Channel: SCN : Document List - Governance, Risk and Compliance (SAP GRC)

Configure Emergency Access (EAM) in GRC 10


Hello!

 

Configuring EAM in GRC 10 isn’t a difficult task, but there are some details you have to take into account. The document “AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access” is useful, but it doesn’t consider all the details. Here I’ll try to give you a complete explanation of how to configure EAM successfully.

 

Configure Parameters:

In GRC Box, execute transaction SPRO and navigate to here:

1.jpg

The following parameters should be set according to the table:

 

| Parameter | Recommended value (for initial configuration) |
|---|---|
| 4000‐Application type | 1 |
| 4001‐Default Firefighter Validity Period (Days) | 30 |
| 4002‐Send Email Immediately | YES |
| 4003‐Retrieve Change Log | YES |
| 4004‐Retrieve System log | YES |
| 4005‐Retrieve Audit log | YES |
| 4006‐Retrieve OS Command log | YES |
| 4007‐Send Log Report Execution Notification Immediately | YES |
| 4008‐Send FirefightId Login Notification | YES |
| 4009‐Log Report Execution Notification | YES |
| 4010‐Firefighter ID role name | Choose a role name, for example Z_SAP_GRC_SPM_FFID |

 

For a complete description of the above parameters, please refer to the guide:

https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Maintaining Configuration Settings Guide - SAP AC 10.0

 

Current direct link:

http://service.sap.com/~sapdownload/011000358700000997872011E/AC10_ConfigSettings_SP10.pdf

 

You might want to change some of them; the recommended values only serve as a guide for the initial configuration.

 

Changes to the parameters table are recorded in a transport request. Release the transport to your QA/PROD systems once you have finished the EAM tests and adapted the parameters to your requirements.

 

Parameter 4010: What is it for?

 

If you’ve been working with GRC 5.3, this parameter should sound weird to you.

The purpose is to identify to the application that the user who is logging on to the target system is a Firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them.

That means that you have to create the role that you’ve set in parameter 4010 in all the target systems with the exact name provided there. Usually, you copy it from the standard SAP_GRC_SPM_FFID (it contains RFC authorizations).

Only the users who have that role assigned in the target system will be available for selection in the GRC Box as Firefighter IDs.

Kindly check note: 1668255 - Firefighter ID role name for Param ID 4010

For more information regarding default roles provided by SAP, please refer to Security Guide available here:

 

https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Security Guide - SAP Access Control 10.0

 

Current direct link:

http://service.sap.com/~sapdownload/011000358700001377352010E/ACPCRM10_SG_SP10_en.pdf

 

Adding connector to the SUPMG Scenario:

 

Please check: Note 1562760 - AC10.0 - Intergration Scenarios to Connector link

 

At this point you have already created the connectors.

Now you have to link the corresponding connectors to the SUPMG scenario:

2.png

 

3.png

Click here:

And:

4.png

5.png


Required roles in the GRC Box:


SAP provides standard roles that must be copied to the customer namespace. For this sample configuration you need to create copies of at least the following roles and generate the corresponding profiles:

 

 

| Role | Description |
|---|---|
| SAP_GRAC_SUPER_USER_MGMT_OWNER | Emergency Access management owner |
| SAP_GRAC_SUPER_USER_MGMT_CNTLR | Emergency Access management controller |
| SAP_GRAC_SUPER_USER_MGMT_USER | Emergency Access management firefighter |
| SAP_GRAC_SUPER_USER_MGMT_ADMIN | Emergency Access management administrator |
| SAP_GRAC_BASE | Gives basic authorizations required for all AC users. You must assign this role to all AC users. |
| SAP_GRAC_NWBC | Gives the authorizations to launch NWBC. You must assign this role to all AC users. |

 

You can just name them as Z_<full standard role name> or use a naming convention according to your company requirements.

CAUTION: Please follow the instructions provided in the attachment of note:

Note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes

There are some changes you have to make to the standard roles, and there is also a complete explanation of the authorization objects.

 

For more information, kindly refer to the Security Guide (link provided above).

 

Security considerations for EAM Roles:

 

Kindly read a specific authorization guide for EAM that is attached to the note:
Note 1663949 - EAM: Authorization Fixes for Central Owners and Reason Codes

 

and take into account the authorization concept for the roles:

 

1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User


"As per the functionality in AC10, we have concept of role based authorization. If a user is having SAP_GRAC_SUPER_USER_MGMT_OWNER  role at the backend, then he  should be able to assign any FFID to any Firefighter user.

The user Assigned with the Role of EAM Admin “SAP_GRAC_SUPER_USER_MGMT_ADMIN”
and EAM Owner “SAP_GRAC_SUPER_USER_MGMT_OWNER” can do all available owner action for all connector.
The Auth. Object used for firefighter Maintenance is GRAC_FFOWN & GRAC_OWNER"

 

 

Required users in the GRC Box:

 

In order to show a sample for testing, it’s necessary to create (or use existing ones) three users:

 

FF_OWNER: This user will serve as owner for the firefighter ID. It should be assigned to the role Z_SAP_GRAC_SUPER_USER_MGMT_OWNER

 

FF_CONTROL: This is the firefighter controller. You assign Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR.

CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you want the controller to receive notifications via e-mail.

 

FIREFIGHTER: This is the firefighter user, who will be able to access the target system with the Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles. If you don't assign the base roles, you won't see the user (FIREFIGHTER in this case) available for selection in the Firefighter IDs.

<your user>: The user who is going to perform the configuration must have at least the role Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.

 

In addition to all the mentioned roles above, all users must have the roles Z_SAP_GRAC_NWBC and Z_SAP_GRAC_BASE assigned.

 

For a theoretical explanation of the users and their responsibilities, refer to https://help.sap.com/saphelp_grcac10/helpdata/en/16/404938695540b398a5e76fe8cfb067/frameset.htm

 

Required roles in the target system:

 

In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID and generate the profile.

CAUTION: The name of this role MUST be the same as the one configured in parameter 4010 in the GRC Box. In this example: Z_SAP_GRC_SPM_FFID.

 

Required users in the target system:

 

You have to create a user (FIREFIGHTER_ID) in the target system with the roles/profiles it needs according to your requirements. In addition, you must assign the role Z_SAP_GRC_SPM_FFID to the FIREFIGHTER_ID.

This user should be of type “Service”, as per note 1702439.

The following note describes an issue you'll face with this kind of user: Note 1586989 - Object Services icon not available in Firefighter ID session

I'll update this document when a specific note for GRC 10 is released regarding this issue.

 

Creating central Owners and controllers:

 

Access NWBC: http://<server>:<port>/nwbc/ or execute tx. NWBC in the GRC Box.

Go to the “Setup” tab and:

6.png

Create entries for the Firefighter controller and owner:

7.png

 

Creating reason codes:

You have to create at least one reason code to be able to use the firefighter ID later.

8.png

9.png

Associate the entry to the corresponding target system.

 

Synchronization Jobs:

In accordance with note: 1585079

You have to execute the synchronization Jobs in order to make the FF IDs available in GRC Box for selection:

 

Please make sure that you have performed following configuration steps:

  1. Integration Scenarios are configured as explained in note 1562760
  2. Please make sure the Firefighter role is assigned to Firefighter IDs in the corresponding client system and that the same role has been given as parameter value for configuration parameter 4010. Configuration parameters can be configured in the transaction code SPRO => Governance, Risk & Compliance => Access Control => Maintain Configuration Settings
  3. Run User/Role/Profile/Auth synchronization jobs. The link to run these jobs can be found under transaction code SPRO => Governance, Risk & Compliance => Access Control => Synchronization Jobs.

 

10.png

Once you have executed the auth & repository sync job with the corresponding target connector, the FF ID will be available for selection in the GRC Box.

See also Note 1668255

 

…Once you are done with the above steps, re-run an Incremental/Full User Sync for the

Firefighter IDs with the Firefighter Role to be SYNCed into the GRC box.

Now re-launch the application via NWBC or Portal and then search for the Firefighter ID

and this should be available in Firefighter ID list.

                          …
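The role-name and user-type conditions above can be cross-checked offline before running the synchronization jobs. The following is an added example, not part of the original guide and not SAP code: it assumes role assignments and user master data were exported as CSV from the target system tables AGR_USERS and USR02, and all user names and rows are constructed sample data.

```python
"""Offline pre-flight check for Firefighter ID (FFID) visibility in the GRC Box."""
import csv
import io
from difflib import SequenceMatcher

# Value of parameter 4010 in the GRC Box (the example name used in this guide).
PARAM_4010 = "Z_SAP_GRC_SPM_FFID"

# Constructed sample: role assignments in the target system.
# Assumption: exported as CSV from table AGR_USERS (AGR_NAME = role, UNAME = user).
AGR_USERS_CSV = """AGR_NAME,UNAME
Z_SAP_GRC_SPM_FFID,FIREFIGHTER_ID
Z_SAP_GRC_SPM_FFID,FF_BASIS_01
Z_SAP_GRC_SPM_FFID,FF_SD_01
SAP_GRC_SPM_FFID,FF_FI_01
Z_SAP_GRAC_SPM_FFID,FF_MM_01
Z_FI_DISPLAY,JDOE
"""

# Constructed sample: user master data in the target system.
# Assumption: exported as CSV from table USR02 (USTYP: A = Dialog, S = Service).
USR02_CSV = """BNAME,USTYP
FIREFIGHTER_ID,S
FF_BASIS_01,A
FF_FI_01,S
FF_MM_01,S
JDOE,A
"""


def read_rows(text):
    """Parse CSV text into a list of dicts with whitespace-trimmed values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: v.strip() for k, v in row.items()} for row in reader]


def is_near_miss(role, expected, threshold=0.85):
    """True when a role name resembles, but does not equal, the 4010 value."""
    return role != expected and SequenceMatcher(None, role, expected).ratio() >= threshold


def check_ffids(param_4010, agr_rows, usr_rows):
    """Classify target-system users against the parameter 4010 role name."""
    user_type = {r["BNAME"]: r["USTYP"] for r in usr_rows}

    # Only users holding the role under the exact 4010 name become selectable.
    selectable = {r["UNAME"] for r in agr_rows if r["AGR_NAME"] == param_4010}

    # Users holding a similarly named role (uncopied standard role, typo in the
    # copy) do not match parameter 4010 and will not be offered as FFIDs.
    near_miss = {
        r["UNAME"]: r["AGR_NAME"]
        for r in agr_rows
        if r["UNAME"] not in selectable and is_near_miss(r["AGR_NAME"], param_4010)
    }

    return {
        "selectable": sorted(selectable),
        "near_miss": near_miss,
        # The guide asks for user type "Service" for Firefighter IDs.
        "not_service": sorted(
            u for u in selectable if u in user_type and user_type[u] != "S"
        ),
        # Role assignment exists but no user master record was exported.
        "no_user_master": sorted(u for u in selectable if u not in user_type),
    }


def run_sample():
    """Run the check on the constructed sample data above."""
    return check_ffids(PARAM_4010, read_rows(AGR_USERS_CSV), read_rows(USR02_CSV))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Users reported under near_miss hold a role whose name differs from the parameter 4010 value, so they need the exact role assigned before the next sync.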

Assign Owners:

11.png

12.png

 

Assign Firefighter IDs to Firefighters

 

13.png

Here you assign the Firefighter ID to the corresponding Firefighters users (one or more)

14.png

And in the controller tab set the controller user:

 

15.png


 

 

Firefighter collector job:

 

Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note: 1617529

 

Known problems with time zones:

Note 1595462 - Logs not visible in the SPM Reports

Note 1775432 - Transaction logs are not getting captured by GRC 10.0

 

Known problem when connector is set to “*”:

Note 1726157 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data

 

Performance problems:

Note 1750024 - GRAC - Performance of the SPM Log Sync

 

Other errors:

Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed

Note 1776070 - GRC EAM program is giving a short dump and no logs generated

Note 1731923 - EAM:Transaction Logs are not being captured while sync

 

E-mail configuration:

 

If you want the controller to receive e-mails (firefighter logon notification and firefighter session details) you have to check the following:

 

  • Make sure your Basis team has properly configured outgoing e-mails from GRC Box (Tx. SCOT)
  • Controller notification method was set to: Email (see above)
  • SPRO parameters:
    • 4002 Send E-mail Immediately: YES
    • 4007 Send Log Report Execution Notification Immediately: YES
    • 4008 Send FirefightID Logon Notification: YES
    • 4009 Log Report Execution Notification: YES
  • Controller user (FF_CONTROL) has “Comm.Method” set to “E-Mail” in SU01 and has a valid e-mail address.
  • WF-BATCH User must also have an e-mail address in SU01; otherwise you’ll get the following error in tx. SLG1:

               16.png

According to the configuration settings guide:

17.png

 

You can change the parameter and use another user to send the e-mails.

 

After executing GRAC_SPM_LOG_SYNC_UPDATE, execute tx. SOST and check whether the e-mails were generated (you have to log on with the firefighter first in order to get the e-mails).

 

Implement Firefighter user Exit:

Although the application changes the Firefighter ID password each time you start the firefighter (you can check this via change documents in the target system), Firefighter IDs need to be restricted from logging on to the SAP system directly via SAP GUI. For this purpose we need to create or modify the SAP user login exit.

 

Check

1545511 - Firefighter User Exit

1735971 - User exit to prevent direct firefighter login

Security Issue???: http://scn.sap.com/thread/3273562


 

Required RFC connections for EAM:

 

Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector?

 

"Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC system and the plug-in."

 

 

Links to more documentation:

 

Note 1394281 - Superuser Privilege Management Log Report Content

Note 1065048 - Firefighter Log Not sent in Email to Controller <<- for 5.3, but useful

Note 1618040 - Performance fix for SPM transaction logs for large systems

Note 1732938 - Firefighter incorrect language setting on ERP Production

Note 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User

Note 1747283 - EAM: Entries in EAM logon pad not Visible for a firefighter

 

 

!!NEW: Decentralized firefighting (as in GRC 5.3) is available as of SP10

 

As of SP10, Emergency Access decentralized firefighting features are available. Users can install and use the EAM Launchpad to perform ID-based firefighting directly on plug-in systems. This means that a Firefighter session can be started from the plug-in system itself without the need to access the GRC Box. This approach was used in GRC 5.3. With GRC 10 SP10 you can choose between centralized and decentralized firefighting.

 

The most important advantage of decentralized firefighting is that you can continue using firefighter even when the GRC Box is down. In my opinion, it’s also more “user-friendly” since the firefighter doesn’t have to log on to the GRC Box in order to start the firefighting session; he/she only needs to execute a transaction in the plug-in system. For some companies, the centralized approach is better since the user accesses one system (GRC Box) and can start firefighter sessions in multiple systems.

Bottom line, the most important thing is that with SP10 you have the option to choose, and below you’ll find information that’ll help you to configure decentralized firefighting.

 

The idea of a decentralized firefighting was submitted by Daniela Bork on SAP Idea Place: Access Firefighter application locally in AC10

So, if you have a good Idea, please share it with SAP customers and employees in the Idea Place and maybe it becomes a new functionality!

 

WARNING: THE FOLLOWING PROCEDURE ISN’T PROPERLY DOCUMENTED. I’LL ADD INFORMATION OR CHANGE THE PROCEDURE AS SOON AS NEW GUIDES ARE AVAILABLE.

 

Main documentation can be found in the guide attached to the note: Note 1690964 - Emergency Access Management Overview Documentation

 

In the GRC Box a new parameter is available and must be set accordingly:

 

Under transaction SPRO, navigate to here:

20.png

And create a new entry for parameter 4015 which has to be set to the value “YES”

21.png

Additionally, a new synchronization job is available and must be executed in order to synchronize the EAM data from the GRC Box to the plug-in system. Remember that configurations (firefighter assignments, controllers, owners, reason codes, etc.) are still maintained in a centralized way, i.e. in the GRC Box.

In order to sync this data with the plug-in, a new job is available and can be found here:

22.png

23.png

In the connector field you have to set the corresponding plug-in connector. In order to keep your plug-in system updated with the changes you made in the GRC Box, this report should be scheduled periodically; I think hourly would be fine. In addition, if you have multiple plug-in systems, you should follow the same approach as with the log sync: create individual jobs for each connector instead of a single job with connector value “*”.

 

Configuration in the plug-in system

 

In the plug-in system you’ll find new activities under SPRO:

 

26.png

These activities are described in here: 1804207 - GRC EAM 10.0: Configuration parameters introduced in SP10 for EAM

If you haven’t set the parameter 1000 in the plug-in system, you’ll have to do it in order to use decentralized firefighting, otherwise you’ll get an error message as described here: 1800772 - Error 'No Destination specified' when using transaction /GRCPI/GRIA_EAM

Then, check the parameter as described below:

28.png

If the parameter 1000 isn’t present you have to create it and set the value to an RFC destination pointing to the system itself:

27.png

Since this configuration is transported I recommend to create a new RFC destination in DEV, QAS and PRD system with the same name, let’s say “GRC_CONNECTOR”. This will allow you to transport the configuration throughout your entire landscape.

The RFC connection does not require a user. It just has to point to the correct system/instance and a specific client.

 

Required users

 

Controllers have to be created in the GRC Box, just as with centralized firefighting. In addition, these users must exist in the plug-in system and have a valid e-mail address, because login notifications are sent from the plug-in system.

With the decentralized scheme it’s not necessary to create the firefighter users in the GRC Box, because they’ll start firefighter transaction from the plug-in system.

 

E-mail considerations

 

Log-in notifications are sent from the plug-in system:

 

30.png

 

But, as with the decentralized approach, log notifications are sent from GRC Box:

31.png

 

This requires a proper mail configuration (tx. SCOT) in both systems: plug-in and GRC Box.

 

Plug-in roles

 

You’ll have to create a new role as a copy of SAP_GRAC_SUPER_USER_MGMT_USER.

You should add the following authorization to it:

33.png

For some NW releases ACTVT=02 will be also required. Kindly Check 1753459 - EAM: S_USER_GRP with ACTVT=02 required

This role is assigned to the firefighter users. Bear in mind that these users should not have access to user maintenance transactions, for example SU01. If the firefighter IDs are properly assigned to a group and you can restrict the CLASS field, this is not a big issue: although they could change the password, they won’t be able to log on, because the user exit is implemented in order to prevent it.

The authorization added to the role SAP_GRAC_SUPER_USER_MGMT_USER isn’t properly documented by SAP yet. There might be another way to configure it, but this was the same approach used in GRC 5.3.

In addition to this role you also have to create roles for administrator and owner. Remember that extending the validity period is a new activity available in the plug-in system and owners and administrators should have access to it.

 

Known Problems ( specific to decentralized EAM)

 

Note 1849289 - For Decentral EAM No Reasoncode and Activity desc captured

 

Specific for CUA systems: Note 1814400 - Decentral call is opening different session in CUA

(Documentation provided by: Guido Stusinsky)

 

Common Issue: Logon screen appears when starting FF session

 

It's possible that we get a logon screen after starting the FF session. This is an incorrect behavior since the user doesn't need to enter the FF ID password.

Here are some tips:

 

  • Check the RFC connection. Perform an authorization check in SM59 to check if the RFC user is OK.
  • Check that the RFC is pointing to the correct client.
  • Look for dumps in ST22 in the plugin system.
  • Check whether the FF ID password is productive; reset the password, or try changing the user to type "Service" if you are using a "Dialog" user for the FF ID.
  • Have a look at the following notes:

 

1861981 - Things to check when error message 'Error in opening RFC destination' appears in GRAC_SPM

1777094 - EAM log on is not possible with the error: 'Error found in RFC (plug in system) and respective logon\logons are disabled'

Note 1886332 - GRC 10.0 EAM prompts for user/password while logging

Note 1872709 - Logon popup shown when launching the EAM session

 

 

Co-existence of firefighting models


Both models could be used. The decentralized firefighter configuration doesn’t block the centralized firefighter approach. Since you can start only one firefighter session at a time, you cannot use both at the same time and this is automatically controlled by the application.

 

Administration functions

 

The administration functions are maintained in the GRC Box. The decentralized firefighting adds a couple of tasks in the plugin system such as logging notification customizations and the possibility to extend the validity date of firefighters if the GRC Box is down. You’ll find a nice illustration in the guide attached to note mentioned earlier (1690964).

 

Access to decentralized FF


Some standard roles do not include the correct SPM transaction. In order to start decentralized FF, the Firefighter user has to type /n/GRCPI/GRIA_EAM in the transaction bar. If you use other tcodes you might see an empty table, and if you don't use /n you'll receive a message stating something like it's impossible to execute this function.

 

Please share your thoughts, comments or documentation in order to improve this guide.

 


Well, that’s all. Hope this document has helped you to successfully configure GRC EAM.

 

Cheers!

Diego.

 



Troubleshooting HR trigger when rule does not satisfy


Check the following:

 

1) Open the BRF plus rule, navigate to the decision table component, click on "Table Settings" and make sure you have the check boxes as follows: first unchecked, second checked, third unchecked.

 

2) In the BRF rule still, navigate to the main Function, go to tab Signature, and make sure the name of the context table is HR_TRIGGER_TABLE, and nothing else other than this name.

 

3) Navigate to the second rule (which is called from the LOOP) and make sure you have only the two operations:

 

Change Structur...-Action ID after processing expression DECISIONTABLE_test
Insert values into Table type for Action ID from Structur...-Action ID

Crosscheck configuration when Agent assignment is missing


1. Go to IMG and open IMG documentation for highlighted activity:

a1.JPG

 

2. In the documentation you will have to perform following steps in your system:

 

a2.JPG

LDAP Group parameter mapping.. what does it mean?


When LDAP is configured as a data source in GRC 10, the group parameter mapping must be configured.

 

For instance, the group parameter "User: OC" has a value of "person".

 

What does it mean?

 

It means that the search for LDAP records will only bring back to the application those entries for which the "objectClass" is "person".

 

In other words, the entries are for users. The same can be configured to bring back only roles, by maintaining the group parameter "Roles: OC" with a value of "group".

 

ldap1.JPG

 

 

ldap2.JPG

Sample DB Lookup for BRF plus "No role Owner" rule.


1. Create a new expression of type ‘DB Lookup’ in your existing initiator rule

 

brf1.JPG

 

2. Provide name and description to your DB lookup and fill in following details

 

brf2.JPG

 

 

3. Once the DB lookup is created and activated, open your decision table and click the ‘Table Settings’ button. In your table settings, use ‘Insert Column’ as shown below

 

brf3.JPG

 

4. Select the newly created DB Lookup as a new column

 

brf4.JPG

 

 

brf5.JPG

 

 

5. Now in your decision table you can have first row for roles without role owners and rest of the table can remain same as your existing rule

 

 

brf6.JPG

SQL Trace in Java SQL Monitor


The Java SQL Monitor is useful to troubleshoot issues in GRC 5.3 release.

 

 

 

1- Type the address http://<server>:<port>/SQLTrace and you will see the OpenSQLMonitor page:

 

monitor1.JPG

 

2- To activate the trace, click on the “Switch on and off SQL Trace” link.

 

monitor2.JPG

 

 

3- Click on “SQL Trace ON” button, recreate the issue in GRC frontend, and click “SQL Trace OFF” (this button will appear once the trace is ON).

 

4- Click “Trace Evaluation” to evaluate the SQL statements sent to the database.

 

Example of existing traces in an internal system:

 

monitor3.JPG

 

 

Once you evaluate it, this is what is used for analysis:

 

monitor4.JPG

Authorization required to activate traces in Java SQL Monitor


1. Open the Visual Administrator, select the first instance.

2. Go into the “Security Provider” service.

3. Select “Runtime” tab and “Policy Configurations” tab.

4. In the components list, select “sap.com/SQL Trace*OpenSQLMonitors” as shown below.

5. Select “Security Roles” tab and switch to edit mode by clicking the pencil in the toolbar above the tabs.

6. The J2EE role OpenSQLMonitorLogonRole has to be granted for the Sap.com/SQLTrace*OpenSQLMonitors component

 

visual1.JPG

 

**Please replace SAPSUPPORT with the corresponding user you are creating for the SAP team to connect to the system.

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool


The GRC 10 application makes use of BRF+ tool to create rules which are used to customize agents, initiators, detours, hr trigger, etc.

 

Specifically talking about the HR trigger rules, there are certain values that can be maintained in the decision table of the HR Trigger BRF+ rule, in order to capture the employee changes performed via HR transaction PA40.

 

Below is an example/suggestion of decision table conditions for: New Hire (CRE), Termination (TER) and Position Change (CHN)

 

hr_dt.jpg


brf initiator rule based on system or connector


Go to SPRO > GRC > Access Control > Workflow for Access Control.

 

Click Define Workflow Related MSMP Rule.

1.JPG

Select the process ID and fill in the details as per the screenshot below, following your naming convention.

 

Use a BRF+ flat rule for line item.

Click item, select connector and click OK (green check mark symbol).

See the attached screenshot.

Since the connector is specific to the client, your requirement is based on that.

2.JPG

Once generation is done you will see the screen below.

 

3.JPG

Now click on Define BRF rule.

 

It will open in the browser.

 

Select the rule you have created.

 

4.JPG

Expand as shown and click the function ZINIT_1 shown in the example.

 

On the right-hand side you will see the top expression ZINIT_1.

 

5.JPG

Click the top expression (ensure you are in edit mode).

A new screen then appears; click insert new row.

6.JPG

Give the details of the connector.

7.JPG

In the line item key, select from context parameter and select item num.

8.JPG

9.JPG

 

The rule result value is like initiator 1.

11.JPG

Similarly, for each connector you can have an initiator defined.

 

12.JPG

Now save and activate the BRF+ function.

 

And copy the function ID.

13.JPG

 

Now go to MSMP.

In change mode, go to maintain rules and click add.

 

Give the function ID of the BRF+ function, give a description, select the rule type and select the rule kind.

14.JPG

Now save it. Once you have saved it you can see it at the top. Click on it and add results.

Use the same case and word you have put in the rule result value in BRF+.

 

On the screen below you will see the process initiator; use the new initiator created.

16.JPG

Now, assuming you have your path and stages defined, go to maintain route mapping.

 

And map your result value.

17.JPG

18.JPG

Then save and generate a new version.

GRC 5.3 CUP escalation to admin issue


Hi All,

 

We have a detour path which has a security stage. If the request has SOD then it will take the detour path, then the security person will forward it to one approver.

If that forwarded approver is not taking an action then the request should escalate to admin.

 

We have maintained this at the security stage, i.e. the request should get escalated to admin in case the approver didn't take any action.

 

But the request is not escalated to admin. Below are the logs which are showing.

 

2013-10-23 07:13:57,102 [Thread-112092] ERROR com.virsa.ae.core.BOException: Exception while getting results

com.virsa.ae.core.BOException: Exception while getting results

    at com.virsa.ae.accessrequests.bo.RequestBO.getRequestDetails(RequestBO.java:5380)

    at com.virsa.ae.accessrequests.bo.RequestBO.getRequestDetails(RequestBO.java:4614)

    at com.virsa.ae.accessrequests.bo.RequestBO.escalateRequestToAdmin(RequestBO.java:9663)

    at com.virsa.ae.workflow.bo.WorkFlowEscalationManager.forwardToAdministrator(WorkFlowEscalationManager.java:188)

    at com.virsa.ae.workflow.bo.WorkFlowEscalationManager.runEscalation(WorkFlowEscalationManager.java:153)

    at com.virsa.ae.service.escalation.EscalationBGJob.execute(EscalationBGJob.java:33)

    at com.virsa.ae.backgroundjobs.BackgroundTask.run(BackgroundTask.java:62)

    at java.util.TimerThread.mainLoop(Timer.java:432)

    at java.util.TimerThread.run(Timer.java:382)

Caused by: com.virsa.ae.core.BOException: Exception while getting results

    at com.virsa.ae.accessrequests.bo.RequestBaseBO.getRequestBaseDetails(RequestBaseBO.java:633)

    at com.virsa.ae.accessrequests.bo.RequestBO.getRequestDetails(RequestBO.java:4670)

 

 

Please advise us where it is going wrong.

 

Thanks and Regards,

Sushma M

SAP GRC Risk Management 10.1 Enhancements

Capgemini is one of the first ‘Ramp Up’ partners with SAP on SAP GRC 10.1 suite of products. This blog covers feedback on ‘SAP GRC Risk Management 10.1’ product on behalf of Capgemini.
Enhancements done in SAP GRC Risk Management 10.1 as compared to SAP GRC Risk Management 10.0 have been categorized under five categories as listed below;
  1. Changes in NWBC Page
  2. Changes in Terminologies(ISO 31000 Terminology Support)
  3. User Experience Enhancement
  4. Operational Data Provision (ODP)
  5. Risk Assessment/Analysis Related Enhancements
I. Changes in Front End
Below are few additional tabs added in NWBC page which make Risk management easier and faster;
My Home - Work Inbox : As shown in the below pictures, mails can be sorted alphabetically, on priority level of request (high, medium and low) and request date as well.
WorkInbox1.png
WorkInbox2.png


Risk Structure - Organization: Organizations can be mapped and threshold can be checked at Organization level easily. So, the view option can be customized as per customer requirement.
Risk Structure1.png
Risk Structure - Risk & Responses: Related risks can be linked to each other directly. Underlying risks can be mapped to a master risk and can be browsed from here.
Risk Structure2.png

Risk Assessments - Risk Assessments: Risks can be reassigned to a new organization. Proposed risks and other related details like name of person who created the risk, proposed organization etc. can be viewed. Ad-hoc Risk Escalations can also be seen here. 
Risk Structure3.png
Risk Monitoring: Exception Access Rules: This functionality makes the process of creating organization rules faster and eliminates possible invalid entries due to manual inputs.
Risk Monitoring.png


    
     
II. Changes in terminologies (ISO 31000 Terminology Support):
It helps to harmonize risk management process in existing and future standards. Terminology differences are supported with configurable label changes. Few changes are given below;
  • Driver – Cause
  • Impact – Consequence
  • Probability – Likelihood
  • Response – Treatment
  • Event – Incident/Loss
The new version, i.e. GRC 10.1, also supports activities like edit, upload, download and transport of the terminologies.
III. User Experience Enhancement:
  • Entry Page and Side Panel: This functionality is most useful for corporate risk managers and operational risk managers. Users get easy access to critical data and frequently used transactions.
  
Side Panels are used to enhance the working context of end users by;
    • Displaying additional information related to the current context
    • Rendering additional shell visuals, such as collaboration, help etc.
    • Side panel of risk shows various controls and status of control test(passed/failed) as well
      
    Entry Page is dedicated to SAP Risk Management operational risk managers and can be configured in the IMG settings of Operational Risk Management for the banking industry. The entry page shows the general activities of the operational risk manager.
    Both Side Panel and Entry Page can be configured and personalized by the customer as per requirement.
    • Google like Search: This functionality enables a few Risk Management entities for Enterprise Search (Google like search) in Risk Management. Below is the list of entities which are supported by Enterprise Search:
        • Activity
        • Incident
        • Risk
        • Response
    Google like Search.png
    IV. Operational Data Provision (ODP): This functionality helps index data in the SAP HANA database / SAP NetWeaver BW Accelerator. It provides faster access to data for analytics purposes and for mass data replication as well. Enterprise Search has also been integrated with this functionality.
    V. Risk Assessment/Analysis Related Enhancements: The GRC 10.1 version has a provision to connect to a HANA system, so HANA capabilities can now be used in risk analysis.
      
    • HANA Based Key Risk Indicator (KRI): A new connector type ‘HANA’ is introduced, which helps to connect to a HANA system. It makes use of HANA capabilities to analyze large volumes of data and find potential risks quickly. Enterprise risks from multiple systems can also be consolidated through HANA.
    • KRI Driven Analysis:  This enhancement allows probability and/or impact to be linked to a KRI instance. Probability and  impact can be calculated automatically by KRI runtime. Whenever a linked KRI instance is updated, a new standard analysis would be created to keep the history of changes made, if any. This functionality is covered in KRI runtime.
       KRI Driven Analysis.png
    • Operational Risk Analysis: In the earlier version, Risk Analysis showed three risk analysis types: inherent, residual and planned residual. In GRC 10.1, Residual Analysis (Planned) can be hidden by configuring the settings. This enhancement helps Risk Management support industry frameworks (ISO 31000 and COSO) better, as Residual Risk Analysis (Planned) is not required in these frameworks.
           Operational Risk Analysis.png
    • Risk Analysis Guidance:  The Risk Analysis Guidance can be configured in SPRO. This option helps users understand the possible impacts of a particular risk and perform analysis in a better way. It shows the list of all impact/consequence  categories, if configured.
           
            Risk Analysis Guidance.png
    • Ad-hoc Risk Escalation: Also called Ad-Hoc Reporting. This functionality alerts risk managers whenever a risk exceeds the predefined company threshold level and helps them take corrective measures, as ad-hoc risks require a dedicated awareness and reporting process in an organization. Ad-Hoc Risk Escalation also serves as a whistle-blowing approach within a Risk Management framework.
    • Risk Summary: A new ‘Risk Summary’ tab has been introduced in new version at Organization, Risk Category and Activity user interface, which provides risk summary information on respective Organization, Risk Category and Activity collaboratively.
      
    Benefits from Enhancements made in SAP GRC Risk Management 10.1 as compared to SAP GRC Risk Management 10.0
    (Table columns: Enhancement Areas in SAP GRC Risk Management 10.1, New Functionalities in SAP GRC Risk Management 10.1, Benefits of Enhancements in SAP GRC Risk Management 10.1)
    I. Changes in NWBC Page
    • Simplified Work Inbox: The option to sort mails based on Requested By [A-Z/Z-A], Request No [Low-High/High-Low] and Requested Date [Low-High/High-Low] makes it easier to handle.
    • Master & Dependent Organization View Mapping: The customization option for the view of master organization and dependent organization mapping makes it suitable for customers, as they can customize their view according to their requirement.
    • Threshold Browser: Threshold levels of companies can be viewed and managed through this link without going to the individual organization in the organizational hierarchy.
    • New Risk Assessment features (reassignment of risks, proposed risks and risk escalations, Workshops): Risks can now be reassigned to various organizations easily, directly from NWBC. Proposed risks and their status can be viewed with a new tab.
    • Organization Rule creation Wizard: Helps in creating organization rules faster and eliminates possible invalid entries.
    II. Changes in terminologies (ISO 31000 Terminology Support)
    • (ISO 31000 Terminology Support): Terminologies are now aligned with the ISO 31000 standard, which improves global adoption of SAP GRC Risk Management.
    III. User Experience Enhancement
    • Entry Page and Side Panel: Risk managers benefit most from the improvements in Entry Page and Side Panel, which show additional details about risks, related controls, frequently used critical transactions etc.
    • Google like Search: Searching for various RM entities like risks, activities, incident and response (consequence) is now easier; this was not there in the older versions.
    IV. Operational Data Provision: This functionality helps in indexing data in the HANA database / SAP NetWeaver BW Accelerator, which enables faster access to data for analysis.
    V. Risk Assessment/Analysis Related Enhancements
    • HANA Based Key Risk Indicator (KRI): The HANA connector helps connect to HANA and use HANA capabilities to analyze large volumes of data easily.
    • KRI Driven Analysis: Impact and probabilities can be calculated automatically, which makes Risk Analysis more accurate and easy.
    • Operational Risk Analysis: Residual Risk Analysis (Planned) can be hidden, which supports the ISO 31000 and COSO frameworks, where it is not needed.
    • Risk Analysis Guidance: This functionality shows the list of possible impacts/consequences during risk analysis and thus helps risk managers to take appropriate measures.
    • Ad-hoc Risk Escalation: Alerts risk managers whenever a risk crosses the organization's threshold limit and helps them take immediate corrective actions.
    Conclusion: The biggest advantage we feel is the enhancements made in terminologies and the flexibility to change them, with an option to transport. In the earlier version, SAP GRC Risk Management 10.0, terminologies were not globally adopted and customers could not understand and correlate the terminologies with the ones in their respective organizations, which was the biggest disadvantage. Now, the terminologies are standard (they follow the ISO 31000 standard) and globally adoptable. Customers find the terminologies familiar now, which attracts their attention towards SAP GRC Risk Management. Risk Analysis is easier and faster now with the introduction of HANA features in SAP GRC Risk Management 10.1, along with the introduction of Risk Analysis Guidance, Side Panels and the enhanced Entry Page. The Ad-Hoc Risk Escalation option is also one of the most important enhancements made in this version. Apart from other new functionalities, the Google like search option is really helpful. But we feel that the introduction of a few functionalities, such as an offline mode of risk analysis and mobile options in SAP GRC Risk Management, would really help in attracting customers further. So, we are looking forward to having these features in later versions, which would improve the adaptability of the SAP GRC Risk Management solution by customers.

    How to set up a Configurable Business Rule


    I have created this document in order to help the customer with one of many sub scenarios provided by Process Control Business Rules. My objective is to create one document for each sub scenario. This is the first one.

     

    Before you start creating Data Sources and Business Rules, check the parameter for table logging in RZ11. You can specify specific clients for table logging or set the default option to ‘All’. Check SAP note 1653464 for further information on performance.

    When setting continuous monitoring, you must create a Data Source.

     

    Why create a Data Source?

     

    A data source, once created, can be used by many business rules. The data source is where the system obtains the monitored data.

     

    Supported Sub-scenarios:

    • SAP Query
    • BW Query
    • Process Integration
    • SoD Integration
    • Configurable
    • Programmed
    • Event
    • ABAP report
    • External Partner

    In this tutorial we will only look at the Configurable sub-scenario (highlighted in gray).

     

    Creating a Data Source:

     

    Filling out the General Tab:

    DS1.JPG

     

    Object Field:

     

    In this example, I chose to monitor changes in HRP1000. I selected some table fields to look up.

    I cannot find any information related to this table.

     

    HR tables are not supported in a Configurable scenario. There is a workaround: you can maintain the HR/PA table name in the table /GRCPI/GRIASPEC, and it can then be used in a Configurable scenario. However, SAP will not hold any responsibility for this workaround and it is not recommended; customers can implement it at their own risk. We need to choose another table to look up.

     

    • Choose LFA1.

     

    LFA1 (Vendor master table) is a standard SAP Table.

     

    DS2.JPG

    Explanation of Related Table Lookup:

    The Reference or Dependent tables option defines the direction of the relationships.

    Dependent tables are those which refer to (as foreign keys) the key fields of your main table (primary keys), while reference tables are the opposite — they hold the primary keys to which your main table refers as foreign keys. You can join multiple related tables together in such a compound data source, with the constraint that the join conditions are restricted to being equality relationships between like-type fields. For the most part, it is expected you will join primary keys to foreign keys. PC 10.0 looks up known relationships  from the data dictionary and pre-populates the join conditions area as you go.
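The two lookup directions, as an added sketch that is not part of the original document and not Process Control code. It rebuilds cut-down copies of LFA1 with one reference table (T005) and one dependent table (LFB1) in an in-memory SQLite database; the choice of T005 and LFB1, their key fields, the sample rows and the use of SQL inner joins are assumptions made for illustration.

```python
import sqlite3

# Constructed miniature versions of three standard SAP tables (a few columns
# each). Key and foreign-key fields follow the SAP data dictionary as assumed
# here: LFA1 is the main table, T005 a reference table, LFB1 a dependent table.
SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE T005 (              -- countries: reference table for LFA1
    MANDT TEXT, LAND1 TEXT, INTCA TEXT,
    PRIMARY KEY (MANDT, LAND1));
CREATE TABLE LFA1 (              -- vendor master: main table of the data source
    MANDT TEXT, LIFNR TEXT, NAME1 TEXT, LAND1 TEXT, ERNAM TEXT,
    PRIMARY KEY (MANDT, LIFNR),
    FOREIGN KEY (MANDT, LAND1) REFERENCES T005 (MANDT, LAND1));
CREATE TABLE LFB1 (              -- vendor company-code data: dependent table
    MANDT TEXT, LIFNR TEXT, BUKRS TEXT, AKONT TEXT,
    PRIMARY KEY (MANDT, LIFNR, BUKRS),
    FOREIGN KEY (MANDT, LIFNR) REFERENCES LFA1 (MANDT, LIFNR));
"""


def build_demo_db():
    """Create the in-memory database and load the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO T005 VALUES (?, ?, ?)",
                    [("100", "DE", "DE"), ("100", "US", "US")])
    con.executemany("INSERT INTO LFA1 VALUES (?, ?, ?, ?, ?)", [
        ("100", "0000100001", "Vendor A", "DE", "ZHAOBR"),
        ("100", "0000100002", "Vendor B", "US", "ZHAOBR"),
        ("100", "0000100003", "Vendor C", "US", "OTHERUSR"),
    ])
    con.executemany("INSERT INTO LFB1 VALUES (?, ?, ?, ?)", [
        ("100", "0000100001", "1000", "160000"),
        ("100", "0000100001", "2000", "160000"),
        ("100", "0000100003", "1000", "160000"),
    ])
    return con


def reference_lookup(con, created_by):
    """Reference direction: LFA1's foreign key LAND1 joins T005's primary key.
    Each vendor matches at most one country row, so the row count is unchanged."""
    return con.execute("""
        SELECT v.LIFNR, v.NAME1, c.INTCA
        FROM LFA1 AS v
        JOIN T005 AS c ON c.MANDT = v.MANDT AND c.LAND1 = v.LAND1
        WHERE v.ERNAM = ?
        ORDER BY v.LIFNR""", (created_by,)).fetchall()


def dependent_lookup(con, created_by):
    """Dependent direction: LFB1's foreign key LIFNR joins LFA1's primary key.
    One vendor can match several company codes, or none at all."""
    return con.execute("""
        SELECT v.LIFNR, d.BUKRS
        FROM LFA1 AS v
        JOIN LFB1 AS d ON d.MANDT = v.MANDT AND d.LIFNR = v.LIFNR
        WHERE v.ERNAM = ?
        ORDER BY v.LIFNR, d.BUKRS""", (created_by,)).fetchall()


def vendors_without_dependent_rows(con, created_by):
    """Vendors that the inner join in dependent_lookup leaves out."""
    rows = con.execute("""
        SELECT v.LIFNR
        FROM LFA1 AS v
        LEFT JOIN LFB1 AS d ON d.MANDT = v.MANDT AND d.LIFNR = v.LIFNR
        WHERE v.ERNAM = ? AND d.LIFNR IS NULL
        ORDER BY v.LIFNR""", (created_by,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    print("reference :", reference_lookup(db, "ZHAOBR"))
    print("dependent :", dependent_lookup(db, "ZHAOBR"))
    print("dropped   :", vendors_without_dependent_rows(db, "ZHAOBR"))
```

With an equality join to a dependent table, one vendor can appear several times and a vendor without dependent rows does not appear at all, which is worth checking in the ad-hoc query before a rule is built on the compound data source.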

     

     

    Next step is to perform an ad-hoc query to check whether the table data is being retrieved.

     

    DS3.JPG

    The results were retrieved successfully, meaning that the connection is okay.

     

    In the connectors tab, you can check the connectors assigned to this Data Source. You can have multiple Connectors assigned to one Data Source.

     

    DS4.JPG

    The Data Source must be active to be available in the Business Rule.

     

    DS5.JPG

     

    Creating a business rule:

     

     

    Select the Data Source created and press start.

     

    BR1.JPG

     

    I chose the data I have selected in the Data Source. Here you can choose the fields you want to monitor:

     

    BR2.JPG

     

    In the filter criteria, I only included the Name of person who Created the Object:

     

    BR3.JPG

     

    For the filter values, I chose ZHAOBR (include this range). I just want to include changes made by this user.

     

    BR4.JPG

     

    In the deficiency criteria, a handler must be selected in order to get changes from the target system. The table responsible for transport changes is SCU3.

     

    BR5.JPG

     

    Once selected, the fields must be shown in the Field Description.

     

    If the fields are not available, check in the target system whether the table LFA1 (the table used in this example) is active for log changes.

     

    Go to SE11 and type the table in the Database table field:

     

    se11.JPG

     

    Go to technical settings of the table:

     

    se112.JPG

     

    Enable Log Data Changes:

     

    se113.JPG

     

    Check whether SCU3 is logging LFA1 table after the changes:

     

    scu3.JPG

    If you still cannot see the deficiency fields after this procedure, check your GRCPINW support package level. An enhancement was made for capturing the table change log directly from SCU3. Apply SAP note 1796052 if you are under Support Package 10 of GRCPINW.

     

    Now, if we return to the Business Rules, the field descriptions are activated.

     

    BR6.JPG

    Conditions and Calculations

     

    In this step you can add further conditions to the Business Rule (BRFPlus). You can fully customize the BR according to your company's needs.

     

    Output Format

     

    In the output format you can define how the business rule will be shown.

     

    Technical settings:

     

    These settings basically affect the execution and performance of monitoring. It is always a best practice to test the performance of rules before transporting to production.

     

    1. Calculate deficiency -> Remotely

     

    It is used in the same way as in PC 3.0. The job collects data and applies the rule only to the returned data that the ERP defines as deficient. When the data volume is huge, this method helps to reduce the amount of data retrieved.

     

    2. Calculate deficiency -> Locally

     

    This is used for almost all the sub scenarios. It analyzes the data on Process Control side. Rules are applied on the Process Control side as well.

     

    3. Communication mode -> Async

     

    Process Control performs a job step (execution of a Business Rule) via RFC to the ERP system, and it is executed in background mode. When the execution is finished, RTA sends the result back via RFC to Process Control. It is a two-way communication.

     

    4. Communication mode -> Sync

     

    Most of the sub scenarios use this. It means that when a job step is executed, the work process waits for the result from the RFC call and processes it. In most cases, this is used to calculate deficiencies locally.

     

    5. Change log type

     

    Here you can include the change types you want the business rule to capture.

     

    Ad-hoc query

     

    Here you will test your business rule against all the criteria you have established.

     

    No data found.JPG

    The message is not an error. It means that the information for that timeframe was not found for that connector. Changing the timeframe to 2012 for example, I can find results.

     

    adhoc.JPG

     

    Based on my conditions and filters, the results shown are correct.

     

    Checking SCU3:

    scu32.JPG

     

    I can see the same results.

     

    After these steps, rules must be assigned to controls.

    SAP Integration Scenario for Secure Collaboration: Resource Center


    SAP Business Objects Governance, Risk and Compliance (GRC) application enables the customers to define policies or rules, and enforce these policies through provisioning services. SAP Access Control provides web services to enable the Identity Management (IdM) vendors to integrate for compliance provisioning. With the GRC-AC-IDM interface, the integration of SAP Access Control and IdM provides real time access management as a standard provisioning process across heterogeneous IT systems.

     

    SAP BusinessObjects GRC 10 is a major release in which Access Control is harmonized with Risk Management and Process Control on one common SAP NetWeaver ABAP platform. GRC AC 10 also improves the Identity Management (IdM) integration in compliant provisioning for customers already using IdM.

     

     

    Getting Started

    The SAP Integration and Certification Center (SAP ICC) highly recommends that ISVs and partners, who are interested in certifying an integration of their product with SAP solutions, begin with our page Getting Started with Integration and Certification that explains the SAP ICC services and describes the process how to obtain them. This page helps you select the correct integration scenario and contains technical information, streaming media presentations, step-by-step guides, and much more.

     

    Technical Documentation

    SAP Business Objects GRC AC 5.3

    GRC-AC-IDM was introduced as a certifiable interface in this release. The GRC-AC-IDM test plan describes in detail the requirements for the certification test.

    In addition to the technical interface specifications, please also refer to the applicable SAP Solution Manager Ready integration criteria.

     

    SAP GRC AC 10

    A new version of GRC-AC-IDM is available in this release. Certificates for earlier releases are no longer valid. Technical information on new APIs: SAP GRC AC 10 Integration Guide document.

     

    Test System Recommendation from ICC

    SAP RAC Service:

    The quickest way to gain access to an SAP system suitable for integration testing is via the SAP Remote Access and Connectivity Service (SAP RAC), which provides access to shared and exclusive-use hosted test systems.

     

    Description about available test system options:

    Read SAP ICC consultant Martin Vierling's blog, where you can find the options for hosted SAP test systems and recommendations on whether the hosted test system option is suitable for your certification.

     

    Price List

    15,000 Euros per certification (Euro currency applicable to all countries). To understand all services and benefits included in this fee, please refer to the Getting Started Page.

     

    Benefits of Certification

    Customers using SAP-certified solutions in their SAP environment, as well as the ISVs and partners offering these, experience great benefits such as shorter implementation times, technical enablement, and marketing assets that certification provides.

     

    Please visit the 'Certification Benefits overview page' for more information.

     

    Related Content

    Important Links: This is the central homepage for SAP Security and Identity Management on SDN.

    SAP Training and Help: Please refer to SAP Education Course Name: GRC 030 SAP Business Objects Access Control 5.3 - Overview; GRC 300 SAP GRC Access Control 5.3 - Implementation and Configuration

     

    ICC Webinar: You are invited to join our introductory webinars, hosted by the SAP Integration and Certification Center at regular intervals. For a schedule and recordings go to the page "SAP Integration and Certification Webinar Series".

     

    Apply for ICC Services right away - please fill in the SAP ICC online application form.

    Partner Information Center: Certified solutions can be found in the Partner Information Center (PIC).

    GRC EAM Owner Assignment Issue


    Hi All,

     

    I’ve been working my way through the installation and configuring of GRC 10 SPS14 for the last few days now and thought I’d share a few points in regards to the setup of EAM.

     

    A common issue for GRC EAM that I also faced was that my user (FF_OWNER) would not appear in the Select Owner ID search help.  If you are experiencing this issue please check the following configurations.

     

    1. IMG -> GRC -> AC -> Maintain Configuration Settings

     

    pic_1.png

     

    Ensure the following parameters are set:

     

    Parameter

    Value

    Application type

    1

    Default Firefighter Validity Period (Days)

    30

    Send Email Immediately

    YES

    Retrieve Change Log

    YES

    Retrieve System log

    YES

    Retrieve Audit log

    YES

    Retrieve OS Command log

    YES

    Send Log Report Execution Notification Immediately

    YES

    Send Firefight Id Login Notification

    YES

    Log Report Execution Notification

    YES

    Firefighter ID role name

    Z:SAP_GRAC_SPM_FFID

     

    For more information please refer to the following guide:

    https://websmp102.sap-ag.de/~sapdownload/011000358700000997872011E/AC10_ConfigSettings_SP10.pdf

     

    2. IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings

     

    pic_2.pngpic_3.png

    pic_4.png

     

     

    Note: I’m assuming you have created and tested your connectors as outlined in the GRC post configuration guide.

     

    3. Required roles for GRC EAM

     

    Z:GRAC_SUPER_USER_MGMT_OWNER

    Super User  Owner Role

    Z:GRAC_SUPER_USER_MGMT_CNTLR

    Super User Controller  Role

    Z:GRAC_SUPER_USER_MGMT_USER

    Super User Firefighter

    Z:SAP_GRAC_BASE

    Base Role for all Access Control Users

    Z:SAP_GRC_NWBC

    Governance, Risk, & Compliance - NWBC

    Z:SAP_GRAC_SPM_FFID

    GRC Emergency Access Management Fire-Fighter

    Z:SAP_GRC_FN_BASE

    Base role to run GRC applications

     

    Note: These roles have been copied into the customer namespace from standard SAP Roles.

     

    4. Users

     

    For test purposes, I’ve created three users:

     

    FF_OWNER:

    • Z:GRAC_SUPER_USER_MGMT_OWNER
    • Z:SAP_GRAC_BASE
    • Z:SAP_GRC_NWBC
    • Z:SAP_GRC_FN_BASE

     

    FF_CONTROL:

    • Z:GRAC_SUPER_USER_MGMT_CNTLR
    • Z:SAP_GRAC_BASE
    • Z:SAP_GRC_NWBC
    • Z:SAP_GRC_FN_BASE

     

    FF_SUPER:

    • Z:GRAC_SUPER_USER_MGMT_USER
    • Z:SAP_GRAC_BASE
    • Z:SAP_GRC_NWBC
    • Z:SAP_GRC_FN_BASE

     

    5. AM -> Access Control Owners

     

    You need to configure each user as the owner of their particular "Owner Type":

    pic_5.png

    pic_6.png

     

     

    6. When assigning a new Owner, you should now get the following

     

    pic_7.png

     

    Hope it helps!

     

    Cheers,

     

    Sam

    Featured Content for SAP Fraud Management


    Extended Anti-Corruption Content with SAP Fraud Management Release 1.1 SP01

    This week SAP Fraud Management was released to customers in Release 1.1, Support Package 01. SAP Fraud Management, powered by SAP HANA, combines an intelligent and efficient infrastructure for detecting fraud and supporting investigation with the speed and power of the SAP HANA database. With Release 1.1 SP01 of SAP Fraud Management, additional content is available for strengthening your compliance efforts with anti-corruption laws and regulations such as the US Foreign Corrupt Practices Act of 1977 or the United Kingdom’s Anti-Bribery Act of 2010.

     

    Experience the SAP HANA application SAP Fraud Management at zero cost

    Now you can explore SAP Fraud Management completely free in the cloud. Visit the SAP HANA marketplace to order your free trial access, and within less than two hours you can log on. In this new blog post, Katrin Oswald provides an overview.

     

    SAP Fraud Management @HANA

    SAP Fraud Management is a cross industry solution to analyze, detect, investigate, and prevent fraud and irregularities in ultra-high data environments. For more read this blog by Christian Gschloessl.

     

    SAP Fraud Management Overview Video

    Learn how SAP Fraud Management, an application for detecting, investigating, and deterring fraud is powered by the SAP HANA platform.

     


    Crosscheck configuration when Agent assignment is missing


    1. Go to the IMG and open the IMG documentation for the highlighted activity:

    a1.JPG

     

    2. Perform the following steps from the documentation in your system:

     

    a2.JPG

    LDAP Group parameter mapping.. what does it mean?


    When LDAP is configured as a data source in GRC 10, the group parameter mapping must be configured.

     

    For instance, the group parameter "User: OC" has a value of "person".

     

    What does it mean?

     

    It means that the search for LDAP records will only bring back to the application those entries for which the "objectClass" is "person".

     

    In other words, the entries are for users. In the same way, the search can be configured to bring back only roles, by maintaining the group parameter "Roles: OC" with a value of "group".
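An added sketch (not SAP code and not part of the original document) of what the "User: OC" and "Roles: OC" values do in an LDAP search. The directory entries are constructed, and the third one assumes an Active Directory style computer account, whose objectClass list also contains person.

```python
# Group parameter mapping as described above: parameter name -> objectClass value.
GROUP_PARAMETERS = {"User: OC": "person", "Roles: OC": "group"}

# Constructed directory entries. objectClass is multi-valued; the third entry
# imitates an Active Directory computer account (an assumption about the
# directory product, which the page does not name).
ENTRIES = [
    {"dn": "cn=jdoe,ou=People,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"]},
    {"dn": "cn=AP_CLERK,ou=Groups,dc=example,dc=com",
     "objectClass": ["top", "group"]},
    {"dn": "cn=WS001,ou=Computers,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
    {"dn": "ou=People,dc=example,dc=com",
     "objectClass": ["top", "organizationalUnit"]},
]

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is taken literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(parameter):
    """Return the search filter that a group parameter mapping stands for."""
    return "(objectClass=%s)" % escape_filter_value(GROUP_PARAMETERS[parameter])


def search(entries, parameter):
    """Return the DNs of entries that list the mapped objectClass value.
    objectClass values are compared without regard to case."""
    wanted = GROUP_PARAMETERS[parameter].lower()
    return [entry["dn"] for entry in entries
            if any(oc.lower() == wanted for oc in entry["objectClass"])]


if __name__ == "__main__":
    for name in GROUP_PARAMETERS:
        print(name, build_filter(name), search(ENTRIES, name))
```

Because objectClass is multi-valued, the "User: OC" search returns every entry that lists person among its classes, here including the constructed computer account, so the mapped value decides what the application treats as a user.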

     

    ldap1.JPG

     

     

    ldap2.JPG

    Sample DB Lookup for BRF plus "No role Owner" rule.


    1. Create a new expression of type ‘DB Lookup’ in your existing initiator rule

     

    brf1.JPG

     

    2. Provide a name and description for your DB lookup and fill in the following details

     

    brf2.JPG

     

     

    3. Once the DB lookup is created and activated, open your decision table and click on the ‘Table Settings’ button. In your table settings, use ‘Insert Column’ as shown below

     

    brf3.JPG

     

    4. Select the newly created DB Lookup as a new column

     

    brf4.JPG

     

     

    brf5.JPG

     

     

    5. Now in your decision table you can have the first row for roles without role owners, and the rest of the table can remain the same as in your existing rule

     

     

    brf6.JPG

    Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool


    The GRC 10 application makes use of the BRF+ tool to create rules which are used to customize agents, initiators, detours, HR trigger, etc.

     

    For the HR trigger rules specifically, there are certain values that can be maintained in the decision table of the HR Trigger BRF+ rule in order to capture the employee changes performed via HR transaction PA40.

     

    Below is an example/suggestion of decision table conditions for: New Hire (CRE), Termination (TER) and Position Change (CHN)

     

    hr_dt.jpg
