TRANSCRIPT
SAP KPS: SAP GRC AC 10.0 Business Role Governance (March 2011)
SAP GRC Access Control Pre-Implementation Steps: From Post-Installation to First Role Creation
© 2011 SAP AG. All rights reserved. 3
Agenda
• Introduction to SAP GRC Access Control 10.0
  • SAP Access Control 10.0 Architecture
  • SAP Access Control 10.0 Business Role Governance
• New Enhancements for Business Role Governance (SAP Access Control 10.0 Business Role Governance)
• Access Control Pre-Implementation Steps: From Post-Installation to First Role Creation (Technical Configuration & Functional Configuration)
• Design and Manage Roles
Introduction to SAP GRC Access Control 10.0: SAP Access Control 10.0 Architecture Overview
GRC 10.0 Landscape: Technical Architecture Overview (diagram; the recoverable component list follows)
SAP GRC Suite 10.0 on SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A); GTS (software component SLL-LEG); Nota Fiscal Eletronica (software component SLL-NFE); CLM (software component POASBC).
Connected back-end systems: SAP ERP (4.6C – 7.1) with NW Function Modules (plug-in GRCPINW), HR Function Modules / PC Automated Controls (plug-in GRCPIERP) and the GTS plug-in (SLL-PI); non-SAP business applications via an adapter; Identity Management solutions (SAP or non-SAP, optional). Connections use RFC, HTTP/web services and DIAG.
Optional components: SAP NW Portal 7.01 (GRC Portal Content); SAP NW BW 7.02 with BI Content 7.06 (GRC BI Content); SAP NetWeaver 7.02 Search/Classification (GRC Search, recommended for GTS SPL); SAP NW Java 7.01 Adobe Document Services (required for RM and GTS); SAP NetWeaver PI Nota Fiscal Content (required for Nota Fiscal Eletronica).
Front-end client: SAP GUI 7.10, web browser, NWBC 3.0, Adobe Flash Player, Crystal Reports Adapter (CRA*).
* Crystal Reports Adapter – needed for viewing GRC Crystal Reports
New Enhancements for Business Role Governance (SAP Access Control 10.0 Business Role Governance)
New Features / Changes (separate discussions): Certification, Provisioning Enhancements, Role Mapping, SAP Role Maintenance, Role Derivation, Role Update / Mass Role Derivation, CUA Composite Roles, Additional Features
Role Management Customizing: Settings, BRF+, Workflow, Role Owner
10.0 New / Enhanced Features
• Central Role Repository for AC
• Enhanced Mass Role Import: option to import directly from the back-end system, minimizing manual effort; improved options for file-based import; common, Excel-based import format for all role types
• Enhanced Role Maintenance Methodology: enhanced user experience; ability to repeat phases in the methodology process; ability to update methodology and approvers for existing roles
• Business Role Management: definition, risk analysis, impact analysis and provisioning; unlimited hierarchy support
• CUA Composite Roles
• Improved integration with PFCG: leveraging the rich features of authorization maintenance in PFCG; segregation of the authorization maintenance system from the golden client (development system)
• Enhanced Role Search and POWL
• Role Certification
• Enhanced Role Derivation: derivation without org. levels; ability to select org. value maps based on range values
• Enhanced Mass Maintenance: ability to update multiple attributes at a time; support for an enhanced list of attributes for mass update; enhanced mass update options for actions (t-codes), permissions and org. level values; ability to mass synchronize authorizations
• Enhanced Role Comparison: ability to compare multiple roles on multiple back-end systems; ability to reconcile discrepancies by synchronizing roles to and from back-end systems
• Enhanced Default Roles
• Enhanced Risk Analysis: common risk analysis UI and ability to support multiple rule sets
• Enhanced Role Approval Workflow
• BAdIs at major integration points
• Object Level Security
• Miscellaneous: Where-used roles and Assigned Users tabs; role existence; role generation history; role export to Excel; ability to propagate authorizations; ability to link URLs to test documentation
Introduction to SAP GRC Access Control 10.0: SAP Access Control 10.0 Business Role Governance
Business Role Governance
Access Control offers scalable and collaborative business role modeling, supporting both technical and business users. It supports the design of centralized, compliant roles through a robust role governance process.
Key Benefits
• Collaborative role governance process closes the loop between business and technical owners
• Enforces segregation of duties from the ground up by starting with clean role definitions
• Streamlines role definition and management
• Optimizes role definition and reduces role redundancy
Solution Enhancements
• New centralized business role management with embedded access risk analysis
• Enhanced process for mapping technical access authorizations to business functions
• New role design and flexible role building workflows, including preventative simulations
• New ability to analyze role usage for optimal assignment and to keep role definitions up to date
• Improved role comparison to detect back-end changes, providing role consistency, synchronization and compliance
• New process for periodic role certification
Business Role Examples (diagram; each box is a business role)
Account Executive, Sales Manager, Sales Executive / Management, Territory Sales Executive, Inside Sales Executive, Territory Sales Manager, Senior Sales Management, Business Champion, Services Account Manager, Enablement Executive, Solution Sales Engagement Manager, Inside Sales Executive – Services, Inside Sales Executive – Education, Services Sales Manager, Education Manager, Services Key User / Power User, CRM Key User, Non-Sales Executive / Management, Board Member
Access Control Pre-Implementation Steps: From Post-Installation to First Role Creation
Contents
• Adding Connector to Work Area Scenario
• Associate Actions and Assign Default Connectors for Access Control
• Activate the BC Sets
• Verifying Default Configuration Parameters
• Configure Role Management
• Customize the Role Attributes
• Assigning Roles and Maintaining AC Owners
• Create Role Approval Workflow
• Creating the First Role
• Optional: Create the BRF+ Function; Define the Methodology Process and Steps
• Additional Tasks: Synchronizing Users, Roles
Adding Connector to Work Area and Assign Default
Adding Connector to Work Area Scenario
For Role Management, the ROLMG, AUTH and PROV work areas must be linked to the connector. This is done via the IMG.
Assigning Connector to Connector Groups
Define connectors, define connector groups, then select the logical group and go to “Assign Connectors to Connector Groups” to link a system.
Associate Actions and Assign Default Connectors for Access Control 10.0
Create a connector group and activate the group. Assign actions to connectors in the connector groups and assign a default connector for each action.
Activate the BC Sets
Rule sets are enabled using BC Sets via transaction code SCPR20. It is required, up front, to activate the BC Sets; this is described in the GRC 10.0 Post-Installation Deck. The BC Sets for Role Management are:
• GRAC_ROLE_MGMT_LANDSCAPE
• GRAC_ROLE_MGMT_METHODOLOGY
• GRAC_ROLE_MGMT_PRE_REQ_TYPE
• GRAC_ROLE_MGMT_ROLE_STATUS
• GRAC_ROLE_MGMT_SENSITIVITY
Verifying Default Configuration Parameters
Check that the configuration parameters related to Role Management are set according to the company’s requirements.*
* It is not mandatory to maintain these parameters.
Configure Role Management
Role Management Configuration: Introduction
Navigate to the IMG by executing SPRO and clicking ‘SAP Reference IMG’, then navigate to ‘Governance, Risk and Compliance > Access Control > Role Management’.
Role Management Configuration: Maintain Labels for Role Types
Role type description and language can be maintained.
Role Management Configuration: Specify Maximum Length for Role Type
Define the maximum length of the role name for each role type, per application type.
Role Management Configuration: Specify Naming Conventions (1 of 2)
Role naming conventions for all role types can be maintained and are applied to new roles.
Create Naming Convention
Role Management Configuration: Specify Naming Conventions (2 of 2)
Maintain the naming convention format and the position of each element within the role name.
Role Management Configuration: Maintain Project and Product Release Name
Project and product release names can be maintained and used to describe the role.
Role Management Configuration: Define Role Sensitivity
Role sensitivity levels can be maintained and used as a role attribute.
Configure Role Management (summary)
• Maintain Role Type Settings
  • Activate role types (mandatory)
  • Maintain role types (optional)
  • Define the maximum length for the role types per application
Customize the Role Attributes
• Defining Business / Sub-Processes (mandatory)
• Specifying Naming Convention (optional)
• Defining Role Attributes: Maintain Project Release (mandatory); Role Sensitivity (optional); Critical Level (optional); Companies (optional); Functional Areas (optional); Prerequisite Types (optional)
• Creating Organizational Value Mapping (optional)
Assigning Roles and Maintaining Access Control Owners
Creating Users and Assigning Roles
The persons responsible for role content need to be created as users, with their respective roles, in the AC system. Please note: the roles listed below are provided as examples; customer roles should be created based on the authorizations their end users require.
User in the AC system: the user who is the role owner
Roles: SAP_GRAC_ROLE_MGMT_ROLE_OWNER, SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER
Maintaining AC Owners
After this is done, it is possible to assign owners to roles.
Create Role Approval Workflow
A default workflow process can be used to easily set up the approval workflow for the role content.
Select the Workflow Process: SAP_GRAC_ROLE_APPR
Create Role Approval Workflow (Default)
Maintain the agent ID GRAC_ROLE_APPROVER and the task settings, then save and activate the workflow.
Creating the First Role
Now we should be prepared to create a role. Go to the Access Management work center and select Role Maintenance.
Customize the Methodology Process (optional) and Create the BRF+ Function (optional)
The customizing steps for “BRF+ Rule Creation” and “Methodology Process Definition” are not necessary when the default methodology process is used for all roles.
Customize the Methodology Process (optional)
Create the BRF+ Function (optional)
Run the program GRAC_GENERATE_ERM_BRFRULE to create the BRF+ application and function.
Create the BRF+ Function (optional), continued
Define the decision table for the methodology process.
Define the Methodology Process and Steps (optional)
Create the different methodology processes and include the required steps in each.
Assign the BRF+ Rule to the Methodology Process (optional)
• Assign the BRF+ condition group ID to the methodology process ID
• Assign the BRF+ application name and the BRF+ function name to the condition group “METHODOLOGY”
Additional Tasks: Synchronizing Users and Roles (optional)
Synchronize the users and roles from the back-end system into AC to see the assigned users in Role Management and the status of the roles. Use transaction code SE38 to run the programs GRAC_ROLEREP_USER_SYNC and GRAC_ROLEREP_ROLE_SYNC.
Note: Run this in “Full Sync Mode” for the first, initial synchronization. Later synchronizations can be done in “Incremental Mode” and should be run periodically to keep the AC system up to date.
THANK YOU!
References
• SAP Community Network: SDN/BPX: www.sdn.sap.com/irj/bpx; GRC Forum: http://forums.sdn.sap.com/index.jspa; E-Learning: http://www.sdn.sap.com/irj/scn/grc-elearning
• SAP: www.sap.com/usa/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
• GRC Help: http://help.sap.com > SAP Business User > GRC Solutions
• RKT: https://service.sap.com/RKT
• Email: [email protected]
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun MicroSystems, Inc.
JavaScript is a registered trademark of Sun MicroSystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.