Channel: SCN : Document List - Governance, Risk and Compliance (SAP GRC)

Top 10 most viewed SAP KBAs for GRC Process Control in January 2015


Purpose

The purpose of this document is to provide a list of the top ten most viewed SAP KBAs for GRC Process Control in the month of January 2015.


Overview

Below are the top 10 most viewed SAP KBAs for GRC Process Control.

 

KBA Number   KBA Title
1884797   System is throwing runtime error "SYSTEM_NO_SHM_MEMORY"
2105791   Consolidated Note for Process Control 10.1 Master Data
2104086   Consolidated Note for Process Control 10.0 Master Data
2022567   Access using a 'ZERO' object reference is not possible
2006772   Automated Monitoring Job with status Error
1922636   With Exceptions Status in Planner Assessments
2085529   OWP ASSERTION_FAILED Master Note
2047097   Communication failure with remote system (SAP Query)
1781991   How to deactivate the New Work Item Notifications
1884827   Automated job created stays in "In Progress" state

 

Please note that, in order to view the contents of the Knowledge Base Articles (KBAs), you will need to be logged into the Service Marketplace.

 

 

See Also

Top 10 most viewed SAP KBAs for GRC

 


GRC Weekly News - 01/19/2015


RELEASED NOTES AND KBAs


GRC-SAC-ARA

   1986732  GRC 10.0: Risk Violations - Number of Analyzed Users

    2099999  Remediation View screen shows blank while Risk Analysis

    2113597  Tuning Organization Rules for better performance

    2116171  Rule Set is not considered for Critical Role/Profile Risk Analysis

    2117916  Incorrect status in Access rule detail report

 

GRC-SAC-ARQ

   1791296  Note for SAP GRC AC PORTAL PI GRCPIEP in AC10 for NW 730/731

   1806141  GRC 10.0: EUP not supported for Multiple Users requests

   1973753  UAM: Incorrect default roles added into request

   1982339  UAM: End user is able to submit request for business role with retain provision

   2058184  Request with conflict and mitigation report not working

   2069094  Fix related to User details, Default role, system description and unlock action type

   2115282  UAM: Portal role name incomplete in audit log after provisioning

   2116145  Fiori Check Request Status - Cancelled requests displays as "Pending"

   2116262  UAM: Request approval possible with risks

   2116829  Mass load of Business role assignments to users

   2116843  GRC 10.0: Maintain Guided Procedures Gateway

 

GRC-SAC-BRM

   2083724  Program GRAC_CHECK_BROLE_ASSIGNMENT does not exist

   2117294  AC10.1 - Poor performance of Repository Sync

   2117340  Default role import not working

   2058957  Enable manual editing in EAM maintenance screens

   2113707  Remove non working print button

   2116307  Background job status does not change on RFC time out error


    

GRC-SPC

   1899028  Notification goes to Owner if there is no deficiency in Sap Query Scenario in Automated Monitoring

   1954054  Can’t Cancel Event Trigger Automated Monitoring Job

   1988286  Currency amount issue error in ad-hoc query

   2096980  Unreserve the work item for process control work items

   1948002  PC task get reserved on Approver Delegation to a AC user

   2117375  Navigate to Subprocess Tab into Organization details causes short dump

   2117756  Risk template cut not reflected on sub process risks

   2079702  PC10.1SP07: Dump in Evaluation Status Bar Chart

   2104886  Reporting: Long running traverses of Process

   1949265  GRC PC: How to enable multilingual test steps in test plan

   1951090  Problem with period in a copy of recurring plan

   2112383  Empty comments for assessments/surveys

 

GRC-RM

   2114201  Risk OIF - create new risk with Influenced risks - error on save

   2114360  Bow tie builder - entering big number causes dump

   2116408  Risk OIF - Start risk validation in one click

   2117409  WF monitor application for managers - activation/deactivation

   2117687  RM reporting - performance improvement of KRI instance reports

   2118235  Risk template cut - related local risks remains locked

   2118325  Deleted loss events are shown in the "Loss Event Structure" dashboard

   1847859  Reporting: More detail logging of errors in reporting engine

   2117051  Reporting: Performance improvement when processing merged nodes

   2117742  Number of losses and/or loss events in the dashboards are not correct

   2118287  Response Upload: Wrong risk check

 

RELATED INFORMATION


   2094723  Consolidated Note for SAP Access Control 10.0 Master Note

   2096196 Consolidated Note for SAP Access Control 10.1 Master Note

   2104086  Consolidated Note for Process Control 10.0 Master Data

   2105791  Consolidated Note for Process Control 10.1 Master Data

GRC10.1 How Reassign functionality works in Emergency Access Management in GRC


GRC 10.1 How Reassign functionality works in Emergency Access Management in GRC Access Control


1. Reassignment of Owner IDs to Firefighter IDs
2. Reassignment of Controller IDs to Firefighter IDs
3. Reassignment of Firefighter IDs to Firefighter Users and vice versa

The Reassign functionality was introduced to handle organizational changes in which one user replaces another in the organization.

Suppose that, due to organizational changes in the company, one user has been replaced by another user.

Or a user who was the Firefighter Owner/Controller of multiple Firefighter IDs has left the organization.

To avoid the effort of changing each assignment one by one, the Reassign functionality was introduced in GRC Access Control 10.1. It replaces the old user with the new one across all assignments in one shot.

CAUTION: The functionality is intended for use by the Admin user only, because only the admin user should have the authorization to change existing assignments.

Firefighter Owners, Controllers, Users and IDs should not be given any authorization to change the existing data.


Example:
Owner A has Firefighter IDs 1 and 2.
Owner B has Firefighter ID 3.
On reassigning Owner A to Owner B, Owner B should get Firefighter IDs 1, 2 and 3 assigned.
Owner A should no longer appear in the POWL, but fresh assignments can still be made to Owner A.

The same functionality works for the Controller, Firefighter and Firefighter ID links.

Note: On reassigning a new Owner to any Firefighter ID, the same Owner ID should be updated automatically in the Owner column of the Firefighters link assignments.


Find the detailed step-by-step screenshots below:


The POWL screens of the Owner, Controller, Firefighters and Firefighter IDs links in the GRC application are provided with a Reassign button.

In the Owner link, select the existing Owner-Firefighter ID assignment and click the Reassign button.

111.png

 

Make sure you get a confirmation popup with the options Yes/No.

2.png


In the Reassignment screen, the Owner ID text field should be blank, and all the Firefighter IDs already assigned to that Owner ID should be listed in the table below.

3.png


Select the new Owner ID using the F4 help and click the Save button.

4.png


Now, in the POWL screen, there should be multiple entries (line items) for the new Owner ID, one for each assigned Firefighter ID.
The other line items are visible on scrolling down (not included in the screenshot).

 

5.png

 

On opening this Owner, it should have all the Firefighter IDs assigned, including both the Owner's own old assignments and the new assignments taken over from the other user.

6.png


Related code fixes/notes on similar area:


2108258 - EAM 10.1, functionality of reassign button on FFID screen
24644 - Reassign should validate the current value at FFuser screen


Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant


The motivation to write this document comes from the Community Collaboration for GRC Blogs and Documents project that we recently started in the GRC space. Leo (S A) requested a document that elaborates which tools and transactions are used by a GRC consultant. I have extended the request to also name some programs and tables I regularly use to do my job. The following listing gives you an overview of the transactions, tools, programs and tables used by a GRC consultant. Each table is sortable by clicking on its headings.


 

Transactions

 

Transaction | Description | Key Area | Why is this useful? | Further details, links, etc.
NWBC | Launch NetWeaver Business Client | All | Launches NWBC HTML. You will need to have work centre roles assigned or build your own. |
SPRO | Customizing | All | Self explanatory: the configuration entry point for both GRC and plug-in systems. |
GRAC_UPLOAD_MIT_ASGN | Upload Mitigation Assignments | ARA | Upload a huge number of mitigations (user, role, profile) in one shot. You can either append to your current mitigations or overwrite them. Program GRAC_UPLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments
GRAC_DWLOAD_MIT_ASGN | Download Mitigation Assignments | ARA | Download a huge number of mitigations (user, role, profile) in one shot. Program GRAC_DOWNLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments
GRFNMW_CONFIGURE_WD | MSMP Workflow Configuration | WF | MSMP Workflow Configuration, standard view (a Web Dynpro will launch). |
GRFNMW_CONFIGURE | MSMP Workflow Config Expert | WF | SAP GUI expert mode for MSMP workflow configuration. Do not use this transaction if you are not familiar or strong with MSMP configuration, as you risk corrupting your build. It is useful if you need to retransport or transport all of the MSMP configuration in one go, as you can select it like an IMG table. |
GRFNMW_DBGMONITOR_WD | MSMP Instance Runtime Monitor | WF | Comprehensive view of the workflow execution for MSMP evaluation, including Stage/Path calculation, provisioning notes, notifications and agents. This is useful for an Administrator to track issues with an MSMP after a request has been submitted. |
SWDD | Workflow Builder | WF | It is unlikely you will need to go into this transaction, as the SAP workflows are out of the box and MSMP is used. You can identify the MSMP integration from here. |
SWIA | | WF | SAP standard workflow. This allows you to check the current Workflow and Task numbers. If the MSMP Instance Runtime Monitor shows the workflow as completed but SWIA does not, there is an issue with the workflow configuration. Check the Marketplace in case there is a correction. |
GRAC_ROLE_MASS_IMPRT | Mass Role Import from Backend System | BRM | |
GRAC_SPM_CLEANUP | Cleanup EAM Application Data | EAM | Program to clean up EAM tables. |
GRAC_EAM/GRAC_SPM and /GRCPI/GRIA_EAM | EAM Logon Pad | EAM | For centralized firefighting, you use GRAC_EAM to open the EAM Launchpad on the GRC system. For decentralized firefighting, you use /GRCPI/GRIA_EAM to open the EAM Launchpad on the plug-in systems. The launchpad for centralized firefighting displays all the plug-in systems to which you have access. The launchpad for decentralized firefighting does not display any systems, because it allows you to access only the current plug-in system. |
GRAC_UPLOAD_RULES | Upload Access Control Rules | ARA | This is available in the IMG navigation and allows you to import the rule set. Note: if you have workflow activated for your rule set, this will not trigger workflow. |
GRAC_COPY_RULES | Copy Access Control Rules | ARA | Utility for copying SoD rules from one system to another of the same type. |
GRAC_RULE_DELETE | Delete Access Control Rules | ARA | This is available in the IMG navigation and allows you to delete the rule set. Note: if you have workflow activated for your rule set, this will not trigger workflow. |
GRAC_DOWNLOAD_RULES | Download Access Control Rules | ARA | This is available in the IMG navigation and allows you to download the rule set. Recommend you save a selection variant with the file names and paths so you do not have to maintain them every time. |
GRAC_GENERATE_RULES | Generate Access Control Rules | ARA | This is available in the IMG navigation and allows you to mass generate the rules. You can also execute this via NWBC; however, this program allows you to schedule it in the background via SM36/SM37. |
GRAC_RULE_TRANSPORT | Transport Access Control Rules | ARA | This is available via the IMG navigation and allows you to mass transport the rule set. |
GRAC_EXPORT_RA | Export Risk Analysis Data (e.g. when the file is too big for the web) | ARA | Program to download the results of the risk analysis to a local file. |
GRAC_BATCH_RA | Risk Analysis in Batch Mode | ARA | This is available in the IMG navigation and triggers the program for you to schedule batch risk analysis. Ensure your configuration parameters are set. |
GRAC_GENERATE_RULES | | WF | Build MSMP rules (usually BRF+). Refer to the comment in the next row about creating the BRF+ application first. |
GRAC_GEN_ERM_BRFRULE | | WF/BRM | Build the BRF+ rules for the BRM role methodology and approval condition groups. Note: before running it, go to BRF+ and create a shell application that has been assigned to a transport and activated, and use this application in your definition. If not, it gets created in $TMP. |
BRFPLUS | BRFplus Workbench | WF | Alternative transactions: BRF+ and FDT_WORKBENCH. You can maintain the BRF+ rules here and transport them through to Production. |
STZAD | Customizing Time Zones | BC | Discuss with Basis before making any changes to the time zone, as it can impact EAM log collection, etc. |
SLG1 | Display Application Logs | BC | Application log display. It is useful to track error messages; most GRC authorisation errors will show in the application log. |
SE61 | SAP Documentation (Email templates, etc.) | All | Document maintenance. |
SE63 | Translations | All | This transaction enables you to directly translate individual objects. |
SCPR20 | Activate BC Sets | Basis | Activation of BC Sets. | Activate BC Sets - Business Configuration Sets (BC-CUS) - SAP Library
PPOM | Maintain Organizational Plan | Basis | Maintain Organizational Plan. |
SOST/SOSB | SAPconnect Send Requests | | Check if there has been an issue with sending email notifications, or reprocess requests. Transaction SOSB can be restricted to limited functionality. | Tcode SOST
SCOT | SAPconnect Administration | Basis | Configuration of SAPconnect. Discuss with your Basis team. Take care when enabling it in a non-production environment so you do not accidentally send emails to users and add confusion. If enabled for non-production, it is recommended to put dummy email addresses on the user accounts. |
ST01/STAUTHTRACE/ST05 | System Trace | | Trace for an application server. ST01 is useful for authorisation checks and includes database calls, kernel and RFC. STAUTHTRACE is the newer version for security tracing, with ALV functionality and drill-down (much easier to interpret than ST01). ST05 comes in handy to trace SQL calls to find the table where information has been stored. |
SM12 | Enqueue Locks | Basis | You can access this in display mode only. It can be a quick way to find which tables your data is stored in: go into the NWBC screen in change mode so it puts a lock on the tables, then open a new session and go to SM12 to find the tables. |
STAD | Display Statistics for all systems | Basis | EAM FF logs import STAD information. |
SCC4 | Client Administration | | Ability to change client settings to enable cross-client changes. Do not make changes to these settings without discussing them with Basis. Depending on your landscape strategy you may need to maintain some IMG settings directly in the client (such as the integration framework). |
SNOTE | Note Assistant | BC | Import and apply SAP Notes. Check your company's policy on who is responsible for note application. If you have not applied an OSS note before, it is strongly recommended that you talk to your developer or Basis to learn about prerequisite and post-processing activities. In some cases, a developer key will be necessary. |
SE01/SE09 | Transport Organizer | BC | Manage your transports. |
SE16 / SE16N | Data Browser | | Transaction to easily browse through data tables. |
SM01 | Lock Transactions | SEC | Lock transactions to prevent users (even if authorised) from executing them. Usually security is responsible for this activity. |
SM36 | Schedule Background Jobs | BC | GRC Access Control uses a job scheduler via NWBC. Jobs for connector sync, etc. can be set up via SM36. |
SM37 | Overview of Background Jobs | BC | Allows you to view background jobs. All job runtimes will show here, even if scheduled via NWBC. |
SA38 | ABAP Reporting | ABAP | Execute SAP ABAP programs. |
SE38 | ABAP Editor | ABAP | Program Editor. |
SE80 | Object Navigator | ABAP | SAP Development Workbench; most development functionality is available from this transaction. |
SE37 | ABAP Function | ABAP | MSMP SAP standard rules are usually function modules. You can look at the code if you want to better understand what is being evaluated. Also comes in handy for setting a breakpoint if you need to debug. |
SE24 | ABAP Class | ABAP | Useful if you need to check the code and add a breakpoint to a method. |
OOCU | Task Customizing | | |
BD54 | Logical Systems | Basis | RFC connections have to be defined as a logical system (usually with the same name) so that they can be referenced in the integration framework configuration. |
SM59 | RFC Destinations | Basis | RFC configuration. |
SM66/SM50 | Work Process | Basis | View the number of background work processes available to define as part of the integration framework for background job processing. |
SUIM | | SEC | User Information Reporting system. |
S_BCE_68001426 | Transactions for User | SEC | Report shows a list of all transactions assigned to a user. This is a very helpful report to identify critical transactions a user has access to. |
S_BCE_68001418 | Roles by Role Name | SEC | Report to find roles by complex selection criteria. This report can be used to find roles by description, etc. |
S_BCE_68001419 | Roles by User Assignment | SEC | Report shows a list of all roles assigned to a user. This is very helpful to get an overview of all the roles a user is authorized for. |
S_BCE_68001420 | Roles by Transaction Assignment | SEC | Report shows a list of all roles that include a specific transaction. This is very helpful to easily find possible roles through which to assign a transaction. |
SICF | HTTP Services | BC | Discuss with Basis and Security before activating these, as it poses a security risk. If you receive a 403 Forbidden error in NWBC, it means a service needs to be activated for the Web Dynpro. You can also test the services here. For PSS/End User Login screens, the SICF services need to be configured with the service account username and password stored. |
GRAC_REP_OBJ_SYNC | Object Rep Sync | All | User + Role + Profile Synchronization Job |
GRAC_USER_SYNC | User Sync | All | User Synchronization Job |
GRAC_ROLE_SYNC | Role Sync | All | Role Synchronization Job |
GRAC_ROLE_USAGE_SYNC | Role Usage Sync | All | Role Usage Synchronization Job |
GRAC_ACT_USAGE_SYNC | Action Usage Sync | EAM/ARA | Action Usage Synchronization Job |
GRAC_PROFILE_SYNC | Profile Sync | All | Profile Synchronization Job |
GRAC_AUTH_SYNC | Auth Sync | All | Authorization Data Synchronization Job |
GRAC_SPM_SYNC | EAM Sync | EAM | Emergency Access Management Master Data Synchronization Job |
GRAC_SPM_WF_SYNC | EAM Workflow Synchronization | EAM | Emergency Access Management Workflow Synchronization Job |
GRAC_SPM_LOG_SYNC | EAM Log Sync | EAM | Emergency Access Management Log Synchronization Job |
GRFN_STR_DISPLAY / GRFN_STR_CHANGE | Org Structure Expert Change | All | These transactions show all the relationships between objects in the structure, considering the timeframe of each object and the timeframe of the relationship. Both are considered super transactions and are really sensitive. They are GRC-exclusive transactions to check the object hierarchy. The point of GRFN_STR_CHANGE is that within this transaction you can change master data that you could not change using the UI. This means the structure change transaction is not recommended, as you can cause severe data inconsistency in the system if you use it without knowing what you are doing. |
PFCG | Role Maintenance | Basis | Role maintenance to create and edit roles. | Role Maintenance in PFCG - SAP NetWeaver Business Client - SAP Library
SU01 | User Maintenance | Basis | User maintenance. |
SE16 | Data Browser | Basis | Data browser to view/add table data. |
SM30/SM31/SM34 | View Maintenance | Basis | SE16 and SM30 essentially give direct access to table information. SM30 is restricted in that you cannot use the SM30 interface to view all tables; only tables with a maintenance dialog defined can be accessed through SM30. There is no such restriction on table access in SE16: as long as you have access to the authorization group pertaining to the table, you will be able to access the information through SE16. |
GRFNMW_ADMIN | MSMP Power User / Debug | WF | |
GRFNMW_CN_VERA | MSMP Process Active Version Maint. | WF | |
GRFNMW_DEBUG | MSMP Process Debug Settings | WF | |
GRFNMW_DEBUG_MSG | MSMP Process Debug Messages Settings | WF | |
GRFNMW_DEV_CONFIG | MSMP Development Configuration | WF | |
GRFNMW_DEV_RULES | MSMP Rule Generation / Testing | WF | |
GRFNMW_GEN_VERSION | Generate Versions for MSMP Config | WF | Generate Version is useful to run after you import a transport (post-processing activity) instead of going into the MSMP screen to activate. |
GRFNMW_MONITOR | MSMP Workflow Monitoring | WF | Monitoring of the MSMP workflow statistics. |
GRAC_ENDUSRFORM_SICF | End user form SICF service | | |
GRAC_FFOBJ_DSC_MAINT | Maintain EAM FF Object Description | | |
GRAC_FFOBJ_DSC_MNT1 | Firefighter Object Maintenance | | |
GRAC_IDM_SCHEMA_SYNC | IDM Schema Update | | |
GRAC_DATA_MIGRATION | AC10 Data Migration | | Program to migrate data from an earlier version. |
GRAC_DELETE_REPORT_S | Delete Report Spool data | | |
GRACRABATCH_MONITOR | Batch Risk Analysis Monitor | | This program is used to monitor the execution status of a running batch risk analysis. |
GRAC_ALERT_GENERATE | Alert Generation | | Program that generates alerts. | SAP Access Control 10.0 Alerting
GRAC_BATCH_RA | Risk Analysis in Batch Mode | | Offline analysis is not real-time data but depends on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as a background job in GRC using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). | Online vs. Offline Risk Analysis
WD_TRACE_TOOL | Web Dynpro Tracing | Basis | The Web Dynpro trace tool supports the analysis of problems and errors arising in Web Dynpro ABAP by collecting and listing the data related to the Web Dynpro ABAP application. | Web Dynpro Trace Tool - Web Dynpro for ABAP - SAP Library

 

Programs

 

Program | Description | Why is this useful? | Further details, links, etc.
PRGN_COMPRESS_TIMES | Program to merge the assignments of identical users and roles, provided the validity periods overlap with one another or immediately follow each other. You can also delete expired assignments. | Very helpful to easily delete expired assignments or to clean up the assignments after a system copy. Please note that this program should not be run if you have ARQ in place for business role provisioning. | Before Initial Load ...
TZCUSTHELP | Troubleshooting Support for Time Zone Settings | | Timezone changes best practices - Basis Corner - SCN Wiki
TZONECHECK | Check Time Zone Data for Consistency | | Timezone changes best practices - Basis Corner - SCN Wiki
RSLDAPSYNC_USER | Synchronization of SAP User Administration with an LDAP-Compatible Directory Service | | Synchronization of SAP User Administration with an LDAP-Compatib - Identity Management - SAP Library
GRFNMW_BATCH_EMAIL_REMINDER | Job used to send email reminders to approvers based on number of days and frequency. | |
GRFNMW_BATCH_STALE_REQUEST | This program is useful for deleting non-actionable old requests from the system as a housekeeping activity. | |
RSCONN01 | This job is used for sending email (and other types of communication items). | |
/GRCPI/GRIA_DNLDROLES | Download roles data for mass import. | |
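The PRGN_COMPRESS_TIMES row above describes a validity-interval merge: for the same user and role, periods that overlap or immediately follow each other collapse into one, and expired assignments can be deleted. The following Python model is an added example written for this page; it is not SAP's program and does not touch an SAP system. The Assignment records, the user and role names, the dates and the `TODAY` cut-off are constructed sample data, and the `arq_business_roles_active` guard is an assumption of the model that represents the caveat about not running the compression while ARQ provisions business roles.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    """One user/role assignment with an inclusive validity period."""
    user: str
    role: str
    valid_from: date
    valid_to: date


def compress_assignments(assignments, today, drop_expired=True,
                         arq_business_roles_active=False):
    """Model of the behaviour the page describes for PRGN_COMPRESS_TIMES (not SAP's code).

    For each (user, role) pair, assignments whose validity periods overlap or
    immediately follow each other are merged into one record; assignments whose
    valid_to lies before `today` are dropped when drop_expired is set.
    """
    # Caveat from the page: with ARQ business-role provisioning in place the
    # individual assignments belong to the request workflow, so refuse to run.
    if arq_business_roles_active:
        raise RuntimeError("do not compress assignments while ARQ business role provisioning is active")

    groups = {}
    for a in assignments:
        groups.setdefault((a.user, a.role), []).append(a)

    result = []
    for (user, role), items in groups.items():
        merged = []
        for a in sorted(items, key=lambda x: (x.valid_from, x.valid_to)):
            last = merged[-1] if merged else None
            # "immediately follow" means the next period starts the day after the
            # previous one ends; a day-difference test also covers overlaps and
            # avoids date overflow on 9999-12-31 end dates.
            if last is not None and (a.valid_from - last.valid_to).days <= 1:
                merged[-1] = Assignment(user, role, last.valid_from,
                                        max(last.valid_to, a.valid_to))
            else:
                merged.append(a)
        for m in merged:
            if drop_expired and m.valid_to < today:
                continue  # expired assignment: deleted by the cleanup
            result.append(m)

    return sorted(result, key=lambda x: (x.user, x.role, x.valid_from))


# Constructed sample data (not taken from any real system).
SAMPLE = [
    Assignment("JSMITH", "Z_AP_CLERK", date(2014, 1, 1), date(2014, 6, 30)),
    Assignment("JSMITH", "Z_AP_CLERK", date(2014, 3, 1), date(2014, 4, 30)),    # overlaps the first
    Assignment("JSMITH", "Z_AP_CLERK", date(2014, 7, 1), date(2015, 12, 31)),   # contiguous with the first
    Assignment("JSMITH", "Z_GL_DISPLAY", date(2013, 1, 1), date(2013, 12, 31)), # expired
    Assignment("MJONES", "Z_AP_CLERK", date(2014, 1, 1), date(2014, 11, 30)),   # expired, gap before next
    Assignment("MJONES", "Z_AP_CLERK", date(2015, 1, 1), date(9999, 12, 31)),
]

TODAY = date(2015, 1, 26)  # assumed run date of the cleanup


def run_sample(drop_expired=True):
    """Compress the constructed sample; returns the surviving assignments."""
    return compress_assignments(SAMPLE, TODAY, drop_expired=drop_expired)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.user:8} {a.role:14} {a.valid_from} .. {a.valid_to}")
```

With the sample above, JSMITH's three Z_AP_CLERK records collapse into one period from 2014-01-01 to 2015-12-31, the expired Z_GL_DISPLAY record is deleted, and MJONES keeps only the open-ended 2015 assignment because the gap in December 2014 prevents a merge with the earlier, expired one.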

 

 

Tables

 

Table | Description | Why is this useful? | Further details, links, etc.
GRACREVREJUSER | UAR Rejected Users | |
GRACREJREASON | UAR Rejected Reasons | |
GRACREJREASONT | UAR Rejected Reasons Texts | |
USR02 | User Logon Data | |
GRACOWNER | Master Table for Central Owner Administration | |

 

Other tools

 

Tool | Description | Why is this useful? | Further details, links, etc.

 

 

I am really looking forward to your input to extend the listing.

 

Best regards,

Ale, Col & Madhu

SAP Process Control - Useful Documents, Blogs, Resources, etc.


This document is a collection of the most useful SAP GRC Process Control documents, blogs, resources, links, etc. here in SCN.

 

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Risk Management and Process Control 10.0 Content Starter Kits

SAP BusinessObjects GRC 10.0 Integration Guide – Access and Process Control 10.0

 

 

General opinion and thought-leadership

Are you ready to implement GRC 10?

SAP BusinessObjects Process Control 3.0 Implementation Checklist

Using RiskBusiness Content with GRC Risk Management and Process Control 10.0

SAP Business Objects Process Control 10.0 Automated Monitoring Overview

SAP BusinessObjects Process Control 3.0 Expert Guidelines, Tips, and Techniques to Successfully Implement SAP BusinessOb…

 

 

How To's

SAP BusinessObjects Process Control 3.0 and Risk Management 3.0 How to Enable Additional Survey Capabilities

SAP BusinessObjects Process Control 3.0 Reports Description

SAP BusinessObjects Process Control 3.0 How-To Choose the Best Technique for Master Data Uploads

 

 

GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

wiki.png General tips to help in troubleshooting scenarios

wiki.png Debugging tips

 

 

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

 

 

Extended Workflows

wiki.png Configuring Workflow E-mail Notification

 

 

CLM and MDUG

GRC Process Control 10.0: Content Lifecycle Management

 

 

Reports and Dashboards (RE)

wiki.png How to Customize and Enhance reports in PC and RM

 

 

Automated Monitoring (AM)

How to set up a Configurable Business Rule

SAP Business Objects Process Control 10.0 Automated Monitoring Overview

 

 

See also

SAP GRC Access Control - Useful Documents, Blogs, Resources, etc.

SAP GRC Risk Management - Useful Documents, Blogs, Resources, etc.

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.

 

 

Legend

 

document.png SAP SCN Documents
blog.png SAP SCN Blogs
wiki.png SAP Wiki

 

Please help in updating the collection so that new users can get a well structured overview for their information.

 

Best regards,

Alessandro & Fernando

SAP Risk Management - Useful Documents, Blogs, Resources, etc.


This document is a collection of the most useful SAP GRC Risk Management documents, blogs, resources, links, etc. here in SCN.

 

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Risk Management and Process Control 10.0 Content Starter Kits

Overview of SAP BusinessObjects Risk Management 10.0

 

 

General opinion and thought-leadership

Are you ready to implement GRC 10?

Using RiskBusiness Content with GRC Risk Management and Process Control 10.0

 

 

How To's

SAP BusinessObjects Process Control 3.0 and Risk Management 3.0 How to Enable Additional Survey Capabilities

SAP BusinessObjects RM 3.0 Quantitative Risk Analysis v1.0

Risk Management 3.0 Architecture Requirements

 

 

GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

wiki.png General tips to help in troubleshooting scenarios

wiki.png Debugging tips

 

 

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

 

 

Bow-Tie Risks

wiki.png Integration with Bow-Tie Builder in Risk Management 10.0

 

 

Risk Aggregation

wiki.png Risk Aggregation in RM 10.0

 

 

Integration

wiki.png RM 10.0 Integration of Activity and Process Control local Sub processes


 

See also

SAP GRC Access Control - Useful Documents, Blogs, Resources, etc.

SAP GRC Process Control - Useful Documents, Blogs, Resources, etc.

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.

 

Legend

 

document.png SAP SCN Documents
blog.png SAP SCN Blogs
wiki.png SAP Wiki

 

 

Please help in updating the collection so that new users can get a well structured overview for their information.

 

Best regards,

Alessandro & Fernando

GRC Weekly News - 01/26/2015


RELEASED NOTES AND KBAs


GRC-SAC-ARA

   2119685  Add multiple client support for data load for Role Search

   2104079  While copying a role  in role mitigation, the role name which contains ampers

   2113066  Role level Risk Analysis not working for input with '*' in them

   2116308  CX_SY_CONVERSION_OVERFLOW error while running role simulation with include user

   2117916  Incorrect status in Access rule detail report

   2120491  Text incorrect for a check box in the Risk Analysis simulation screen

   2120686  T-Code search is slow while opening a function

   2121438  GRAC_DELETE_REPORT_SPOOL doesn't delete all data

   2121521  Mitigation on Business Role Level does not work

   2122162  Analysis Criteria section does not collapse


GRC-SAC-ARQ

   1168508  Compliant User Provisioning 5.3 Support Package (VIRAE)

   1907636  UAM: Distribution list as role onwer was not supported in UAR jobs.

   1976652  Repository sync job is deleting business role assignment data

   2056973  UAM: Incorrect provisioning action is displayed when roles are selected from existing assignments

   2068412  UAM: Approval action not working correctly for mapped role

   2096567  UAM: UAR request are displaying indirectly assigned derived roles and incorrect

   2108896  UAM: Role range in role import is not considered

   2110815  Copy multiuser request not working correctly in case of multiuser request

   2118201  UAM: Re-login required when clicking role name from existing assignments

   2119463  UAM: 'Add comment' hyperlink not available during request approval

   2119407  UAM: Incorrect validity dates when business role is added in the simplified access request

   2120231  UAM: Submission notification variable not filled correctly for business role

   2120438  UAM: Dump while adding business role to access request

   2121176  UAM: User group not provisioned while creating/changing user in CUA

   2122128  User Defaults error: "Entry ALL does not exist in GRFNCCICONNECTOR (check entry)"

   2122132  HR Trigger error "Roles not present in request. No request can be created."

   2122134  MSMP Notification Agent of type "PFCG User groups"

   2122147  Approval error: "Line item comments are mandatory for rejection for assignment"

   2122152  SAP Enterprise Portal SSO does not work for the GRC notification variable links


GRC-SAC-BRM

   1897889  Job Status empty after deleting the role in background.

   1971192  "Role Search” is not consistent with role search in “Roles by Owners and Approver" report

   1987973  The “List of Approvers” check box is not enabled

   2031203  Option to add org value map name is not available in naming convention for derived roles and Enhancement implementation is not called

   2045102  Description for single role is empty when import is manually

   2045597  Role Comparison is Incorrect on Actions for Roles with no transactions

   2050347  Role Comparison - role and landscape link work incorrect

   2100042  Critical Roles/Profiles create in ZH can't be display in EN

   2103555  Useless spaces in authorization Error message in role search

   2109444  Language not considered while fetching role description during role import.

   2115671  AC10.1 SP04: GRAC_ROLED object check issues

   2117294  AC10.1 - Poor performance of Repository Sync

   2117340  Default role import not working

   2118711  GRACUSERROLE table not getting updated

   2120396  Unable to import Non PFCG role


GRC-SAC-EAM

   1902228  Irrelevant GRC TCodes are showing in transaction logs

   1962440  GRC EAM - Change Log Collection Performance Enhancement

   1988760  Remote login is happing with FFID without using Fire Fighter application

   2015290  FFuser and controller canont be same person via Emergency access request

   2026907  Invalid Super user report Inconsistency

   2118517  Firefighter ID description is coming blank in access request

   2119915  GRC 10.1 EAM: Add button on firefighter assignment screen in inactive

   2118517  Firefighter ID description is coming blank in access request

   2122027  How to identify the workflow generated for a given FFID session?


GRC-SAC-UAR

   2090183  UAM: Incorrect request type action display in template based request

   2103580  UAM: Multiple UAR request generate UAR role rejection for single request


GRC-SAC-UPG

   1731987  GRCPINW V1000_731 Install/Delta Upg/SP on SAP_BASIS 731


GRC-SAC-WF

   2009630  UAM: Company attribute is not available in BRF rule structure for Role Approval


GRC-FRA             

   2118928  Collective Note Error Corrections for DU SAPFRA_CM_FND Fraud Management 1.1 SP05

   2119471  Using HANA Rules Framework Support Package 2 in Fraud Management SP5

   2118244  Performance Improvement for Claim Facet UI

   2120209  Network Analysis Doesn't Show Navigation Targets

   2121072  SAVE in Decision Facet of the alert details is not working

 

GRC-SPC-AC

   1869786  Currency Conversion not working for BRF+ in AMF

   1902686  Conversion routine does not work in Programmed rules

   1917806  Value for column comes blank for change log check scenario

   1930781  Adhoc query on table TSTC does not return results in data source

   1972490  Currency field value is not displayed correctly in Adhoc query

   2048491  Exception List is not editable for Multiple Deficiency

   2096980  Unreserve the work item for process control work items


GRC-SPC-AD

   2120661  Policy attachment is not attached to the PDF survey in the correct form


GRC-SPC-AP

   1948002  PC task gets reserved on Approver Delegation to an AC user


GRC-SPC-IU

   1912569  Problem in upgrade at step GRPC_30_2010_UPG_P1_LOCAL_CHG


GRC-SPC-MD

   1914305  Multi Language support issues

   1923467  Duplicated issues on Issue Status Report

   2025068  GRPC_PSTEP_SYNCHRONIZE creates delinkage of objects at local level

   2032790  Frequency is not updated when control type is changed to Event based

   2120592  The replacement functionality dumps for some users

   2119204  Valid From date of Sub Process with respect to the Timeframe selected.


GRC-SPC-MT

   2121735  Custom Defined Field is not enabled when Remediation Plan is editable


GRC-SPC-PR

   2112810  Copy function of ad hoc issue management does not work


GRC-SPC-RE

   2010446  Control Test of effectiveness Dashboard report does not show complete data

   2083218  Column Owner displays only one user

   2109409  How to debug the reporting engine for Process Control and Risk Management

    2113340  Dump when searching for Organization unit in Policy Profile


GRC-SPC-SA

   1777657  Policy survey result report shows time in UTC

   1897216  Remediation Plan populated the incorrect user

   2031859  Sorting does not work as expected after filter is used in Planner

   2070990  Applog handling for OWP inbound processing

   2119746  Error in Sending Surveys due to invalid E-mail address of recipient

   2120558  Checkman error SP09

   2121796  This note must be implemented to avoid a delta in the 'Role Assignment' correction

 

GRC-SPC-SC

   2065101  Organization maintenance is not possible for the user with ability to do subprocess assignment

    2119901  Authorization check on Plan Activity field in Planner Monitor


GRC-RM              

   1657668  Checkman error in migration tool

   2109176  Authorization check for analysis create displays description instead of the name of the risk

   2118237  New IMG entry - Activate Work Inbox Task Grouping

   2120642  Popup window with error when deleting loss event

   2120510  Reporting: Duplicated results for non-power user in LEM hierarchical reports

   2119756  Checkman

   2120121  Reporting: Authorization check improvement

   2113131  Interface Note for Enhanced Risk Graphic View

   2120552  Risk change history - underlying risks

   2120819  Risk change history - attachments and links

 

RELATED INFORMATION


   2094723 - Consolidated Note for SAP Access Control 10.0 Master Note

   2096196 - Consolidated Note for SAP Access Control 10.1 Master Note

   2104086 - Consolidated Note for Process Control 10.0 Master Data

   2105791 - Consolidated Note for Process Control 10.1 Master Data

SAP Process Control 10.0


SAP BusinessObjects Process Control is an enterprise software solution for compliance and policy management. The compliance management capabilities enable organizations to manage and monitor their internal control environment. This provides the ability to proactively remediate any identified issues, and then certify and report on the overall state of the corresponding compliance activities. The policy management capabilities support the management of the overall policy lifecycle, including the distribution and attestation of policies by target groups. These combined capabilities help reduce the cost of compliance and improve management transparency and confidence in overall compliance management processes.
Please also see:

 

 

Getting Started

GRC 10.0 - Pre-Installation  

This document will give readers an initial understanding of the GRC 10.0 technical requirements, architecture and documentation prior to the GRC 10.0 installation especially for IT, SAP Basis and technology audience.

 

GRC 10.0 - Post-Installation 

This document covers the basic steps required for the post-installation of GRC in general, before performing the solution specific (e.g. AC, PC or RM) post-installation tasks.

 

More on SAP BusinessObjects GRC Process Control

SAP Business Objects Process Control 10.0 Automated Monitoring Overview  

Automated monitoring of business process controls is a key feature of SAP Business Objects Process Control (PC) 10.0, and a fast-evolving feature category in the market. This document presents an overview of the monitoring features of PC 10.0, which will help put more detailed user guides in context.

 

GRC Process Control 10.0: Content Lifecycle Management  

This document describes configuration and use of Content Lifecycle Management (CLM) for SAP GRC Process Control (PC) 10.0 release. The document includes a Frequently Asked Questions section covering discussion topics which have come up during presentations to partners and customers. CLM use for PC has strong resemblances to its use for other GRC products such as Access Control (AC) 10.0, Risk Management (RM) 10.0 and Global Trade Services (GTS) 10.0, although some of the details differ.


SAP Risk Management


The SAP Risk Management application provides risk-adjusted management of enterprise performance that empowers an organization to optimize efficiency, increase effectiveness, and maximize visibility across risk initiatives.

 

Key features of the application include

  • Organizational alignment towards top risks, associated thresholds, and risk appetite
  • Qualitative and quantitative analysis
  • Identification of key risks across the enterprise
  • Resolution/remediation strategies for risks
  • Proactive monitoring into existing business processes and strategies
  • Automated key risk indicator monitoring combined with automated workflow that allows risk owners to initiate strategy modifications when risks change
  • Alignment of key risk and performance indicators across all business functions permitting earlier risk identification and dynamic risk mitigation
  • Cross-system integration delivering an enterprise-wide view and transparency into risk exposure and strategy execution

 

Please also see: SAP BusinessObjects Process Control 3.0 and Risk Management 3.0 Articles and SAP BusinessObjects Process Control 3.0.


Risk Management 3.0 Architecture Requirements

Learn here about the Risk Management 3.0 Architecture Requirements

 

Risk Management 3.0 - Security Concepts

This presentation is intended for use by Technical Consultants, Solution Consultants and System Administrators. Its purpose is to give a general overview of the various roles in the front-end, the backend and the application, showing how they interact with each other to enable employees to perform their daily duties and to provide security for the Risk Management application.

 

SAP BusinessObjects Risk Management 3.0 Key Risk Indicators

This document will guide the user through configuration of RM 3.0

 

SAP BusinessObjects Risk Management 3.0 Master Data Setup

The Accelerator will assist in configuring RM 3.0's Master Data Setup section.

 

SAP BusinessObjects Risk Management 3.0 Response and Enhancement Plan

This document will guide the user through configuration of RM 3.0

 

SAP BusinessObjects Risk Management 3.0 Risk and Opportunity Analysis

This document will guide the user through configuration of RM 3.0

 

SAP BusinessObjects Risk Management 3.0 Risk and Opportunity Attributes

This document will guide the user through configuring the RM 3.0 system.

 

SAP BusinessObjects RM 3.0 Incident Loss Database

The following IMG activities are covered in this presentation: Maintain Number Range for Incidents, Maintain Incident and Loss Attributes, Assign Incident/Loss Attributes to Organizational Unit.

 

SAP BusinessObjects RM 3.0 Business BluePrint Template v1.0

Excel template providing guidance and organization on blueprint RM 3.0 configuration requirements.

 

SAP BusinessObjects RM 3.0 Quantitative Risk Analysis v1.0.pdf

This presentation is intended to explain the quantitative calculations performed when analyzing risks in RM 3.0.

SAP Access Control 10.0


A fragmented, reactive approach to managing access risk isn't just inefficient and costly - it's bad for business. The SAP Access Control application can enable your business to confidently manage and reduce access risk across the enterprise by helping you prevent unauthorized access and achieve real-time visibility into access risk.


To learn more about SAP GRC solutions, please visit our product page, or go to the GRC area of BPX. We also invite you to learn more about SAP GRC Access Control 5.3.

 

 

Getting Started

GRC 10.0 Pre-Installation 
The presentation explains the new architecture and the necessary prerequisites for a successful installation of SAP GRC 10.0 and guides the reader through the installation procedure of the software.

 

GRC 10.0 Post-Installation 
The presentation explains the necessary post-installation steps in SAP GRC 10.0.

 

AC 10.0 Post-Installation  
The presentation covers the basic steps required for setting up SAP Access Control 10.0. For setting up specific functionality please refer to corresponding pre-implementation guide.

 

AC 10.0 - Installation Checklist 
This guide provides a checklist for your installation activities for the SAP Access Control 10.0 application.

 

Access Risk Analysis

AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis
This document allows implementation consultants and administrators to set up the required functionality for running a user level risk analysis after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Access Risk Analysis component; rather, it allows testing that the application is working properly by setting up a basic test case.

 

AC 10.0 - Enhanced Access Risk Analysis  
This document describes the major enhancements to the access risk analysis capability of GRC, including end user customization and personalization. It covers how to navigate through the different reports, and also new functionality such as bulk maintenance, automation, audit trail, and mitigation options.

 

Emergency Access

AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access 
This document allows implementation consultants and administrators to set up the required functionality for running an emergency access (firefighter) session after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Emergency Access Management component; rather, it allows testing that the application is working properly by setting up a basic test case.

 

AC 10.0 - Centralized Emergency Access 
This document is a detailed guide on the emergency access capability of Access Control 10.0. It explains the basic concepts of emergency access and provides details on how to configure the application. This document also includes additional information on the types of logs available for monitoring emergency accesses.

 

Business Role Management

AC 10.0 Pre-Implementation From Post-Installation to First Role Creation  
This document allows implementation consultants and administrators to set up the required functionality for creating a single role in AC after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Business Role Management component; rather, it allows testing that the application is working properly by setting up a basic test case.

 

AC 10.0 - Business Role Management 
This document allows implementation consultants and administrators to set up the required functionality for creating roles in AC after the post-installation has been finished. This guide provides the configuration steps for setting up Business Role Management.

 

Access Request Management

AC 10.0 Pre-Implementation From Post-Installation to First Access Request 
This document allows implementation consultants and administrators to set up the required functionality for creating an access request after the post-installation has been finished. Please note that Role Management must be configured before role assignments can be requested. This is by no means a comprehensive guide for setting up MSMP workflows; rather, it allows testing that the application is working properly by setting up a basic test case.

 

AC 10.0 - Customizing Workflows for Access Management
This document allows implementation consultants and administrators to set up the required functionality for enabling the workflow engine in AC 10.0. You will learn the main components of the new workflow engine and how to customize them, and also how to create agents and initiators using Function Modules and BRFplus.

 

AC 10.0 - How to Customize Notification Templates for AC Workflow  
This how-to-guide explains how to set up the SAPconnect communication interface in your application server in order to send out email notifications triggered by workflow events in Access Control 10.0. This guide provides a comprehensive overview of workflow events that can trigger email notifications and notification variables used to populate the message bodies with information that is specific to each request. The guide also explains how the pre-delivered message bodies can be replaced by custom messages as well as how email reminders are set up.

 

AC 10.0 - Managing Custom Fields for Access & Role Management 
This document explains how to set up the required functionality for adding custom fields to access requests and roles maintained in GRC 10.0.

 

AC 10.0 - End User Personalization  
This how-to-guide explains the End User Personalization concept in Access Control 10.0 and the technical configuration to attain that functionality.

 

AC 10.0 - Performing Segregation of Duties Review 
This how-to-guide explains the Segregation of Duties Review concept and the technical configuration to attain that functionality.

 

Integration with Other Applications

 

GRC 10.0 Integration Guide:

Access Control 10.0 and NetWeaver Identity Management

SAP Access Control 10.0 Interface for Identity Management
These documents cover all the new web services for Access Control 10.0 and integration scenarios with IDM solutions. The main foundation for this integration is based on NetWeaver Identity Management 7.2.

 

SAP BusinessObjects GRC 10.0 Integration Guide - Access and Process Control 10.0 

With the release of GRC 10.0, Access Control and Process Control are offered as an integrated solution, both at the data layer and at the user interface layer. This new unified platform enables increased harmonization of key master data. Organization, process and control structures can now be shared across components of Access Control and Process Control, which supports a more integrated approach to governance, risk, and compliance. Access risks identified in Access Control can be mitigated using controls managed by Process Control, as an example. This document details methods for harmonizing data across Access Control and Process Control.

 

Access Control 5.3

SAP GRC Access Control 5.3  
SAP GRC Solutions for Access Control handle sustainable prevention of segregation-of-duties (SoD) violations.

BRM Role Methodology via Condition Groups


This document has been written to explain how you can customise the ROLE METHODOLOGY steps depending on role criteria. The configuration requires a BRF+ rule that uses CND_GRP (condition group) as the rule result.

 

Please note that this is not the same as Condition Group Mappings for Default Approvers (specified via NWBC screens). If you are interested in the condition group mappings for default approvers then click here: BRM Default Approvers via Condition Groups

 

What’s it all about?


Business Role Management makes use of the role maintenance process steps known as the Role Methodology. You have two options with configuring Role Methodology:

  • Default only - every role will have the same set of methodology steps. You can alter the default in IMG, however the steps apply to all roles. The default methodology steps are also the ones loaded when you first choose to create a new role.
  • Custom BRF+ - configure use of condition groups and map different role methodologies depending on the role criteria. This provides great flexibility to have different steps depending on role information; require approval for some and not others; and a different sequence of steps.

 

Why isn’t the default enough?


This all comes back to your BRM design (funny that). If you have business rules that determine different scenarios for roles then you will want a set of steps to match them. For example, you might decide the Process Owner (i.e. Role Content Owner) does not need to approve Derived Roles, so you don't need an approval step. You might have decided Business Roles don't need Test Documentation (random example here). You might even decide you'd rather have a different sequence of steps depending on the role (i.e. approve the role before making a change).

 

Put simply, default methodology is inflexible and may not match your business process for role management. Configuring multiple methodologies allows you to match process to steps in the system.


 

Just a few lessons learned before we hit the configuration


From configuring this functionality and also responding to questions on SCN, there are a few lessons learned I thought I'd share relating to this topic.

 

Why do some roles miss some role methodology steps?


Okay, I'm going to contradict what I said above. The default methodology is meant to apply the same steps to all roles regardless of role criteria. However, the GRC component has an additional mapping table in the back-end that determines which methodology steps apply to the specific role. For example, a business role is a non-technical role and therefore would never require a step to "Maintain Authorisations". As a result, if you were to add "Maintain Authorisations" as a step in a Role Methodology that applies to business roles, it still will not appear in your NWBC screens.


 

When is the role methodology going to take place?


When you build a role for the first time, the role methodology is not calculated until after you press save on the DEFINE ROLE stage. Only the attributes related to the definition phase can be used as the criteria for the role methodology. Initially, the default methodology will appear; on save of the Define Role stage a "recalculation" of the methodology occurs.


The Role Methodology is not determined until:

  • Create New Role > After the Role Definition is saved (default methodology will load)
  • Maintain Role > On open the methodology will load (possibly you may need to Reapply Methodology if the configuration has changed)
  • Reapply Methodology – it will check if layout needs to change and adjust accordingly


 

My approach has been to include one step for the default methodology - Define only. This removes all other steps from the user. When they press save, the role is evaluated and the process steps are calculated and added to the NWBC screen to continue role maintenance. My thinking was that this makes it clear to the user that the steps will be defined once they specify the role attributes.


 

What does this mean in the NWBC?


The Default Role Methodology (box selected in Define Methodology Processes and Steps in IMG) will load when a new role is created, regardless of role type (as per screen shot below).

 

1 nwbc default.png


On completing and saving the Define Role > Details information, the BRFplus rule is executed and the methodology is updated. The GRACROLE table stores the methodology for the role and the step it is up to.


2 NWBC methodology.png


If changes are made to the role methodology configuration, the administrator can choose to "Re-Apply". The Role Definition in the GRACROLE table is re-evaluated and, if it does not match the stored methodology, the methodology will reset.

 


Summary of Steps to configure Methodology


This section does not capture the Business Role Management configuration steps for other aspects of BRM (such as role type, project, etc). This is a high level overview of the steps, intended to show you how the configuration comes together. It is not meant to act as step by step instructions.

 

  1. Activate BC Set GRAC_ROLE_MGMT_METHODOLOGY
  2. BRFplus Function for METHODOLOGY
  3. Assign Condition Groups to BRFplus Functions
  4. Define Methodology Processes and Steps
  5. Associate Methodology Process to Condition Group

 

[1] Activate BC Set GRAC_ROLE_MGMT_METHODOLOGY


Activating this BC Set populates the baseline configuration data for role types, steps, etc. Regardless of your design, it is best to activate this BC Set and then make the necessary configuration changes.

 

 

[2] BRFplus Function for METHODOLOGY


The IMG provides a step to automate creation of the BRF+ rule by creating the application, function and decision table structure.


Transaction: GRAC_GEN_ERM_BRFRULE

Program: GRAC_GENERATE_ERM_BRFRULE

IMG Navigation: Governance, Risk and Compliance > Access Control > Role Management > Generate BRFPlus Applications, Approvers, and Methodology Functions


3 Generate BRFPlus.png


Once the program has created the BRF+ function and decision table, you can maintain the decision table. In it, you will need CND_GRP as your output. Create a rule for each different role scenario you need to handle.


4 Decision Table for CND_GRP.png


The column GRAC_CNGP is the return result. These values must match the Condition Group Id in Associate Methodology Process to Condition Group.

 


[3] Assign Condition Groups to BRFplus Functions


IMG Navigation: Governance, Risk and Compliance > Access Control > Role Management > Assign Condition Groups to BRFPlus Functions

 

Within the IMG you need to tell GRC which BRF+ function to execute when Methodology is evaluated. Again, Condition Group is used, but it is not the same as the CND_GRP that you mapped out in the previous step. You only need to create one entry for METHODOLOGY and map it to the Application/Function that you created. Unlike in MSMP, you do not enter the Application or Function IDs (the alphanumeric IDs).

 

If this step is not completed, then BRM will only use default methodology.


5 Condition Group Type for Methodology.png


From a background table point of view, the GRACCNDGPTYPE contains technical information used to build/evaluate the Methodology rule.


6 GRACCNDGPTYPE table.png

 

 

[4] Define Methodology Processes and Steps


In this step you build each methodology scenario. For each scenario, you then define the necessary steps, including their sequence. The step definitions come as part of the BC Set; there should be no need to update this configuration unless you need to add the elusive Provisioning step.


7 define methodology process.png


[5] Associate Methodology Process to Condition Group


IMG Navigation: Governance, Risk and Compliance > Access Control > Role Management > Associate Methodology Process to Condition Group

 

In this step of the configuration, you map the BRFPlus results for Condition Group (CND_GRP) to the methodologies you just configured. You are able to map multiple condition group outputs to the same methodology process.


8 cnd to meth mapping.png
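To show how the five configuration steps fit together at run time, here is a small Python model of the methodology determination. It is an added example written for this page, not SAP's code or the author's; the methodology, step and condition group ids, the decision-table rows and the role-type step filter are hypothetical stand-ins for what lives in the IMG and the BC set. It covers the three behaviours described above: the default methodology loads until Define Role is saved, an unmapped or absent CND_GRP (or a missing step [3] function assignment) falls back to the default, and Re-Apply resets the role when the stored methodology no longer matches.

```python
"""Model of how BRM derives a role's methodology from the CND_GRP returned by BRF+.

Added example; not SAP code. Methodology ids, step ids, condition groups and the
decision-table rows below are hypothetical stand-ins for IMG configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_METHODOLOGY = "DEFAULT"

# [4] Define Methodology Processes and Steps: methodology -> ordered steps (hypothetical)
METHODOLOGIES: Dict[str, List[str]] = {
    "DEFAULT": ["DEFINE"],  # define-only default, so steps appear only after the role is evaluated
    "METH_SINGLE": ["DEFINE", "MAINTAIN_AUTH", "RISK_ANALYSIS", "APPROVAL", "GENERATE"],
    "METH_DERIVED": ["DEFINE", "MAINTAIN_AUTH", "RISK_ANALYSIS", "GENERATE"],  # no approval step
    "METH_BUSINESS": ["DEFINE", "MAINTAIN_AUTH", "APPROVAL", "RISK_ANALYSIS"],
}

# [5] Associate Methodology Process to Condition Group (GRACCNDGPMTH): CND_GRP -> methodology
CND_GRP_TO_METHODOLOGY: Dict[str, str] = {
    "CG_SINGLE": "METH_SINGLE",
    "CG_DERIVED": "METH_DERIVED",
    "CG_BUSINESS": "METH_BUSINESS",
}

# Back-end step/role-type mapping: a business role is non-technical, so authorisation
# maintenance is dropped from its methodology even when it is configured.
STEPS_BLOCKED_BY_ROLE_TYPE: Dict[str, set] = {"BUS": {"MAINTAIN_AUTH"}}

# [2] BRF+ decision table (hypothetical rows). Conditions are matched against Define Role
# attributes; rows are evaluated top-down and the first match wins. {} would be a wildcard row.
DECISION_TABLE: List[Tuple[Dict[str, str], str]] = [
    ({"role_type": "DER"}, "CG_DERIVED"),
    ({"role_type": "BUS"}, "CG_BUSINESS"),
    ({"role_type": "SIN", "landscape": "HR"}, "CG_SINGLE_HR"),  # returned but mapped nowhere
    ({"role_type": "SIN"}, "CG_SINGLE"),
]


def evaluate_decision_table(attrs: Dict[str, str]) -> Optional[str]:
    """Return the CND_GRP of the first matching row, or None if no row matches."""
    for conditions, cnd_grp in DECISION_TABLE:
        if all(attrs.get(key) == value for key, value in conditions.items()):
            return cnd_grp
    return None


def determine_methodology(attrs: Dict[str, str], function_assigned: bool = True) -> Tuple[str, List[str]]:
    """Resolve (methodology id, visible steps) for a role.

    function_assigned=False models skipping step [3] (no BRF+ function assigned to the
    METHODOLOGY condition group type): BRF+ is never called and only the default applies.
    A CND_GRP that BRF+ returns but that is not mapped in step [5] also falls back to default.
    """
    methodology = DEFAULT_METHODOLOGY
    if function_assigned:
        cnd_grp = evaluate_decision_table(attrs)
        methodology = CND_GRP_TO_METHODOLOGY.get(cnd_grp, DEFAULT_METHODOLOGY)
    blocked = STEPS_BLOCKED_BY_ROLE_TYPE.get(attrs.get("role_type", ""), set())
    steps = [step for step in METHODOLOGIES[methodology] if step not in blocked]
    return methodology, steps


@dataclass
class RoleState:
    """What GRACROLE keeps for a role: its methodology and the step it is up to."""
    attrs: Dict[str, str]
    methodology: str = DEFAULT_METHODOLOGY
    steps: List[str] = field(default_factory=lambda: list(METHODOLOGIES[DEFAULT_METHODOLOGY]))
    current_step: int = 0  # index into steps


def save_define_role(state: RoleState) -> RoleState:
    """Save of the Define Role stage: BRF+ runs for the first time and the result is stored."""
    state.methodology, state.steps = determine_methodology(state.attrs)
    state.current_step = 1 if len(state.steps) > 1 else 0  # Define is done; move to the next step
    return state


def reapply_methodology(state: RoleState) -> bool:
    """Re-Apply: recompute from the stored definition; reset to the first step if it changed."""
    methodology, steps = determine_methodology(state.attrs)
    if (methodology, steps) == (state.methodology, state.steps):
        return False
    state.methodology, state.steps, state.current_step = methodology, steps, 0
    return True


if __name__ == "__main__":
    role = save_define_role(RoleState({"role_type": "SIN", "landscape": "ERP"}))
    print(role.methodology, role.steps, "now at:", role.steps[role.current_step])
    role.attrs["role_type"] = "DER"  # definition changed after the fact
    print("reset:", reapply_methodology(role), role.methodology, role.steps)
```

The third decision-table row is the trap worth checking in a real system: BRF+ returns a condition group, the rule trace looks healthy, yet the role silently gets the default methodology because nobody mapped that CND_GRP in step [5]. Whenever a new row is added to the decision table, confirm its result value exists in the Associate Methodology Process to Condition Group entries.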


Useful Tables

Table            Description/Comments
GRACCNDGPTYPE    GRC ERM Condition Group Type
GRACCNDGPTYPET   GRC ERM Condition Group Type Text
GRACCNDGPTPBRF   Condition group type to BRF+ function assignment
GRACCNDGPMTH     Condition Group to Method
GRACMTH          Method

 

 

Happy role building with Access Controls

 

 

Regards

Colleen



P.S I would love to hear your thoughts on designing the role methodology configuration and lessons learned.

ABAP dump on program CL_POWL_UI_HELPER


Hi All,

 

This document discusses an OBJECTS_OBJREF_NOT_ASSIGNED dump we encountered on our GRC system (GRC 10).

We had a scenario where certain users were unable to display or process their GRC requests from the browser: they received HTTP 500 - Internal Server Error (Screen 1) in the browser and an OBJECTS_OBJREF_NOT_ASSIGNED dump in the GRC system (ABAP stack).

Our security team investigated this for missing authorizations and also deleted and recreated the user, but the users still had the issue.


Screen 1 : Error user received

GRC error.jpg

Screen 2 : ABAP dump on GRC system

ABAPerror.jpg

Dump : OBJECTS_OBJREF_NOT_ASSIGNED

Runtime Errors OBJECTS_OBJREF_NOT_ASSIGNED

Exception: CX_SY_REF_IS_INITIAL

ABAP Program CL_POWL_UI_HELPER=============CP

Application Component CA-GTF-SGF-POW



Reason for dump:

     On further investigation we found that the dump was caused by old queries cached for that particular user ID that had become corrupted. When the user opened a GRC session, the system executed these corrupted queries and dumped. Because the queries are stored at database level against the user name, deleting and recreating the user ID does not help in this case.


Resolution :

     We ran report POWL_D01 to fix this issue. This report clears the POWL cache for the selected users by deleting all of their old queries.

This report lets you enter the affected user IDs (multiple selection is available), and you can run it in display mode first to view the current queries.


Screen 3 : POWL_D01 selection screen

POWL_D01.png

The 'DISPLAY' check box lets you view the queries before deleting them; remember to untick it to actually clear the user cache.


Screen 4 : Report output on deleting the user cache

results.png


Result :

     User will be able to run new queries from browser without any dumps.



References :

  • If you are interested in knowing more about POWL (Personal Object Worklist) reports, please go through the link below

http://wiki.scn.sap.com/wiki/display/WDABAP/POWL+Reports

 

  • FAQ on POWL

http://wiki.scn.sap.com/wiki/display/WDABAP/FAQ+ABOUT+POWL

 

 

 

Please comment and let me know if you have faced similar errors and resolution details.

Direct vs. Indirect Role Assignment


This document elaborates the differences of the direct vs. indirect role assignments in SAP Access Control. Each scenario has its pros and cons and can be used dedicated or also in combination.

 

 

Direct Role Assignment

Authorization roles (and profiles) are directly assigned to the User Master Records via SU01/PFCG, Access Request Management (ARM) or adequate tools like SAP IdM.

 

direct.png

 

What are the pros?

  • Flexible - different authorizations can be assigned to end users even though they hold the same position
  • Widely used - best practice (fully supported by SAP Access Control)
  • Access Risk Analysis (ARA) is performed on user level, and remediation is done on user level as well
  • HR user master is not required (only an SAP user account)

 

What are the cons?

  • Historical assignments often remain undetected and result in excessive authorization
  • The same authorization must be given individually even though end users have the same job role
  • Roles / profiles must be requested and assigned manually

 

 

Indirect Role Assignment

Authorization roles (and profiles) are attached to positions or other objects in the organization structure. The end user gains the access rights based on his assignment to the position in the organization management.

 

indirekt.png

 

What are the pros?

  • Same authorization for everyone who is assigned to the same position
  • Authorization gets removed automatically if a person moves around the organisation (can be further configured in SAP Access Control so that an old assignment remains for X days/weeks/months)
  • New authorization gets added automatically if a person moves around the organisation
  • Newly hired people will get authorization automatically when they start their work
  • Less effort for administrators to initiate and manage access requests

 

What are the cons?

  • Inflexibility - everyone assigned to a position gets the same authorization (differing authorization needs to be assigned separately)
  • Each SAP user needs to have a personnel record in HR that is assigned to a position
  • The SAP user needs to be mapped to the personnel record in HR (infotype 0105 (Communication), subtype 0001 (SAP User))
  • Changes in organisational management will have an impact on end user access
  • Additional training for administrators and approvers
  • Access Risk Analysis (ARA) only works on user level, whereas remediation is done on position level

 

 

Basically both scenarios can be used together depending on your business scenario. Combining them (direct and indirect assignment) means that basic authorization is assigned indirectly via the position and additional authorization is assigned directly to the user account.
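As an added example (not from this document or from SAP), the following Python reconciles direct and indirect assignments for a small constructed org structure. It computes the effective roles that a user-level risk analysis would see, keeps the previous position's roles for a retention window after a move (the configurable retention mentioned above; the 30-day value is an assumption), flags direct assignments that merely duplicate position-derived ones, and lists users without the infotype 0105 / subtype 0001 link that indirect assignment requires. Role and position names, users and dates are made up.

```python
"""Effective authorisations from direct and indirect (position-based) role assignment.

Added example, not from the document or from SAP. Org data, user records and the
retention window below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Retention of the old position's roles after a move. Assumed to be a configurable setting;
# the 30-day value here is an illustration, not a product default.
RETENTION_DAYS = 30

# Org management: position -> roles attached to it (constructed sample)
POSITION_ROLES: Dict[str, Set[str]] = {
    "P_AP_CLERK": {"Z_AP_INVOICE_ENTRY", "Z_FI_DISPLAY"},
    "P_AP_LEAD": {"Z_AP_PAYMENT_RUN", "Z_AP_INVOICE_APPROVE", "Z_FI_DISPLAY"},
}


@dataclass
class Employee:
    """HR personnel record with the current position and, after a move, the previous one."""
    pernr: str
    position: str
    position_since: date
    previous_position: Optional[str] = None


@dataclass
class User:
    """SAP user master record; pernr is the infotype 0105 / subtype 0001 link (None = unlinked)."""
    user_id: str
    direct_roles: Set[str] = field(default_factory=set)
    pernr: Optional[str] = None


# Constructed sample data
EMPLOYEES: Dict[str, Employee] = {
    "00001001": Employee("00001001", "P_AP_LEAD", date(2015, 2, 20), previous_position="P_AP_CLERK"),
    "00001002": Employee("00001002", "P_AP_CLERK", date(2014, 6, 1)),
}
USERS: Dict[str, User] = {
    "JSMITH": User("JSMITH", {"Z_FI_DISPLAY", "Z_MM_DISPLAY"}, pernr="00001001"),  # moved clerk -> lead
    "AWONG": User("AWONG", {"Z_AP_INVOICE_ENTRY"}, pernr="00001002"),           # direct duplicates position
    "SVC_BATCH": User("SVC_BATCH", {"Z_BATCH_ADMIN"}),                          # no personnel record
}


def indirect_roles(user: User, on: date) -> Set[str]:
    """Roles delivered via the user's position. Empty if the user has no usable HR link."""
    emp = EMPLOYEES.get(user.pernr) if user.pernr else None
    if emp is None:
        return set()
    roles = set(POSITION_ROLES.get(emp.position, set()))
    # The old position's roles linger for the retention window after a move
    if emp.previous_position and on - emp.position_since <= timedelta(days=RETENTION_DAYS):
        roles |= POSITION_ROLES.get(emp.previous_position, set())
    return roles


def effective_roles(user: User, on: date) -> Set[str]:
    """Union of direct and indirect assignments: what a user-level risk analysis evaluates."""
    return set(user.direct_roles) | indirect_roles(user, on)


def redundant_direct_roles(user: User, on: date) -> Set[str]:
    """Direct assignments already covered by the position: the typical shape of a
    historical assignment left behind by direct provisioning, and a clean-up candidate."""
    return set(user.direct_roles) & indirect_roles(user, on)


def unlinked_users(users: Dict[str, User]) -> List[str]:
    """Users that cannot receive indirect assignments because the 0105/0001 link is missing."""
    return sorted(u.user_id for u in users.values() if not u.pernr or u.pernr not in EMPLOYEES)


if __name__ == "__main__":
    today = date(2015, 3, 1)
    for uid, u in USERS.items():
        print(uid, sorted(effective_roles(u, today)), "redundant:", sorted(redundant_direct_roles(u, today)))
    print("no HR link:", unlinked_users(USERS))
```

Note what the retention window does to JSMITH: for 30 days after the move the user holds the clerk's invoice entry role together with the lead's approval and payment roles. That overlap is exactly the period in which the user-level risk analysis has to run, because remediation on position level will not see it.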

 

I am looking forward to your input and also experience with setting up the scenarios in complex environments.

 

Best regards,

Alessandro

GRC Document Collaboration Topics


Hi All

 

If you are wondering what this document is all about then please refer to: Community Collaboration for GRC Blogs and Documents - you will find an overview of what this community collaboration is about and the rules on how you can contribute. You are still encouraged to write your own blogs and documents without participating in this process (it would be nice if you could update this document to let the community know you are working on something).

 

You are also welcome to be both the person who suggests the topic and the author. This can advertise you are working on the topic and hold yourself accountable to a deadline that the community is aware of.

 

 

Remember: add a row below the 3rd row of the table to include your suggestion. Please do not change the first three heading rows, as they indicate the title and a short summary of the content below. When including your name, please include your SCN profile as a hyperlink (easiest way: open your Profile in a new browser tab and copy the URL).

 

 

Step 1: Requester to complete | Step 2: Author to complete | Step 3: Optional (collaborator to complete) | Step 4: Author to publish | Moderator and Coordinator override

Date Suggested | Suggested By | Document Type | Idea | Author | Date Due | Assistance? | Name | Link to item | Moderator and reason for rejection

DD/MM/YYYY | Your SCN profile URL | blog or document | Title or topic idea | Your SCN profile URL | DD/MM/YYYY | Do you want any assistance? If yes, summarise (input, review, etc.) | Your SCN profile URL | SCN document or blog link | Moderators or Coordinators to advise if topic is not appropriate

27/08/2014 | Alessandro Banzer / Colleen Lee | Document | Analysis of the SAP delivered rule-set - do you accept it as it is? Do you build your own, or do you do something in between? | | | | | |

13/09/2014 | Colleen Lee | Document | Business Role Management - overview and use of the methodology customisation | | | | | |

13/09/2014 | Colleen Lee | Blog | Business Role Manager - What are the benefits and issues with using BRM and integrating with ARA and ARQ? | | | | | |

02/10/2014 | S A | Document | PSS - Best practices, pitfalls to avoid and things to consider while enabling PSS | Colleen Lee | 12/10/2014 | Reviewed by S.A, Alessandro & Gretchen | | Design Considerations to reduce Password Self Service (PSS) Intruder Risk | Approved

02/10/2014 | Colleen Lee | Blog | BRM - discussion of the use of profile generation to distribute roles to different systems vs system transports | Alessandro Banzer | 12/12/2014 | Input from Susanne Obrist-Niederer (Susanne is a highly experienced authorization consultant with several international projects in her backpack). | | |

02/10/2014 | Colleen Lee | Document | Summary of the GRC Org structure - which sections apply to AC, PC and RM and any tips on integration with ERP | | | | | |

30/10/2014 | Darnell Suggs | Document | Link or Page to latest Configuration and Integration Documents for GRC AC 10.1 similar to SAP BOBJ AC 10.0 | | | | | |

21/11/2014 | Alessandro Banzer | Document | Usage of EAM - appropriate and inappropriate usage and its dangers | Alessandro Banzer | 30/11/2014 | Reviewed by Alessandro & Colleen | | Usage of EAM | Approved

02/03/2015 | Alessandro Banzer | Document | Differences of direct and indirect role assignment | Alessandro Banzer | 06/03/2015 | | | Direct vs. Indirect Role Assignment | Approved

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.


EAM: Requesting emergency access via access request workflow in SAP GRC - step by step.


1. Introduction - the need.

Your company is currently managing emergency access requests manually, based on an approved ticket or request in another system or ticketing tool. You would like to extend the use of the GRC AC tool and enable requesting emergency access assignments in the same way as regular user access requests, via SAP GRC Access Request Management. Your audit team, however, would like to limit the number of people who can raise this kind of access request, as it is critical from a risk perspective.

2. Expected result - emergency access requests.

In the request type drop-down you would like to see a new request type "Emergency access request".

On the request detail (line item level) you would like to see a new entry "Firefighter ID".

After selecting the 'Firefighter ID' entry, you would like to specify the validity period for the EAM assignment.

Next you would like the FF account owner to approve this access via the SAP GRC work inbox, exactly in the same way as other access requests are approved. You expect a one-stage approval, made by the EAM account owner.

 

3. Enable the new access request type for Emergency Access (step by step)

3.1 Activate the superuser access request type in SAP GRC 10.

Go to SPRO -> GRC -> Access Control -> User Provisioning -> Define Request Type.

In this Customizing activity you maintain the request types and then assign actions to them. SAP delivers several standard request types; each of them represents actions that occur in the back-end systems.

Click on the checkbox to activate the Super User Access request type.

3.2 Select the action for the superuser request type.

Click on the line item for Super User Access, then click on Select Action and make sure 'Super User Access' is assigned.

3.3 Save and transport.

3.4 Validation. On your access request screen, if everything was done correctly, you should now see the new Super User Access request type. Make sure you have the appropriate authorization: an additional authorization for the new request type (request type '6' in this example) is required to see or create this kind of access request, which is exactly what the solution requirement (limiting who can raise these requests) calls for.


4. Build the path for the Super User Access request type (step by step)

Now that the new request type is available in the system, you need to make sure a workflow path is in place to handle those requests.

4.1 Modification (or creation) of the initiator rule

If you already have a workflow for access requests in place (as mentioned in the Introduction), you only need to update your initiator rule to handle the new request type. To update your current initiator rule, go to transaction 'BRF+' and find your initiator rule (if you do not have one yet, it needs to be created first; see other documents such as GRC Request with both System and Role Line Items or AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls if you are wondering how to do this).

Next click on Table Settings.

Make sure the field 'REQTYPE' is on the list of Condition Columns.

Next insert a new entry in the decision table and add a new condition by selecting Direct Value Input from the list in the 'REQTYPE' column.

In the result section enter LINE_ITEM_KEY (context parameter ITEMNUM) and Rule_Result (direct value input, for example Z_EAM).

Next activate your function and transport the changes.


4.2 Building the path for EAM access requests

Enter transaction code 'GRFNMW_CONFIGURE_WD' and open the workflow navigator.

Select the process 'SAP_GRAC_ACCESS_REQUEST' and click Edit.

4.3 Define the result for the initiator rule.

Go to Maintain Rules, find your initiator rule and click on the ADD button.

Next add the rule result defined previously, in my case Z_EAM.

4.4 Define Path

Define the path name and stage.

Create a new path, in my case Z_EAM.

4.5 Maintain Stages

Next add one stage; there is a standard agent available, GRAC_SPM_OWNER. Whoever you define as EAM owner will now be approving emergency access requests.

4.6 Maintain Route Mapping

Assign the newly created path Z_EAM to the result you get from your initiator rule (in my case also Z_EAM).

4.7 Activate the Workflow Version

This is the last step and you are done with your configuration: you can now start to create access control workflows.
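As an added illustration (a constructed example, not code from this document or from SAP), the following Python model ties the pieces of section 4 together: the initiator rule as a decision table with a REQTYPE condition column, the route mapping from the rule result to a path, and the stages of each path. It assumes first-match evaluation of the decision table, uses the document's values (request type '6' for Super User Access, result and path Z_EAM, agent GRAC_SPM_OWNER) and invents the other request type numbers, the default path and its agent IDs purely for illustration. The point it adds is a defender's check: a superuser request must land on a path whose single approval stage is the firefighter-ID owner, and a new row appended below an existing catch-all row never gets evaluated, so such requests silently follow the ordinary path.

```python
"""Simplified model of the MSMP routing built in section 4.

Constructed example, not SAP code.  Request type '6', result/path Z_EAM
and agent GRAC_SPM_OWNER follow the document; everything else
(other request types, the default path, its agents) is an assumption
made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REQTYPE_NEW_ACCOUNT = "1"   # assumption, for illustration only
REQTYPE_CHANGE = "2"        # assumption, for illustration only
REQTYPE_SUPERUSER = "6"     # request type '6' as in the document


@dataclass
class DecisionRow:
    """One row of the initiator decision table: a REQTYPE condition
    (None = wildcard, matches any request type) and its Rule_Result."""
    reqtype: Optional[str]
    result: str


@dataclass
class Stage:
    name: str
    agent: str


@dataclass
class MsmpConfig:
    decision_table: List[DecisionRow]   # evaluated top-down, first match wins
    route_mapping: Dict[str, str]       # Rule_Result -> path name
    paths: Dict[str, List[Stage]]       # path name -> approval stages


def evaluate_initiator(cfg: MsmpConfig, reqtype: str) -> Optional[str]:
    """Return the Rule_Result of the first matching row (first-match model)."""
    for row in cfg.decision_table:
        if row.reqtype is None or row.reqtype == reqtype:
            return row.result
    return None


def route_request(cfg: MsmpConfig, reqtype: str) -> Tuple[Optional[str], List[Stage]]:
    """Return (path, stages) a request of this type would follow, or
    (None, []) when the rule result has no entry in the route mapping."""
    result = evaluate_initiator(cfg, reqtype)
    path = cfg.route_mapping.get(result)
    if path is None:
        return None, []
    return path, cfg.paths[path]


def check_eam_routing(cfg: MsmpConfig) -> List[str]:
    """Defender's check: superuser requests must reach a path whose only
    approval stage is the firefighter-ID owner (agent GRAC_SPM_OWNER).
    Returns a list of findings; an empty list means the routing is fine."""
    findings = []
    path, stages = route_request(cfg, REQTYPE_SUPERUSER)
    if path is None:
        findings.append("superuser request type has no route mapping")
        return findings
    if len(stages) != 1:
        findings.append(f"path {path} has {len(stages)} stages, expected 1")
    if not any(s.agent == "GRAC_SPM_OWNER" for s in stages):
        findings.append(f"path {path} has no GRAC_SPM_OWNER approval stage")
    return findings


# Configuration as built in the document: the REQTYPE=6 row sits *above*
# the pre-existing catch-all row and maps to the Z_EAM path.
GOOD_CONFIG = MsmpConfig(
    decision_table=[
        DecisionRow(REQTYPE_SUPERUSER, "Z_EAM"),
        DecisionRow(None, "DEFAULT"),           # assumed existing catch-all row
    ],
    route_mapping={"Z_EAM": "Z_EAM", "DEFAULT": "DEFAULT_PATH"},
    paths={
        "Z_EAM": [Stage("EAM_OWNER", "GRAC_SPM_OWNER")],
        # Ordinary path and its agent IDs are assumptions for illustration.
        "DEFAULT_PATH": [Stage("MANAGER", "GRAC_MANAGER"),
                         Stage("ROLE_OWNER", "GRAC_ROLE_OWNER")],
    },
)

# Typical mistake: the new row was appended *below* the catch-all row, so
# first-match evaluation never reaches it and superuser requests quietly
# follow the ordinary approval path instead of the EAM owner.
BAD_CONFIG = MsmpConfig(
    decision_table=[
        DecisionRow(None, "DEFAULT"),
        DecisionRow(REQTYPE_SUPERUSER, "Z_EAM"),
    ],
    route_mapping=GOOD_CONFIG.route_mapping,
    paths=GOOD_CONFIG.paths,
)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, route_request(cfg, REQTYPE_SUPERUSER)[0],
              check_eam_routing(cfg) or "ok")
```

Running the block shows the good configuration routing request type '6' to Z_EAM with no findings, while the bad one routes it to the ordinary path and reports both the wrong stage count and the missing GRAC_SPM_OWNER stage. The same check catches a forgotten route mapping entry (step 4.6), which leaves the superuser request with no path at all.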

Please share and contribute to this document to make it better.

Looking forward to hearing from you.

 

Best regards,

 

Filip

Top 10 most viewed SAP KBAs for GRC Access Control in January 2015


Purpose

The purpose of this document is to provide a list of the top ten most viewed SAP KBAs for GRC Access Control in the month of January 2015.


Overview

Below are the top 10 most viewed SAP KBAs for GRC Access Control.

 

KBA Number   KBA Title
2094723   Consolidated Note for SAP Access Control 10.0 Master Notes
1741151   GRC 10.0 Indexing on CDHDR table in case of time out issue due to huge data
2105079   TSV_TNEW_OCCURS_NO_ROLL_MEMORY - Firefighter Log Report
1967403   EAM: Key note for Firefighter Log and Review Workflow issues
2075357   How to create a support incident for SAP Governance Risk and Compliance
1900049   ABAP Dump TSV_TNEW_OCCURS_NO_ROLL_MEMORY, how to verify if it's a memory issue
1668255   Firefighter ID role name for Param ID: 4010
1638100   Print version Communication Failure: RFC Destination SALV_WD_EXPORT_PDF does not exist
1701047   Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector?
1735971   User exit to prevent direct firefighter login

 

Please note, in order to view the contents of the Knowledgebase Articles (KBA), you will need to be logged into Service Marketplace.

 

 

See Also

Top 10 most viewed SAP KBAs for GRC

 


Top 10 most viewed SAP KBAs for GRC Risk Management in January 2015


Purpose

The purpose of this document is to provide a list of the top ten most viewed SAP KBAs for GRC Risk Management in the month of January 2015.


Overview

Below are the top 10 most viewed SAP KBAs for GRC Risk Management.

 

KBA Number   KBA Title
1804950   GRC RM 10.0- From Risk & Opportunity OIF submission of Issue
1705870   RABAX_STATE dump while creating a response in "Response and Enhancement Plans"
1803876   Maintain Analysis Profile dumps as "DYNP_TOO_MANY_RADIOBUTTONS_ON"
1784868   GRC 10.0 Email notification is not sent for Incident workflow
1722449   KRI alert email notification is sent without logo
1800920   How to set work inbox default query
1744953   Text message not translated.
1731254   POWL does not refresh automatically
1841359   Loss Event Approval task is not generated
1843598   KRI Implementation based on table KNB4 is throwing error "Data buffer exceeded; Table "KNB4" contains too many fields"


Please note, in order to view the contents of the Knowledgebase Articles (KBA), you will need to be logged into Service Marketplace.

 

 

See Also

Top 10 most viewed SAP KBAs for GRC

 

GRC Weekly News - 01/19/2015


RELEASED NOTES AND KBAs

GRC-SAC-ARA
   1986732  GRC 10.0: Risk Violations - Number of Analyzed Users
   2099999  Remediation View screen shows blank while Risk Analysis
   2113597  Tuning Organization Rules for better performance
   2116171  Rule Set is not considered for Critical Role/Profile Risk Analysis
   2117916  Incorrect status in Access rule detail report

GRC-SAC-ARQ
   1791296  Note for SAP GRC AC PORTAL PI GRCPIEP in AC10 for NW 730/731
   1806141  GRC 10.0: EUP not supported for Multiple Users requests
   1973753  UAM: Incorrect default roles added into request
   1982339  UAM: End user is able to submit request for business role with retain provision
   2058184  Request with conflict and mitigation report not working
   2069094  Fix related to User details, Default role, system description and unlock action type
   2115282  UAM: Portal role name incomplete in audit log after provisioning
   2116145  Fiori Check Request Status - Cancelled requests displays as "Pending"
   2116262  UAM: Request approval possible with risks
   2116829  Mass load of Business role assignments to users
   2116843  GRC 10.0: Maintain Guided Procedures Gateway

GRC-SAC-BRM
   2083724  Program GRAC_CHECK_BROLE_ASSIGNMENT does not exist
   2117294  AC10.1 - Poor performance of Repository Sync
   2117340  Default role import not working
   2058957  Enable manual editing in EAM maintenance screens
   2113707  Remove non working print button
   2116307  Background job status does not change on RFC time out error

GRC-SPC
   1899028  Notification goes to Owner if there is no deficiency in Sap Query Scenario in Automated Monitoring
   1954054  Can’t Cancel Event Trigger Automated Monitoring Job
   1988286  Currency amount issue error in ad-hoc query
   2096980  Unreserve the work item for process control work items
   1948002  PC task get reserved on Approver Delegation to a AC user
   2117375  Navigate to Subprocess Tab into Organization details causes short dump
   2117756  Risk template cut not reflected on sub process risks
   2079702  PC10.1SP07: Dump in Evaluation Status Bar Chart
   2104886  Reporting: Long running traverses of Process
   1949265  GRC PC: How to enable multilingual test steps in test plan
   1951090  Problem with period in a copy of recurring plan
   2112383  Empty comments for assessments/surveys

GRC-RM
   2114201  Risk OIF - create new risk with Influenced risks - error on save
   2114360  Bow tie builder - entering big number causes dump
   2116408  Risk OIF - Start risk validation in one click
   2117409  WF monitor application for managers - activation/deactivation
   2117687  RM reporting - performance improvement of KRI instance reports
   2118235  Risk template cut - related local risks remains locked
   2118325  Deleted loss events are shown in the "Loss Event Structure" dashboard
   1847859  Reporting: More detail logging of errors in reporting engine
   2117051  Reporting: Performance improvement when processing merged nodes
   2117742  Number of losses and/or loss events in the dashboards are not correct
   2118287  Response Upload: Wrong risk check

RELATED INFORMATION
   2094723  Consolidated Note for SAP Access Control 10.0 Master Note
   2096196  Consolidated Note for SAP Access Control 10.1 Master Note
   2104086  Consolidated Note for Process Control 10.0 Master Data
   2105791  Consolidated Note for Process Control 10.1 Master Data