, the application ignores the parameter in this setting and uses the value 2 instead.
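The packaging described for parameter 1034 (entry 28 above), worked through in Python as an added illustration rather than SAP code. Two points are assumptions of mine, not statements of the document: packages are handed to whichever background process is free next, so equal-sized packages end up distributed round-robin, and the RZ10 note is read as capping the number of usable processes at rdisp/wp_no_btc. The function and parameter names are hypothetical.

```python
"""Package planning for parallel risk analysis as described for parameter 1034.

Added illustration, not SAP code.  Assumptions: free processes pick up packages
in submission order (round-robin for equal sizes) and rdisp/wp_no_btc acts as a
cap on the configured Number of Tasks.
"""
from typing import Dict, List, Optional


def build_packages(object_count: int, package_size: int) -> List[int]:
    """Sizes of the packages cut from object_count objects (package_size = parameter 1034)."""
    if package_size <= 0 or object_count < 0:
        raise ValueError("package size must be positive and object count non-negative")
    return [min(package_size, object_count - start)
            for start in range(0, object_count, package_size)]


def usable_processes(number_of_tasks: int, rdisp_wp_no_btc: Optional[int]) -> int:
    """Number of Tasks from 'Distribute Jobs for Parallel Processing', capped by the
    batch work process count when that RZ10 value is given (assumption, see lead-in)."""
    if number_of_tasks <= 0:
        raise ValueError("number of tasks must be positive")
    if rdisp_wp_no_btc is None:
        return number_of_tasks
    return max(1, min(number_of_tasks, rdisp_wp_no_btc))


def dispatch(packages: List[int], processes: int) -> List[List[int]]:
    """Package indexes handled by each process: the first `processes` packages start
    at once, every later package goes to the next process to become free."""
    lanes: List[List[int]] = [[] for _ in range(processes)]
    for index in range(len(packages)):
        lanes[index % processes].append(index)
    return lanes


def plan_risk_analysis(object_count: int, package_size: int, number_of_tasks: int,
                       rdisp_wp_no_btc: Optional[int] = None) -> Dict[str, object]:
    """Summary of how one risk analysis run would be split and spread over processes."""
    packages = build_packages(object_count, package_size)
    processes = usable_processes(number_of_tasks, rdisp_wp_no_btc)
    lanes = dispatch(packages, processes)
    return {
        "packages": len(packages),
        "processes": processes,
        "packages_per_process": [len(lane) for lane in lanes],
        "objects_per_process": [sum(packages[i] for i in lane) for lane in lanes],
    }


if __name__ == "__main__":
    # The document's example: 10,000 users, package size 100, three processes for GRAC_SOD.
    print(plan_risk_analysis(10_000, 100, 3))
    # The same run when rdisp/wp_no_btc = 2 overrides the three configured tasks.
    print(plan_risk_analysis(10_000, 100, 3, rdisp_wp_no_btc=2))
```

Running the two calls at the bottom reproduces the document's figures (100 packages of 100 users over three processes) and shows how a lower batch work process count reduces the effective parallelism regardless of what is configured in the IMG.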
29 | Risk Analysis | 1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object, such as the user or role, is updated.

30 | Risk Analysis | 1036 | Show all objects in Risk Analysis | NO
Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default. The objects that do not have violations are displayed with the Action: No Violations.
Note: This setting applies to SoD Batch Risk Analysis.

31 | Risk Analysis | 1037 | Use SoD Supplementary Table for Analysis | YES
Set the value to YES to use supplementary rules for SoD risk analysis.

32 | Risk Analysis | 1038 | Consider FF Assignments in Risk Analysis | NO
You can use this parameter to select whether or not to include firefighter (FF) assignments in risk analysis.
- Select YES to include FF assignments in risk analysis. On the Access Management > Access Risk Analysis screens, the application displays the Include FFIDS checkbox.
- Select NO to exclude FF assignments from risk analysis. On the Access Management > Access Risk Analysis screens, the application does not display the Include FFIDS checkbox.
Note: For Access Requests, the application does not allow users to choose whether or not to include FFIDs in risk analysis. As illustrated in the graphic below, the Include FFIDs checkbox is not part of the Risk Violation tab on the Access Request screen. If you set the parameter value to YES, the application automatically includes FFIDs in the risk analysis, but it does not display the checkbox on the screen.

33 | Risk Analysis | 1046 | Extended objects enabled connector | <empty>
Extended objects are objects from non-SAP systems. The connectors can have object lengths greater than those of SAP objects. For example, the SAP User ID length is 12, but the extended object length may be 50. This parameter allows you to specify the connectors for non-SAP systems.
Note: You can set multiple connectors by adding multiple instances of the parameter.

34 | Management Dashboard Reports | 1047 | Default Management Report Violation Count | P
This parameter is used by the Access Risk Violations Dashboard. It controls the default behavior for how the application displays the violation count. The possible values are P and R. If the parameter is set to P, the application displays the violation count by permission, as shown in the example below. If the parameter is set to R, the application displays the violation count by access risk level.

35 | Risk Analysis | 1048 | Business View for Risk Analysis (Technical View) is Enabled | NO
The available values are Yes and No. If the parameter is set to Yes, the system displays the Business View format on the Risk Violations tab during creation or approval of a request, as shown in the screen shot below.

36 | Management Dashboard Reports | 1049 | Default Management Report Risk Type | ALL
Management reports consider all three types of access risk: SOD, Critical Actions and Critical Permissions. The inclusion of all risk types drives the pie chart calculations for all the management reports: Risk Violations, User Analysis and Role Analysis. This parameter provides a way to restrict the access risk types in the management reports.
- If parameter 1049 is set to *, all three access risk types are captured.
- If parameter 1049 is set to 1, Critical Actions are captured.
- If parameter 1049 is set to 2, Critical Permissions are captured.
- If parameter 1049 is set to 3, Segregation of Duties is captured.
This parameter affects the dashboard drill-down for Risk Analysis.

37 | Risk Analysis | 1050 | Default Report View for Risk Analysis | Remediation View
There are three types of views for Risk Analysis reports (technical, business and remediation). If you want to change the global default to something other than the Technical View, you can do that through this parameter. You can change the default view on a case-by-case basis for the ad hoc reports through the user interface (as shown below).

38 | Risk Analysis - Spool | 1051 | Max number of objects in a file or database record | 200000
You can use this parameter to specify the maximum number of analytics data objects the application stores. If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table. If parameter 1053 is set to F, the value is the maximum number of objects stored in the file.
Prerequisite: You have configured parameters 1052 and 1053.
Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table.

39 | Risk Analysis - Spool | 1052 | Spool File Location | <empty>
You can specify the file location in which the application stores the analytics data, such as \\<ip_address>\public\SoD\.
Note: This parameter is only valid if parameter 1053 is set to F.
Prerequisite: You have configured parameter 1053.

Risk Analysis - Spool | 1054 | Max number of violations supported in Organization Rule Analysis | 500000
… you can still read the data up to the point the files or database records were created.
Set the value to F to store the data on the file system.  If you change the location type (such as from D to F) in mid-course. This gives you an opportunity to see if the desired records are created and choose to stop or cancel the job.000 violations threshold is reached. a feature has been added to enable the application to gracefully exit the analysis before the system runs out of memory. For example.Spool 1053 Spool Type D You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control. The default is 500. which may cause the system to run out of memory and 41 result in a dump. March 2015 30 .  If you cancel the job before the report is finished. it is possible the analysis will generate a very large number of violations. If the 500. Depending on the total number of org rules. Index tables keep track of the source of the records when the data was generated. such as ad hoc SoD violations. (You set the file location in parameter 1052). you can perform User Level risk analysis and choose the option to Consider Org Rule. You use this parameter to set the threshold limit.Maintaining Configuration Settings in Access Control 10. With SP07. Set the value to D to store the data in the GRACSODREPDATA table. 40 Note:  You see the intermediate results while risk analysis is running.Spool 1054 500000 in Organization Rule Analysis SAP Access Control allows you to consider Organizational Rules when performing access risk analysis. the application stops the analysis for that particular user and displays the message “Too many violations”. the report will still read the previously generated files or database records. Note: On the Mitigating Control screen. Set the value to YES to require that when users create or change mitigating controls. 
Parameter 1061 | Workflow | Mitigating Control Maintenance | Default value: NO
The application allows users to create and change mitigating controls. Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action.
Note: On the Mitigating Control screen, the Create button is then replaced by a Submit button.
You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver. Figure B below shows that you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).
Figure A
Figure B

Parameter 1062 | Workflow | Mitigation Assignment | Default value: NO
The application allows users to mitigate risks for objects (user, role, profile, and so on).
- Set the value to YES to require the application to send an approval workflow item to the mitigating control approver. The screen displays a Submit button.
- Set the value to NO and users can mitigate risks without approval. The screen displays a Save button.
If this parameter is set to Yes, you must also configure parameters 1107, 1108, 1109, and 1112.
Note: You can configure the role that receives the workflow item for approving the mitigation assignment using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Parameter 1063 | Workflow | Risk Maintenance | Default value: NO
The application allows users to create and modify risks.
- Set the value to YES to require the application to send an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button.
- Set the value to NO and users can create and modify risks without approval. The screen displays a Save button.
If this parameter is set to Yes, you must also configure parameters 1101, 1102, 1103, and 1110.
Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Parameter 1064 | Workflow | Function Maintenance | Default value: NO
The application allows users to create and change functions. Set the value to YES to require the application to send an approval workflow item to the specified workflow agent for approval when functions are created or modified.
Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
If this parameter is set to Yes, you must also configure parameters 1104, 1105, 1106, and 1111.

Parameter 1071 | Risk Analysis - Access Request | Enable risk analysis on form submission | Default value: NO
You can use this parameter to make the application automatically perform risk analysis on the access request the user submits. The risk analysis results are added to the access request for the approver to review.
- Set to No to disable automatic risk analysis.
- Set to Yes to enable automatic risk analysis. Submitting the form triggers a risk analysis, and the user must wait for it to finish before proceeding.
- Set to Asynch to enable automatic risk analysis and allow the user to proceed to the next screen without waiting. The risk analysis is performed in the background and the results are attached to the request. The request only proceeds to the approver after the risk analysis has completed in the background. Therefore, the risk analysis results appear on the approver's screens but not on the requestor's screens.
Note: This does not change the workflow for the request.

Parameter 1072 | Risk Analysis - Access Request | Mitigation of critical risk required before approving the request | Default value: NO
Set the value to YES to require mitigation of risks of the type Critical Access before the request can be approved.

Parameter 1073 | Risk Analysis - Access Request | Enable SoD violations detour on risks from existing roles | Default value: NO
The possible values for this parameter are YES and NO. If an SoD risk exists in an access request, the application considers it a special condition and sends it to a detour path in the workflow. SoD risks may arise from the new roles the user is requesting, and they may arise from the existing roles that are already assigned to the user.
- Set the value to YES to consider risks from new and existing roles for the detour.
- Set the value to NO to consider risks only from new roles (and not existing roles) for the detour.

Parameter 1080 | Risk Analysis - Risk Terminator | Connector enabled for Risk Terminator | Default value: <empty>
Enter the name of the connector in the value field to enable it for Risk Terminator. You can enter multiple values by entering multiple instances of the parameter. The Risk Terminator service is a tool that resides in the back-end SAP ABAP system and notifies you when a risk violation occurs. To use this parameter, you must also configure parameters 1081 – 1088.
Note: The following parameters must be configured in the relevant target systems: 1000, 1001, 1002, and 1081 – 1088, as follows:
- Parameter 1000 is the target Connector ID (Plug-in Connector).
- Parameter 1001 is the GRC Connector ID.
- Parameter 1002 is the rule set to be used.
- Parameters 1081 – 1088 should be the same in both GRC and the target systems. This is a recommendation, but not a requirement.

Parameter 1081 | Risk Analysis - Risk Terminator | Enable Risk Terminator for PFCG Role Generation | Default value: NO
Set to YES to trigger the Risk Terminator service for PFCG Role Generation. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1082 | Risk Analysis - Risk Terminator | Enable Risk Terminator for PFCG User Assignment | Default value: NO
Set to YES to trigger the Risk Terminator service for PFCG User Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1083 | Risk Analysis - Risk Terminator | Enable Risk Terminator for SU01 Role Assignment | Default value: NO
Set to YES to trigger the Risk Terminator service for SU01 Role Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1084 | Risk Analysis - Risk Terminator | Enable Risk Terminator for SU10 multiple User Assignment | Default value: NO
Set to YES to trigger the Risk Terminator service for SU10 Multiple User Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1085 | Risk Analysis - Risk Terminator | Stop role generation if violations exist | Default value: NO
Set to YES and the Risk Terminator service stops generating roles if violations exist. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1086 | Risk Analysis - Risk Terminator | Comments are required in case of violations | Default value: NO
Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1087 | Risk Analysis - Risk Terminator | Send Notification in case of violations | Default value: NO
Set the value to YES to enable the application to send e-mail notifications to the role owner when violations occur. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1088 | Risk Analysis - Risk Terminator | Default report type for Risk Terminator | Default value: 2
Select the default report type the Risk Terminator service uses to report SoD violations. Use F4 help to display the available report types. This parameter is only valid if parameter 1080 is configured with at least one connector.

Parameter 1100 | Authorizations | Enable the authorization logging | Default value: NO
If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1, for example when an owner wants to perform an action and is missing the necessary authorizations.
Parameters 1101 – 1109 | Workflow | Request types for risk, function, and mitigation assignment approval
For each of these parameters, use F4 help and choose the request type the workflow uses for the listed action. The request type is associated with an MSMP process ID (for risk approval, for example, SAP_GRAC_RISK_APPR). You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

Parameter 1101 | Workflow | Create Request for Risk Approval | Default value: 12
Request type used to create requests for risk approval. This parameter is only valid if parameter 1063 is set to Yes.

Parameter 1102 | Workflow | Update Request for Risk Approval | Default value: 13
Request type used to update requests for risk approval (see also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes.

Parameter 1103 | Workflow | Delete Request for Risk Approval | Default value: 14
Request type used to delete requests for risk approval (see also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes.

Parameter 1104 | Workflow | Create Request for Function Approval | Default value: 15
Request type used to create requests for function approval (see also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Parameter 1105 | Workflow | Update Request for Function Approval | Default value: 16
Request type used to update requests for function approval (see also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Parameter 1106 | Workflow | Delete Request for Function Approval | Default value: 17
Request type used to delete requests for function approval (see also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Parameter 1107 | Workflow | Create Request for Mitigation Assignment Approval | Default value: 18
Request type used to create requests for mitigation assignment approval (see also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Parameter 1108 | Workflow | Update Request for Mitigation Assignment Approval | Default value: 19
Request type used to update requests for mitigation assignment approval (see also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Parameter 1109 | Workflow | Delete Request for Mitigation Assignment Approval | Default value: 20
Request type used to delete requests for mitigation assignment approval (see also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Parameter 1110 | Workflow | Default workflow request priority for Creating and Updating Risks | Default value: High
Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_RISK_APPR to risk approval priorities.
Note: This parameter is only valid if parameter 1063 is set to Yes.

Parameter 1111 | Workflow | Default workflow request priority for Creating and Updating Functions | Default value: High
Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_FUNC_APPR to function approval priorities.
Note: This parameter is only valid if parameter 1064 is set to Yes.

Parameter 1112 | Workflow | Default workflow request priority for Mitigation Control Assignments | Default value: High
Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities.
Note: This parameter is only valid if parameter 1062 is set to Yes.

Parameter 1113 | Workflow | Access Control E-mail sender | Default value: WF-BATCH
The application uses the e-mail address of this user, as defined in SU01, to send the workflow e-mails to the approvers. See the Access Control 10.1 Security Guide for information about the authorizations required for the WF-BATCH user.

Parameter 1114 | Authorizations | Display authorization message in reports | Default value: YES
The Access Control reports and dashboards display data based on the user's authorizations. You can use this parameter to display a message and a link that shows the objects the user is authorized to view.
- Set the value to YES to display the message and link.
- Set the value to NO if you do not want to display the message and link.

Parameter 1120 | Performance | Batch size for Batch Risk Analysis | Default value: 1000
The application uses this value to determine the size of the batch when performing batch risk analysis. Each batch is processed in its entirety before continuing with the next.

Parameter 1121 | Performance | Batch size for User sync | Default value: 1000
The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository. For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000) and then processes the job in 10 batches covering the ranges 0 to 1000, 1001 to 2000, and so on. Each batch is processed in its entirety before continuing with the next. To synchronize users to the GRC AC Repository, you use the Customizing activity Repository Object Synch under Governance, Risk, and Compliance > Access Control > Synchronization Jobs.
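The dependencies stated above are easy to get out of step when parameters are maintained one at a time: 1062, 1063 and 1064 each require their request types (1101 – 1109) and default priority (1110 – 1112), the Risk Terminator flags 1081 – 1088 only take effect with a connector in 1080, and the spool file location 1052 is only used when 1053 is F. The following script is an added example (not SAP code) that checks exactly those rules. It assumes the parameters have been exported from the Maintain Configuration Settings activity as (parameter ID, value) pairs; the export at the bottom is constructed for the demonstration.

```python
"""Consistency checks for SAP Access Control 10.1 configuration parameters.

Added example, not SAP code. It assumes the parameters have been exported from
the SPRO activity Maintain Configuration Settings as (parameter ID, value)
pairs; the export below is constructed. The rules encode only what this guide
states: workflow approvals need their request types and priority maintained,
Risk Terminator flags need a connector in 1080, the spool file location is
only used when the spool type is F, and a few parameters accept fixed values.
"""
from collections import defaultdict

# Setting the key parameter to YES requires the listed parameters to be
# maintained (request types for create/update/delete and the default priority).
WORKFLOW_DEPENDENCIES = {
    "1062": ("1107", "1108", "1109", "1112"),  # Mitigation Assignment
    "1063": ("1101", "1102", "1103", "1110"),  # Risk Maintenance
    "1064": ("1104", "1105", "1106", "1111"),  # Function Maintenance
}
# 1081-1088 are only effective if 1080 names at least one connector.
RISK_TERMINATOR_FLAGS = tuple(str(p) for p in range(1081, 1089))
ALLOWED_VALUES = {
    "1047": {"P", "R"},               # violation count by permission / risk level
    "1053": {"D", "F"},               # spool to database table / file system
    "1071": {"YES", "NO", "ASYNCH"},  # risk analysis on form submission
}


def load_config(pairs):
    """Group exported values by parameter ID. A parameter such as 1080 may
    occur several times; an empty value counts as "not maintained"."""
    cfg = defaultdict(list)
    for pid, value in pairs:
        value = str(value).strip()
        if value and value != "<empty>":
            cfg[str(pid)].append(value)
    return cfg


def is_yes(cfg, pid):
    return cfg.get(pid, [""])[0].upper() == "YES"


def check_config(pairs):
    """Return a list of human-readable findings; an empty list means consistent."""
    cfg = load_config(pairs)
    findings = []
    for pid, allowed in ALLOWED_VALUES.items():
        for value in cfg.get(pid, []):
            if value.upper() not in allowed:
                findings.append(f"{pid}: value {value!r} is not one of {sorted(allowed)}")
    for key, required in WORKFLOW_DEPENDENCIES.items():
        if is_yes(cfg, key):
            for dep in required:
                if dep not in cfg:
                    findings.append(f"{key}=YES requires parameter {dep} to be maintained")
    if "1080" in cfg:
        for flag in RISK_TERMINATOR_FLAGS:
            if flag not in cfg:
                findings.append(f"1080 is configured: parameter {flag} must also be configured")
    else:
        for flag in RISK_TERMINATOR_FLAGS:
            if flag in cfg:
                findings.append(f"{flag} has no effect: no connector is enabled in 1080")
    spool_type = cfg.get("1053", ["D"])[0].upper()  # D is the delivered default
    if spool_type == "F" and "1052" not in cfg:
        findings.append("1053=F requires a spool file location in 1052")
    if spool_type == "D" and "1052" in cfg:
        findings.append("1052 is ignored because 1053 is not set to F")
    return findings


# Constructed export for demonstration: 1063 is switched on without its
# priority parameter, 1081 is set with no connector, and 1052 is set while
# spooling to the database table.
SAMPLE_EXPORT = [
    ("1047", "P"), ("1053", "D"), ("1052", r"\\10.0.0.5\public\SoD"),
    ("1063", "YES"), ("1101", "12"), ("1102", "13"), ("1103", "14"),
    ("1081", "YES"), ("1071", "ASYNCH"),
]

if __name__ == "__main__":
    for finding in check_config(SAMPLE_EXPORT):
        print(finding)
```

Run against the constructed export, the script reports three findings: 1110 is missing although 1063 is YES, 1081 is ineffective without a 1080 connector, and 1052 is ignored while 1053 is D. Extend WORKFLOW_DEPENDENCIES and ALLOWED_VALUES as your landscape adds parameters; the checker deliberately does not validate request type or priority IDs themselves, because those are defined per system in Define Request Type and Maintain Priority Configuration.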
Parameter 1122 | Performance | Default batch size for role synchronization | Default value: 1000
The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

Parameter 1123 | Performance | Default batch size for profile synchronization | Default value: 1000
The application uses this value to determine the size of the batch when synchronizing profiles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

Parameter 1124 | Performance | Default batch size for authorization synchronization | Default value: 1000
The application uses this value to determine the size of the batch when synchronizing authorization master data from the back-end ERP systems to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

Parameter 1125 | Performance | Pre-aggregate Access Risk Information | Default value: NO
Setting the parameter to YES makes the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver render more quickly, because the risk count is stored more efficiently. When performing risk analysis, the risk count shows the number of risks per access request. Setting the parameter to NO can adversely affect the rendering of these applications. For more information, see SAP Note 1976368.

Parameter 1126 | Performance | Number of background jobs created for one Ad-Hoc Risk Analysis job | Default value: 1
This parameter works with parameter 1127 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to a minimum of 1000 objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing.

Parameter 1127 | Performance | Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis | Default value: 1000
This parameter works with parameter 1126 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to a minimum of 1000 objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing.

Parameter 1302 | Access Request Default Roles | Add default roles only for systems specified in the access request | Default value: NO
Default roles are automatically assigned to users on a system. Typically, these roles have little to no risk and contain authorizations you want everyone to have. For example, you want everyone with access to System_A to have authorization to view data. Therefore, when someone requests access to System_A, the application automatically assigns the default roles to him or her in addition to whatever roles they requested.
Previously, the application would assign all default roles for all systems in one request, even if the systems were not specified in the request. The rationale is that all default roles are safe, so the risk is low, and it saves you from having to assign the roles in separate requests. You can use this parameter to have the application add default roles only for systems explicitly included in the access request.
- If the parameter is set to NO, the application adds default roles for all systems to the request. For example, someone requests access to System_A; the application assigns them the default roles for System_A and the default roles for all other systems.
- If the parameter is set to YES, the application adds only the default roles of the systems in the request.
Note: This parameter is only valid if parameter 2009 is set to Yes.

Parameter 2004 | UAR Review | Request Type for UAR | Default value: <empty>
All request types that are defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F4. This is important for tagging the workflow in MSMP for UAR Review.

Parameter 2005 | UAR Review | Default Priority | Default value: UAR_PRIORITY
You use this parameter to set the default priority for user access review requests. Use F4 help to display the list of available priorities for UAR requests. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In the example shown, priority IDs 10, 22, 24, and 36 are relevant for UAR Review.

Parameter 2006 | UAR Review | Who are the reviewers? | Default value: MANAGER
Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE.

Parameter 2008 | UAR Review | Number of line items per UAR request | Default value: 100
This parameter allows you to specify the maximum number of items per UAR request when creating a UAR request. (You specify the reviewers in parameter 2006.) For more information, see SAP Note 1938273.
Parameter 2007 | UAR Review | Admin review required before sending tasks to reviewers | Default value: YES
Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) review the request before the workflow goes to the reviewers.

Parameter 2009 | Access Request Default Roles | Consider Default Roles | Default value: YES
If set to YES, the application automatically adds the relevant default roles to the access request. In the example shown, the value of the attribute Functional Area maps to a relevant default role, so the application adds the role to the request.
Prerequisites: You have maintained the following parameters as needed: 1302, 2010, 2011, 2012, and 2013.

Parameter 2010 | Access Request Default Roles | Request type for default roles | Default value: <empty>
Enter the request types that are relevant for the default roles functionality. The application adds default roles only for the specified request types. Enter multiple request types by adding additional instances of the parameter. Use F4 help to display the available request types. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. See also parameters 2009, 2011, 2012, and 2013.

Parameter 2011 | Access Request Default Roles | Default Role Level | Default value: REQ&ROL
Select which attribute type the application uses to determine the relevance of the default roles.
- Request: The application uses the request attributes to determine the relevant default roles and adds them when the request is displayed for the approver. That is, the user does not see the added default roles at the time they create the request. You define the relevant request attributes in parameter 2013. In the example shown, the value is set to Request; the manager receives a request with the default role z_user_admin already added.
- Role: The application uses the role attributes to determine the relevant default roles and adds them at the time the user adds the roles to the request. That is, the user does see the added default roles at the time they create the request. You define the relevant role attributes in parameter 2012. In the example shown, the value is set to Role; the user is requesting the role BS_BS_123 of system GF1->GO7, and because Functional Area is a relevant attribute, the mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the role from the request.
- Request & Role: The application uses both the request and the role attributes to determine the default roles. If a default role is added due to a request attribute, the role is added when the request is displayed for the approver. If a default role is added due to a role attribute, the user sees it after adding the role to the request. On the request screen, the application shows the default roles as Existing and adds them to the request. You define the relevant role attributes in parameter 2012 and the relevant request attributes in parameter 2013.
See also parameters 2009, 2010, 2012, and 2013.

Parameter 2012 | Access Request Default Roles | Role Attributes | Default value: <empty>
Enter the role attributes the application considers for Default Role Attribute mapping. You can add multiple role attributes by adding additional instances of the parameter. These are mutually exclusive of the request attributes maintained in parameter 2013.
Note: The Source System dropdown list is from the same landscape you chose on the Detail tab.
See also parameters 2009, 2010, 2011, and 2013.

Parameter 2013 | Access Request Default Roles | Request Attributes | Default value: <empty>
Enter the request attributes the application considers for Default Role Attribute mapping. You can add multiple request attributes by adding additional instances of the parameter. These are mutually exclusive of the role attributes maintained in parameter 2012. See also parameters 2009, 2010, 2011, and 2012.

Parameter 2014 | Access Request Role Mapping | Enable Role Mapping | Default value: YES
The application allows you to assign roles as child roles (or map the roles). This allows anyone who is assigned the parent role to be assigned the authorizations and access of the child roles. Set the parameter value to YES to enable this functionality. The role mappings are applicable for provisioning access requests.
Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.

Parameter 2015 | Access Request Role Mapping | Applicable to Role Removals | Default value: YES
Set the value to YES to allow users to include mapped roles in requests for role removal. For example, if a user creates a request to remove a role assigned to them, and the role has mapped roles, then the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request. For more information, see SAP Note 1994429.

Parameter 2016 | SOD Review | Request Type for SoD | Default value: <empty>
Use F4 help and select the request type used when SoD review requests are created. You maintain the list of available request type values in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_SOD_RISK_REVIEW.

Parameter 2017 | SOD Review | Default priority for SoD | Default value: <empty>
Use F4 help and select the default priority used for SoD review requests. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID SAP_GRAC_SOD_RISK_REVIEW.

Parameter 2018 | SOD Review | Who are the reviewers? | Default value: MANAGER
Select either Manager or Risk Owner as the approver type for SoD review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Risk Owners receive review requests sorted by RISK.

Parameter 2019 | SOD Review | Admin review required before sending tasks to reviewers | Default value: YES
Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) review the request before the workflow goes to the reviewers. You specify the reviewers in parameter 2018.

Parameter 2020 | SOD Review | Number of unique line items per SOD request (Maximum 9999) | Default value: <empty>
You use this parameter to control the number of unique line items an approver sees in an SoD Review Request. The possible values are all numeric values between 0001 and 9999.
Note: Running Batch Risk Analysis is mandatory for SoD Review Request creation.

Parameter 2023 | SOD Review | Is actual removal of role allowed | Default value: YES
The application displays the Propose Removal button to reviewers.
Warning: Reviewers do not have the ability to view the source of the risks. Reviewers can only propose the removal of roles associated with an SoD risk violation. The workflow goes to the security administrator, who is able to view the source of the risk before deciding whether to remove the role.
 Set value as YES This setting is not recommended.1 You use this parameter to configure whether the reviewers of SoD risks are allowed to remove the roles associated with an SOD risk or only propose removal of the roles. On the SoD Review screen. therefore. then Parameter 1027 must also be set to Yes. they have the risk of potentially deleting relevant roles. Note If this parameter is set to Yes. the application displays the Remove Role button. On the SoD Review screen. This allows the reviewer to delete the roles directly without going through approval by the security administrator.  Set value as NO This is the recommended setting. If the required training is not completed for a particular role.1 # Parameter Group Parameter ID Description Default Value Access Request Training 2024 Training and verification <empty> Verification The application allows you to require that users complete training courses before the application provisions specific roles to them. March 2015 54 . To configure the connectors.  Set the value to BAdI and the application uses the specified BAdI to perform the verification. You specify the restriction criteria in parameter 2032. and Compliance > Common Component Settings > Integration Framework. and Compliance > Access Control > Workflow for Access Control. Note: You can configure the routing in the Customizing activity Maintain MSMP Workflows under Governance. Configuring the data source systems for verifying if the training requirements are completed Example 1: The user is requesting a role that has a TRAINING prerequisite. Access Request Role Selection 2031 Allow All Roles for Approver YES The application allows approvers to add additional roles to access requests when reviewing them. The workflow does not take any routing paths. the application does not provision the role.  Set the value to WS and the application uses the specified web service to perform the verification. 
101 Set the value to YES to allow approvers to view and select all roles. and Verify on Request is set to Yes. use the Customizing activity Maintain Connectors and Connector Types under Governance. Setting training requirements (See Example 1 below.  Leave the value field empty to disable the function. The connector must be of the type WS and associated with a logical port. Set the value to NO to restrict the roles the approvers can view and select for request creation. sends the request to the routing path. You enable this functionality by : 1. and instead. Configuring MSMP routing rule 3.Maintaining Configuration Settings in Access Control 10. Risk. Prerequisite: You have implemented the BAdI or web service (WS) as needed. You can define the logical port in transaction SOAMANAGER. Risk. The application will not allow them to submit the request until all the prerequisites are met.) 2. The routing checks this parameter to determine the data source for verifying if the user has completed the training required for the roles they are requesting to add. Note: Specify the prerequisite system in the connector configuration. 100 The application has a Routing rule for Training and Verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). Approvers can view and add only those roles with business process attributes that match those in the request  Set the value to F to Restrict on Functional Area. March 2015 55 .  Set the value to B to Restrict on Business Process. If parameter 2031 is set to YES. Prerequisite: You have set parameter 2031 to NO. Approvers can view and add only those roles with functional area attributes that match those in the request. You can add multiple restriction values by adding additional instances of the parameter.Maintaining Configuration Settings in Access Control 10. the application ignores the restrictions specified here. You can restrict the roles approvers can view and select for request creation. 
Set the value to NO to restrict the roles the user can view for request creation. Approvers can view and select only those roles for which they are the role approver.  Set the value to A to Restrict on Role Approver. You specify the restriction criteria in parameter 2034. 102 Access Request Role Selection 2033 Allow All Roles for Requestor YES 103 Set the value to YES to allow the user to view all roles for request creation.1 # Parameter Group Parameter ID Description Default Value Access Request Role Selection 2032 Approver Role Restriction Attribute <empty> The application allows approvers to add additional roles to access requests when reviewing them. Maintaining Configuration Settings in Access Control 10.1 # Parameter Group Parameter ID Description Default Value Access Request Role Selection 2034 Requestor Role Restriction Attribute <empty> This parameter allows you to require that. 106 Note: This is a GLOBAL setting and is required for all roles included on requests.  Set the value to F to Restrict on Functional Area. Mandatory comments can also be determined at the individual role level. the application ignores the restrictions specified here. You can add multiple restriction values by adding additional instances of the parameter. 104 Access Request Role Selection 2035 Allow Role Comments YES 105 Set value to YES to allow the user to enter Role Comments when creating access requests.  Set the value to B to Restrict on Business Process. for access request creation. The application displays only the roles that match the requestor’s functional area attribute. If parameter 2033 is set to YES. Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. March 2015 56 . Access Request Role Selection 2036 Role Comments Mandatory YES Set value to YES to require Role Comments when creating access requests. the application displays only the roles that have attributes that match the specified requestor attributes. 
The application displays only the roles that match the requestor’s business process attribute. Prerequisite: Parameter 2035 must be set to YES.  It makes the System criteria mandatory. This has the following effect:  It adds the Transaction from Backend System criteria to the Select Roles screen.1 # Parameter Group Parameter ID Description Default Value Display expired roles for existing Access Request Role Selection 2037 YES roles Set the value to YES to include the roles for which the user assignment is expired when the user chooses the Existing Assignment button on the Access Request. Set the value to YES to allow users to search for roles by transactions on a specific backend system in real time.  It fetches role information from the specified system in real time. 107 Auto Approve Roles without Access Request Role Selection 2038 YES Approvers 108 Set the value to YES to allow the application to approve access requests for roles without role assignment approvers. Search Role by Transactions from Access Request Role Selection 2039 Backend System NO Set the value to NO to allow users to search for roles using the role information in the GRC AC Repository.Maintaining Configuration Settings in Access Control 10. 109 March 2015 57 . which may have an effect on performance. you must enter a comment if you reject a role. you are not required to enter a comment if you reject a role. You use this parameter to specify the timeframe (in days) that triggers the application to display the status as Expiring.3. a system. Roles that are about to expire displays the status of Expiring.1 # Parameter Group Parameter ID Description Default Value Assignment comments mandatory Access Request Role Selection 2040 NO on rejection The available values are YES and NO. In the following example.2. the application displays the Status field for the roles. or a Firefighter ID assignment. or a Firefighter ID assignment. when you open an access request. 110 If the value is set to NO. 
Visibility of Valid from/Valid to for Access Request Role Selection 2042 0 profiles The available values are: 0. Duration for assignment expiry in Assignment Expiry 2041 <empty> Days On the My Profile and Existing Assignment screens.4 The effect on the user experience is based on the value the user selects – The visibility of dates and editable property of Valid from and Valid To field will depend on the value selected for the parameter as indicated in the screen shots below. If the value is set to YES.Maintaining Configuration Settings in Access Control 10.1. the My Profile and Existing Assignment screens will show the status of Expiring for all roles assigned to the 111 user that is about to expire in 1 to 45 days. a system. 112 March 2015 58 . Maintaining Configuration Settings in Access Control 10.1 March 2015 59 . For more information about the authorization objects. and Model User as illustrated by the screen shots below. and Model YES User The available values are Yes and No.  BOTH Enter this value enforce role search authorizations during both role definition and role provisioning.1 Security Guide. My Profile.Maintaining Configuration Settings in Access Control 10. see the Access Control 10. Display profiles in Existing Access Request Role Selection 2044 Assignments. 113  GRAC_ROLEP Enter this value to enforce role search authorizations during role provisioning. My Profile. Based on the parameter value. the system displays or hides Profiles for Existing Assignments.  GRAC_ROLED Enter this value to enforce role search authorizations during the role definition. 114 (continued) March 2015 60 .1 # Parameter Group Parameter ID Description Default Value Authorization object for role search - Access Request Role Selection 2043 GRAC_ROLED provisioning This parameter allows you to determine the behavior of role search based on authorizations and the roles the user can see during role definition and role provisioning. 
1 March 2015 61 .Maintaining Configuration Settings in Access Control 10. 010 Based on the parameter value the provisioning action is set for roles/profiles/FFID from existing assignments and My Profile as indicated in the screen shots below. 115 March 2015 62 .009.Maintaining Configuration Settings in Access Control 10.1 # Parameter Group Parameter ID Description Default Value Default provisioning action after Access Request Role Selection 2045 adding roles/profiles/FFID from 010 existing assignments and My Profile The available values are: 006. 116 Filter business process and systems Access Request Role Selection 2047 NO based on application area 117 Default provisioning environment for Access Request Role Selection 2048 <empty> business role Use this parameter to set the default provisioning environment for business roles.Maintaining Configuration Settings in Access Control 10. March 2015 63 . in access request role <empty> search This parameter allows you to choose the field type for the Business Process and System search criteria on the Access Request Role Search screen. and the System field as a text field.1 # Parameter Group Parameter ID Description Default Value Field type for business process and Access Request Role Selection 2046 system fields. or else the application ignores this parameter. For example.)  Set the value to one to display the Business Process field as a dropdown list. the application searches for the access request user on the specified LDAP source and in real time.  Set the value to three to display both the Business Process and System fields as a dropdown list. (See example below. if you set the parameter to TST then when a user submits a request for a business role the default provisioning environment is Test. If set to YES. Note Since the search is performed in realtime. You can choose the field types as a Text field with F4 help or a dropdown list. 
 Set the value to zero to display the field types for both Business Process and System as a text field. and the System field as a dropdown list.  Set the value to two to display the Business Process field as a text field. 119 Prerequisite You have specified the first user search data source as LDAP. 118 The possible values for this parameter are: DEV . it can negatively affect performance.Development PRD .Test Enable Real-time LDAP Search for Performance 2050 NO Access Request User.Production TST . 122 Generating the rules in the foreground may use up system resources for other activities or affect performance.1 # Parameter Group Parameter ID Description Default Value Enable User ID Validation in Access Workflow 2051 Request against Search Data YES Sources If set to YES. the application does not allow the request to continue.000. If the user does not exist. You can use this parameter to set a threshold for the maximum organizational rules that can be generated in the foreground. For example. the application halts the task and displays options to either run the job in the background or cancel it. you can use the Organizational Rule Creation Wizard to generate organizational rules. If the value is Yes.Maintaining Configuration Settings in Access Control 10. users can search from multiple domains when the user data source is LDAP. 120 LDAP 2052 Use LDAP domain forest NO 121 The available values are Yes and No. If the threshold is reached when someone is generating organizational rules in the foreground. Organization Rules -Maximum allowed to be generated in Performance 2060 foreground 50000 In SAP Access Control. The validation is performed when you select Submit or Enter. You can choose to generate the rules in the foreground or the background. you set the threshold value at 20. thereby keeping it from negatively affecting the system resources. The effect on the user experience is based on the value set in configuration. 
the application validates the UserID exists on the specified source system. March 2015 64 . You can use this parameter to restrict the types of files users can attach.Maintaining Configuration Settings in Access Control 10. Enter the allowed file types in this parameter. Below is an example of the confirmation message. See SAP Note 2058231. To restrict file types: 124 1. xlsx 2.1 # Parameter Group Parameter ID Description Default Value Duration for displaying confirmation Performance 2061 message (in milliseconds) 1000 This parameter applies to the SAP Fiori for SAP GRC transactional application. For example: docx. Compliance Approver. it allows all file types. March 2015 65 . By default. You use this parameter to set how long the confirmation message appears on the screen. Implement the BAdI GRFN_DOCUMENT to enable the logic and configure the wording for the error message. Separate each file type by a comma. The default is 1000 milliseconds. 123 Access Control – General Settings 2401 Allowed extensions for attachments * The application allows users to attach files. pdf. Use F4 help to display the available role status.1 # Parameter Group Parameter ID Description Default Value Role Management 3000 Default Business Process <empty> Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available project 128 releases. This parameter determines whether the role methodology step is reset to the first step (Definition) after a mass update. Reset Role Methodology when Role Management 3005 Changing Role Attributes YES The possible values are YES and NO.Maintaining Configuration Settings in Access Control 10. You maintain the list of project releases in the Customizing activity Maintain Role Status under Governance. Use F4 help to display the available sub processes. Setting it to YES causes the system to create one approval request for each role updated. Risk and Compliance > Access Control > Role Management. 
Risk and Compliance > Access Control > Role Management. Role Management 3003 Default Project Release <empty> Select the project release the application displays by default on the Role Import screen. Risk and Compliance > Access Control. Use F4 help to display the available business processes. we recommend that you set the parameter to NO to leave the role methodology intact at the current step. Recommendation When approvals are not required. Use F4 help to display the available criticality 127 levels. Role Management 3002 Default Criticality Level <empty> Select the criticality level the application displays by default on the Role Import screen. It is particularly 130 useful to avoid creating mass approval requests. Risk and Compliance > Access Control. You maintain the list of sub processes in the Customizing activity Maintain Business Processes and Suppresses under Governance. You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance. You maintain the list of business processes in the Customizing activity Maintain Business Processes and Sub processes under Governance. Role Management 3004 Default Role Status <empty> 129 Select the role status the application displays by default on the Role Import screen. March 2015 66 . Risk and Compliance > Access Control > Role Management. 125 Role Management 3001 Default Sub process <empty> 126 Select the sub process the application displays by default on the Role Import screen. You maintain the list of sub processes in the Customizing activity Specify Criticality Level under Governance. Note: The Ticket Number field is a free text entry field. 131 Allow editing organizational level Role Management 3007 NO values for derived roles 132 The maintenance screen for derived roles displays organizational levels from the parent role. 
A ticket number is required after Role Management 3008 YES authorization data changes Set the value to YES to require a ticket number when role authorizations are modified in PFCG and the user chooses the Synch with PFCG button. 133 March 2015 67 . Set the value to YES to allow the derived roles to change the values for the organizational levels. You can enter information appropriate for your company’s change request processes.Maintaining Configuration Settings in Access Control 10.1 # Parameter Group Parameter ID Description Default Value Allow add functions to an Role Management 3006 YES authorization Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen. The application only provides the field and does not have any specific requirements. Setting this value to Yes deletes the roles in each of the systems the role resided individually. the role is DELETED directly from PRD instead of having a delete request transported through CTS.1 # Parameter Group Parameter ID Description Default Value Allow Role Deletion from back-end Role Management 3009 YES system Set the value to YES to allow users the option to roles from both Access Control and relevant plug-in systems. 135 March 2015 68 .Maintaining Configuration Settings in Access Control 10. For example. Set the value to NO to allow users to delete roles only from Access Control. 134 Allow attaching files to the role Role Management 3010 YES definition Set the value to YES to allow users to attach files by displaying the Attachments tab on the Role Maintenance screen. 137 March 2015 69 .1 # Parameter Group Parameter ID Description Default Value Conduct Risk Analysis before Role Role Management 3011 YES Generation Set the value to YES to automatically perform risk analysis when the user generates roles.Maintaining Configuration Settings in Access Control 10. which are available for role generation action. 
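The following Python model of the default-role behaviour described for parameters 2009 through 2013 is an added illustration, not SAP code. It shows when a default role becomes visible depending on parameter 2011: role-level defaults (ROL) appear while the requestor is still building the request, request-level defaults (REQ) appear only when the approver opens it, and REQ&ROL combines both. The role names z_user_admin, AC_C_ROLE1 and BS_BS_123 and the attribute names come from the page; the attribute-to-default-role mapping table, the request type NEW_ACCOUNT and the treatment of an empty parameter 2010 as "no request type qualifies" are assumptions.

```python
"""Model of default-role determination under parameters 2009-2013 (added example, not SAP code)."""
from dataclasses import dataclass

REQUEST, ROLE, REQUEST_AND_ROLE = "REQ", "ROL", "REQ&ROL"   # values of parameter 2011


@dataclass
class DefaultRoleConfig:
    consider_default_roles: bool = True          # parameter 2009
    request_types: frozenset = frozenset()       # parameter 2010 (assumed: empty means no request type qualifies)
    level: str = REQUEST_AND_ROLE                # parameter 2011
    role_attributes: frozenset = frozenset()     # parameter 2012: attribute names considered on roles
    request_attributes: frozenset = frozenset()  # parameter 2013: attribute names considered on the request


@dataclass
class AccessRequest:
    request_type: str
    attributes: dict   # request attributes, e.g. {"Functional Area": "FINANCE"}
    roles: list        # roles the requestor added, in order


# Constructed attribute-to-default-role mapping (assumption; in the product this is Customizing data).
DEFAULT_ROLE_MAP = {
    ("Functional Area", "FINANCE"): ("z_user_admin",),
    ("Business Process", "PROCURE_TO_PAY"): ("AC_C_ROLE1",),
}


def _mapped_roles(attributes, relevant_names):
    """Default roles mapped from those attributes whose names the parameter declares relevant."""
    roles = []
    for name, value in attributes.items():
        if name in relevant_names:
            roles.extend(DEFAULT_ROLE_MAP.get((name, value), ()))
    return roles


def _dedupe(candidates, already_present):
    """Keep order, drop roles already on the request and repeated candidates."""
    seen = set(already_present)
    result = []
    for role in candidates:
        if role not in seen:
            seen.add(role)
            result.append(role)
    return result


def _applies(cfg, req):
    return cfg.consider_default_roles and req.request_type in cfg.request_types


def default_roles_at_creation(cfg, req, role_attributes_of):
    """Role-level defaults (2011 = ROL or REQ&ROL): added as the requestor adds roles,
    so the requestor sees them on the request screen."""
    if not _applies(cfg, req) or cfg.level not in (ROLE, REQUEST_AND_ROLE):
        return []
    candidates = []
    for role in req.roles:
        candidates.extend(_mapped_roles(role_attributes_of.get(role, {}), cfg.role_attributes))
    return _dedupe(candidates, req.roles)


def default_roles_for_approver(cfg, req, role_attributes_of):
    """Request-level defaults (2011 = REQ or REQ&ROL): added when the request is displayed
    to the approver, so the requestor does not see them at creation time."""
    if not _applies(cfg, req) or cfg.level not in (REQUEST, REQUEST_AND_ROLE):
        return []
    already = list(req.roles) + default_roles_at_creation(cfg, req, role_attributes_of)
    return _dedupe(_mapped_roles(req.attributes, cfg.request_attributes), already)


if __name__ == "__main__":
    cfg = DefaultRoleConfig(request_types=frozenset({"NEW_ACCOUNT"}),
                            role_attributes=frozenset({"Business Process"}),
                            request_attributes=frozenset({"Functional Area"}))
    role_attrs = {"BS_BS_123": {"Business Process": "PROCURE_TO_PAY"}}   # constructed role master data
    req = AccessRequest("NEW_ACCOUNT", {"Functional Area": "FINANCE"}, ["BS_BS_123"])
    print("seen by requestor:", default_roles_at_creation(cfg, req, role_attrs))
    print("added for approver:", default_roles_for_approver(cfg, req, role_attrs))
```

The two functions are kept separate because the page's point is timing, not membership: a reviewer of a REQ-level configuration should expect roles on the approver's screen that the requestor never saw, which matters when comments (parameters 2035 and 2036) or role approvers are being assigned.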
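As an added illustration of the allow-list that parameter 2401 describes (docx, pdf, xlsx), here is a Python check of the kind an implementation of the GRFN_DOCUMENT BAdI would perform. This is not SAP's BAdI code; the function names, the error wording and the decision to judge a file by its last extension only are assumptions. The value `*` (the delivered default) means every file type is allowed.

```python
"""Attachment extension allow-list in the spirit of parameter 2401 (added example, not SAP code)."""
import posixpath


def parse_allowed_extensions(parameter_value):
    """Turn the parameter 2401 value ('docx, pdf, xlsx', or '*') into a set of
    lower-case extensions. Returns None when all file types are allowed."""
    value = parameter_value.strip()
    if value in ("", "*"):
        return None
    allowed = set()
    for item in value.split(","):
        ext = item.strip().lower().lstrip(".")   # tolerate '.pdf' and 'PDF'
        if ext:
            allowed.add(ext)
    return allowed


def attachment_allowed(filename, allowed):
    """Return (ok, reason) for one uploaded file name.

    Only the final extension counts, so 'report.pdf.exe' is judged by 'exe';
    a name without an extension, or a dotfile such as '.htaccess', is rejected
    whenever an allow-list is configured. Directory parts are ignored."""
    if allowed is None:
        return True, ""
    name = posixpath.basename(filename.replace("\\", "/")).strip()
    root, dot, ext = name.rpartition(".")
    allowed_text = ", ".join(sorted(allowed))
    if not dot or not root or not ext:
        return False, f"File '{name}' has no file type; allowed types: {allowed_text}"
    ext = ext.lower()
    if ext not in allowed:
        return False, f"File type '{ext}' is not allowed; allowed types: {allowed_text}"
    return True, ""


if __name__ == "__main__":
    allowed = parse_allowed_extensions("docx, pdf, xlsx")
    for sample in ("Q1 Report.PDF", "report.pdf.exe", "README", "..\\tmp\\notes.docx"):
        print(sample, attachment_allowed(sample, allowed))
```

The check is deliberately fail-closed: anything that does not end in a listed extension is refused with a message that names the permitted types, which is the wording step 2 of the parameter description asks you to configure.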
Parameter 3012: Allow Role Generation on Multiple Systems (Group: Role Management; Default: NO)
Set the value to YES to allow users to select multiple systems when generating roles. The application displays the systems in the landscape that are available for the role generation action.

Parameter 3013: Use logged-on user credentials for role generation (Group: Role Management; Default: NO)
When generating a role, the application connects to back-end systems to push the authorization data. The application needs a username/password to open the connection to the back-end ERP system. You can use this parameter to specify whether the application uses a generic username/password for all role generation connections to the ERP system, or the username/password of the person generating the role.
- Set the value to YES to allow the application to use the username/password of the person who is generating the role.
- Set the value to NO to use a generic username/password for the connection to the ERP system. You maintain the generic username/password for the connector in the Customizing activity Create Connectors under Governance, Risk, and Compliance > Common Component Settings > Integration Framework.
The advantage of setting this parameter to YES is that when you open a role in the ERP system, you can view exactly who generated it. If the parameter is set to NO, you can see only that the connector, with the generic username/password, generated it.

Parameter 3014: Allow role generation with Permission Level violations (Group: Role Management; Default: NO)
Set the value to YES to allow the application to generate roles even if Permission Level violations are present. Set the value to NO to prohibit role generation if Permission Level violations are present.

Parameter 3015: Allow role generation with critical permission violations (Group: Role Management; Default: NO)
Set the value to YES to allow the application to generate roles even if permission level violations are present. Set the value to NO to prohibit role generation if permission level violations are present.

Parameter 3016: Allow role generation with action level violations (Group: Role Management; Default: NO)
Set the value to YES to allow the application to generate roles even if action level violations are present. Set the value to NO to prohibit role generation if action level violations are present.

Parameter 3017: Allow role generation with critical action violations (Group: Role Management; Default: NO)
Set the value to YES to allow the application to generate roles even if critical action violations are present. Set the value to NO to prohibit role generation if critical action violations are present.

Parameter 3018: Allow role generation with critical role/profile violations (Group: Role Management; Default: NO)
Set the value to YES to allow the application to generate roles even if critical role/profile violations are present. Set the value to NO to prohibit role generation if critical role/profile violations are present.

Parameter 3019: Overwrite individual role risk analysis results for mass risk analysis (Group: Role Management; Default: NO)
The possible values are YES and NO. The application allows you to perform ad hoc risk analysis for multiple roles under Access Management > Role Mass Maintenance > Run Risk Analysis. The application stores the results of the analysis. When you next perform mass risk analysis, the application searches the stored data to determine whether there are previous risk analysis results for each role. You can choose whether the application overwrites those risk analysis results.
- Set the parameter to YES to write or overwrite stored results during mass role risk analysis.
- Set the parameter to NO if you do not want to overwrite the stored results during mass role risk analysis. In this case, results are only stored during the risk analysis phase of role maintenance or during ad hoc role risk analysis.
Note: The above actions are done per individual role. The application does not automatically overwrite the results for all roles. (See also parameters 1052 and 1053.)

Parameter 3020: Role certification reminder notification (Group: Role Management; Default: 10)
You use this parameter to set how many days prior to the Next Certification date the application sends a reminder to the role owner. You set the Certification Period in Days and the Next Certification date in the Define Role phase, on the Properties tab. For example, if the next certification is June 15, xxxx, and this parameter value is 10, then the application sends the reminder notification to the role owner on June 5, xxxx.
Note: Additional information about certification notifications: For certification notifications to be delivered, you must run the GRAC_ERM_ROLE_CERTIFY_NOTIF program in either the foreground or the background. If you run the program in the foreground, the application displays the following results screen. You can schedule background jobs to run periodically using the Customizing activity Maintain Background Job for E-mail Reminders under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
The application provides notification templates. You can assign custom notification templates in the Customizing activity Maintain Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. You can customize the notification text by using the Customizing activity Maintain Text for Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. You can use the following Customizing activities to maintain custom notification e-mails under Governance, Risk, and Compliance > Access Control > Workflow for Access Control:
- Maintain Custom Notification Messages
- Maintain Text for Custom Notification Messages
- Maintain Background Job for E-mail Reminders
The following is an example of a notification e-mail.

Parameter 3021: Directory for mass role import server files (Group: Role Management; Default: <empty>)
The application allows you to perform mass role import under Access Management > Role Mass Maintenance > Role Import. You can select the Import Source as File on Server. You use this parameter to specify the location of the files on the server. (See also parameter 1101.)

Parameter 3022: Request Type for Role Approval (Group: Workflow; Default: 21)
Use F4 help and choose the request type the workflow uses for role approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

Parameter 3023: Priority for Role Approval (Group: Workflow; Default: 5)
You use this parameter to set the default workflow request priority for role approvals. Use F4 help to display the list of available priorities. You assign the MSMP Process ID SAP_GRAC_ROLE_APPR to role approval priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning.

Parameter 3024: Enforce methodology process for derived roles during generation (Group: Role Management; Default: YES)
You use this parameter to determine which derived roles are displayed in the role generation phase of the master role. Set the value to YES to display only the derived roles that have reached the role generation phase of the methodology process. Set the value to NO to display all derived roles, regardless of their phase in the methodology process. In the following example, Figure A shows five derived roles available, two of which are in the Role Generation phase. Figure B shows that if the value is set to YES, only the two roles in the Role Generation phase are displayed.

Parameter 3025: Allow selection of Org. Value Maps without leading org. (Group: Role Management; Default: NO)
You use this parameter to determine whether users may derive roles by using Org Value Maps that do not contain a leading organization. Set the value to YES to allow role derivation using Org Value Maps that do not contain a leading organization. Set the value to NO to require that role derivation is performed using Org Value Maps that do contain a leading organization.
Single Role Derivation: Choose Access Management > Role Management > Role Search. Search and open any role. Go to the role derivation phase and choose Derive. If the AC Configuration parameter 3025 = YES, the screen appears as below. If the AC Configuration parameter 3025 = NO, the screen appears as below.
Mass Role Derivation: Choose Access Management > Role Mass Maintenance > Role Derivation. Search and select any map and choose Next to go to the Select Master Role screen. If the AC Configuration parameter 3025 = YES, the screen appears as below. If the AC Configuration parameter 3025 = NO, the screen appears as below.

Parameter 3026: Save Role Provisioning Details While Copying Role (Group: Role Management; Default: Yes)
You use this parameter to specify whether you wish to copy the role details, such as the system validity period, when copying roles. The default value is YES: copy the details when creating a new role.

Parameter 3027: Automate authorization copy from master role to its derived roles (Group: Role Management; Default: No)
Possible values are YES and NO. If the parameter is set to YES, the application automatically copies authorization data from the master role to its derived roles. If the parameter is set to NO, the application does not copy the authorization data from the master role to its derived roles.

Parameter 3028: Generate derived roles after Creation/Update (Group: Role Management; Default: No)
In SAP Access Control, you can create derived roles and update them using Role Derivation and Derived Role Org. Values Update. To generate the profiles in the backend system, you must use Role Generation to create the background job. This is a manual step, and if it is not done, the profiles are not generated and the changes to the derived roles are not implemented. This parameter allows you to schedule the background job for Role Generation automatically. Set this parameter to YES to schedule the background job automatically at the time you create or update a derived role.

Parameter 4000: Application type (Group: Emergency Access Management; Default: 1)
You use this parameter to set the firefighting configuration:
- Choose 1 for ID-based firefighting.
- Choose 2 for Role-based firefighting.
Note: Configuration of parameter 4000 in any relevant target system is also required.

Parameter 4001: Default Firefighter Validity Period (Days) (Group: Emergency Access Management; Default: <empty>)
Set the default validity period (in days) of firefighter ID assignments to a firefighter.
Notes:
- This is only the default period. You can override the validity period for each assignment as needed in the front end.
- Configuration of parameter 4001 in any relevant target system is also required.
156. Parameter 4002 (Emergency Access Management): Send E-mail Immediately
THIS PARAMETER IS OBSOLETE. IT IS NO LONGER USED IN SAP ACCESS CONTROL.

157. Parameter 4003 (Emergency Access Management): Retrieve Change Log. Default value: YES
The possible values are YES and NO. If set to YES, the application fetches the Change Log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
Note: Plug-in systems must have the O/S time and R/3 time zone matched for the logs to be properly collected. This is because STAD stores the logs in O/S files.

158. Parameter 4004 (Emergency Access Management): Retrieve System Log. Default value: YES
The possible values are YES and NO. If set to YES, the application fetches the System Log (debug changes) when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

159. Parameter 4005 (Emergency Access Management): Retrieve Audit Log. Default value: YES
The possible values are YES and NO. If set to YES, the application fetches the audit (security) log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
Note: You can activate Audit Logs using the transaction SM19.

160. Parameter 4006 (Emergency Access Management): Retrieve O/S Command Log. Default value: YES
The possible values are YES and NO. If set to YES, the application fetches the O/S Command Log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The O/S Command Log tracks information when O/S commands (SM49) are created, changed, or executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

161. Parameter 4007 (Emergency Access Management): Send Log Report Execution Notification Immediately. Default value: YES
The application can send log reports to controllers. The application sends the notifications as e-mails or workflow items based on the configuration of the controllers. (See figure below; screenshot not reproduced.)
- Set the value to YES and the application sends email notifications or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
- Set the value to NO and the application only collects the logs when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The application sends the e-mail notifications or executes the workflow when the GRAC_SPM_WORKFLOW_SYNC program is executed.
Notes:
- This parameter is only valid if parameter 4009 is set to YES.
- A separate email or workflow is created for each EAM session performed.

162. Parameter 4008 (Emergency Access Management): Send Firefighter ID Logon Notification. Default value: YES
The possible values are YES and NO.
- Set to YES and the application sends an email notification to the controller whenever a firefighter executes a firefighting session.
- Set to NO if you do not want the application to send an email notification to the controller whenever a firefighter executes a firefighting session.

163. Parameter 4009 (Emergency Access Management): Log Report Execution Notification. Default value: YES
The possible values are YES and NO. If set to YES, the application sends email notifications to the controller or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
Recommendation: Consider parameter 4007 if this parameter is set to YES.

164. Parameter 4010 (Emergency Access Management): Firefighter ID Role Name. Default value: ZSAP_GRAC_SMP_FFID
Enter the name of the role assigned to the firefighter ID in the target systems. This informs the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC system and reads this configuration to check if the user has this role assigned to them.
Notes:
- Configuration of parameter 4010 in any relevant target systems is also required.
- If the IMG activity Maintain Firefighter ID Role Name Per Connector is utilized, parameter 4010 is not considered and therefore does not need to be configured.
- See SAP Note 2106895 for more information.

165. Parameter 4011 (Access Request Business Role): Allow deletion of technical roles if part of business role. Default value: YES
The possible values are YES and NO. Business roles are logical roles that exist only in the Access Control application. They allow you to create relationships with multiple technical roles, thereby granting the authorizations from multiple roles by assigning a single business role. Use this parameter to set whether to allow the deletion of technical roles if they are assigned to a user as part of a business role.
- Set the value to NO to prohibit the deletion of such technical roles. The application displays an error message: Role TechRole01 cannot be deleted; it is part of BusinessRole_AB.
- Set the value to YES to allow the application to delete the technical roles.

166. Parameter 4012 (Emergency Access Management): Default users for forwarding the Audit Log workflow. Default value: 2
Configuration parameter 4012 is used to restrict the users to whom the EAM log workflow can be forwarded.
- If it is set to 1, the workflow can be forwarded to any user in the GRC system.
- If it is set to 2, the workflow can only be forwarded to users who are designated as controllers in the Access Control Owners table.

167. Parameter 4013 (Emergency Access Management): Firefighter ID owner can submit request for Firefighter ID owned. Default value: YES
The available values are Yes and No. Based on the parameter value, the firefighter ID owner can submit a request for himself (Yes) or not (No).

168. Parameter 4014 (Emergency Access Management): Firefighter ID controller can submit request for Firefighter ID controller. Default value: YES
The available values are Yes and No. Based on the parameter value, the firefighter ID controller can submit a request for himself (Yes) or not (No).

169. Parameter 4015 (Emergency Access Management): Enable decentralized firefighting. Default value: NO
The possible values are YES and NO. Based on the parameter value, you can enable the EAM launchpad on non-GRC systems (Yes) or not (No).

170. Parameter 4016 (Access Request Business Role): Consider only the approved/completed version of a business role when provisioning. Default value: NO
This parameter allows the system to consider only the Approved or Completed versions of a Business Role for provisioning. For more information, see SAP Note 1840064.
If 4016 is set to YES:
4016 Setting in IMG | BRM Setting | Behavior During Provisioning
YES | Approval is configured | Only the Approved version of the business role is considered for provisioning.
YES | Approval is not configured | Only the Complete version of the business role is considered for provisioning.
If 4016 is set to NO:
4016 Setting in IMG | BRM Setting | Behavior During Provisioning
NO | Not equal to Approval or Complete | The system considers the current version of the business role when provisioning, irrespective of whether it is Approved or Complete.

171. Parameter 4017 (Emergency Access Management): Enable CUP request number to show in Firefighter ID/Role Assignment Screen. Default value: YES
The Firefighter ID is requested to be assigned to the Firefighter User during the Access Request process (formerly CUP). Setting the parameter to YES ensures that this request number is visible in the Firefighter ID and Firefighter maintenance screens in the Comment column. This provides a way to track the progress of the request. Setting the parameter to NO will result in the request number not being visible in the Firefighter ID and Firefighter maintenance screens in the Comment column. For more information, see SAP Note 1781696.

172. Parameter 4018 (Emergency Access Management): Enable detailed application logging (SLG1) for Firefighter log synchronization programs. Default value: NO
SAP Access Control keeps logs of firefighting activities on the plug-in systems. The logs are synchronized back to the central system and the data goes into firefighting reports. Errors may occur that disrupt the synchronization of the logs from the plug-in systems to the central system. Set the parameter to Yes to enable detailed logging in SLG1. You can use the additional information to determine the cause of the disruption.

173. Parameter 4019 (Access Request Business Role): Exclude manual changes to role assignments or profiles from repository sync. Default value: NO
This parameter controls whether manual changes to role assignments and profiles done in SU01 and SU10 on the backend system are synched to the GRC repository. Set the parameter to No to include the manual changes to role assignments or profiles in the synch job. Set the parameter to Yes to exclude the manual changes to role assignments or profiles from the synch job. For more information, see SAP Note 1874160.

174. Parameter 4020 (Emergency Access Management): Send EAM log review workflow for blank firefighter sessions as well. Default value: NO
This parameter controls whether to send the EAM log review workflow even if the firefighter has not performed any activity. Set the parameter to Yes to generate the EAM log review even if there is no activity. For more information, see SAP Note 2017105.

175. Parameter 5021 (Access Request Validations): Validate the manager ID for the specified user ID. Default value: YES
The application allows you to choose whether to validate the manager ID against the specified user ID when submitting an access request. The application takes the value from the Manager field on the Access Request > User Details page and checks it against the information from table USR01 in the current system. Set the value to Yes to enable the validation. Set the value to No to disable the validation.

176. Parameter 5022 (Access Request Validations): Consider the password change in access request. Default value: YES
On the Access Request screen, users can change their account information, including their password. Set the value to YES to allow users to change passwords in the request. When the request is created and approved, the application sends an email notification to the user. Set the value to NO to prevent users from changing their passwords in the request. For more information, see SAP Note 1696143.

177. Parameter 5023 (Access Request Validations): Consider details from multiple data sources for missing user details in access requests. Default value: NO
This parameter controls where the system looks for user details when an access request is created using the standard access request method. It does not apply to access requests that are created using templates. The possible values are YES or NO.
The User Details are defined in the SAP IMG under Governance, Risk, and Compliance > Access Control > Maintain Data Sources Configuration. There can be several entries in this table. The application only searches the entries for User Detail Data Sources.
If the parameter is set to NO, the application obtains the user details from the first connector (User Detail Data Source) where the user exists. It does not check if the user exists in any additional connectors, even if it needs more details.
If the parameter is set to YES, the application searches the user details of all data sources where the user exists. For example, if the application finds only partial data from the first data source, it continues to retrieve data from additional data sources until there are no more data sources or until the data for the user is complete.

178. Parameter 5024 (Access Request Validations): Enable in-line editing for user group and parameter in access request. Default value: NO
This parameter applies to the Access Request screen. It enables you to choose whether or not users may freely enter values on the User Group and Parameter tabs or whether they must choose from predetermined values. Set the value to Yes to allow users to enter any value on the screen. Set the value to No to force users to choose from predetermined values.

179. Parameter 5026 (Access Request Validations): Make system and provisioning actions visible for filtering user assignments for model users. Default value: NO
Parameter 5026 allows Access Control to display system and provisioning actions that you can use to filter user assignments for model users. You must enter a value of YES or NO. If you choose YES, the Model User Access screen looks like this (screenshot not reproduced). If you choose NO, the Model User Access screen looks like this (screenshot not reproduced).
Recommendation: If this parameter is set to YES, review parameters 5027 and 5028.

180. Parameter 5027 (Access Request Validations): Default value for filtering by system. Default value: NO
This parameter applies to the Model User Access screen. It enables you to choose a default system for filtering when you define the user access. Valid values are any systems in your landscape. If you leave the value as BLANK, the user access is not filtered by system.
Note: This parameter is only valid if parameter 5026 is set to YES.

181. Parameter 5028 (Access Request Validations): Default value for filtering by provisioning action. Default value: NO
This parameter applies to the Model User Access screen. It enables you to choose a default provisioning action for filtering when you define the user access. Valid values are Assign, Retain, Remove, and Blank. If you leave the value blank, the user access is not filtered by the system.
Note: This parameter is only valid if parameter 5026 is set to YES.

182. Parameter 5031 (Simplified Access Request): Enable "Open in Advanced Mode" option. Default value: YES
This parameter applies to the Simplified Access Request screen. It enables you to choose whether to display the button Open in Advanced Mode. Set the value to Yes if you want to display the button Open in Advanced Mode on the Simplified Access Request screen. Set the value to No if you do not want to display the button Open in Advanced Mode on the Simplified Access Request screen.
If 5031=Yes, the Open in Advanced Mode button is present; the screen display looks like the image below (screenshot not reproduced). If 5031=No, the Open in Advanced Mode button is missing, as shown in the image below (screenshot not reproduced). The screenshot below shows what users see if they select the Open in Advanced Mode button (screenshot not reproduced).

183. Parameter 5032 (Simplified Access Request): Disable Type-ahead search in Simplified Access Request. Default value: NO
This parameter influences how the search function works when you search for roles during Simplified Access Request. Set the value to Yes if you do not want to use type-ahead search. Set the parameter value to No if you want to use type-ahead search. You can also decide to have the system anticipate your search value by setting the parameter value to No. With this feature, as you enter text, the system finds one or more possible matches for the text and presents these to you as possible choices.
The image below shows how you access the role search screen (screenshot not reproduced). When you choose the Select Roles for Addition button, you are given a choice to search by User, Role, System, or Key Word. Choose a search key such as Role and begin to type a value. As illustrated below, if parameter 5032 is set to NO, the system proposes possible values from which you can choose (screenshot not reproduced).

184. Parameter 5033 (Emergency Access Management): Allow creation of firefighters with no controller. Default value: YES
In SAP Access Control, the controller is the user who reviews and approves log files from firefighting activities. Set the parameter to YES to create firefighters without requiring a controller. Set the parameter to NO to prevent the creation of firefighters without a controller.
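As an added example (not from this guide or from SAP), the following Python checker reads a constructed parameter export and flags the settings that the Emergency Access Management and Access Request entries above describe as weakening firefighter log evidence, controller notification, workflow forwarding scope, or approval-gated provisioning. The "PARAM_ID;VALUE" export format, the sample values, and the system name ERP_CLNT100 are assumptions.

```python
"""Audit an exported SAP Access Control parameter list (hypothetical helper, not SAP code).

Reads a constructed "PARAM_ID;VALUE" export and reports settings that, per the
parameter descriptions above, reduce firefighter log evidence, suppress controller
notifications, widen who may receive the EAM log workflow, or bypass approval-gated
provisioning. The export format and all sample values are assumptions.
"""

# Constructed sample export: one "PARAM_ID;VALUE" line per parameter.
SAMPLE_EXPORT = """\
4003;YES
4004;NO
4005;NO
4006;YES
4007;YES
4008;YES
4009;NO
4012;1
4016;NO
5026;NO
5027;ERP_CLNT100
5033;YES
"""

# EAM log sources that GRAC_SPM_LOG_SYNC_UPDATE collects when the parameter is YES.
LOG_SOURCES = {"4003": "Change Log", "4004": "System Log",
               "4005": "Audit Log", "4006": "O/S Command Log"}

def parse_export(text):
    """Return {parameter_id: VALUE} from PARAM_ID;VALUE lines; blank and # lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, _, value = line.partition(";")
        params[pid.strip()] = value.strip().upper()
    return params

def is_yes(params, pid):
    return params.get(pid, "") == "YES"

def audit(params):
    """Return a list of (parameter_id, reason); an empty list means no findings."""
    findings = []
    # Evidence: a log source left at NO never reaches the Consolidated Log Report.
    for pid, name in LOG_SOURCES.items():
        if not is_yes(params, pid):
            findings.append((pid, f"{name} is not retrieved; sessions are reviewed without it"))
    # Notification chain: 4007 only takes effect when 4009 is YES.
    if not is_yes(params, "4009"):
        findings.append(("4009", "log report execution notification is off"))
        if is_yes(params, "4007"):
            findings.append(("4007", "set to YES but ignored because 4009 is not YES"))
    if not is_yes(params, "4008"):
        findings.append(("4008", "controller is not notified when a firefighter ID logs on"))
    # Forwarding scope: 1 = any GRC user, 2 = designated controllers only.
    if params.get("4012") == "1":
        findings.append(("4012", "EAM log workflow can be forwarded to any user"))
    # Review coverage: a firefighter without a controller has nobody to review the logs.
    if is_yes(params, "5033"):
        findings.append(("5033", "firefighters can be created with no controller"))
    # Provisioning: with 4016 = NO the current, possibly unapproved, role version is used.
    if not is_yes(params, "4016"):
        findings.append(("4016", "current business role version provisioned regardless of approval"))
    # Model user filters: 5027 and 5028 are ignored unless 5026 is YES.
    for pid in ("5027", "5028"):
        if params.get(pid, "") not in ("", "NO") and not is_yes(params, "5026"):
            findings.append((pid, "filter default set but ignored because 5026 is not YES"))
    return findings

if __name__ == "__main__":
    for pid, reason in audit(parse_export(SAMPLE_EXPORT)):
        print(f"parameter {pid}: {reason}")
```

Run against the sample export it reports eight findings; against a set that keeps the delivered YES defaults for 4003 to 4009, sets 4012 to 2, 4016 to YES and 5033 to NO, it reports none.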
2. Copyright

© 2015 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.