Maintaining Configuration Settings in Access Control

© 2014 SAP AG

Applies to: Access Control 10.1 SP08

Summary: This guide contains additional information about the parameters used when configuring Access Control. The information covers the configuration parameters available as of Access Control 10.1.

Created: February 2015

Version 1.6.0


  • 2015 SAP AG

    Document History

    | Document Version | Description |
    | --- | --- |
    | 1.00 | Initial release |
    | 1.10 | Modified parameter 1048, 1049, 1050 |
    | 1.20 | Modified parameter 2013 |
    | 1.30 | Added parameter 5031 |
    | 1.40 | Added parameter 1124, 5026, 5027, 5028, 5032 |
    | 1.4.1 | Added parameter 1014, 1047, 1125, 1073, 2008, 3027, 4016, 4017, 4019, 5022, 5023 |
    | 1.5.0 | Removed parameter 1000; added parameter 1015, 1054; updated parameter 1071; added parameter 1302, 2048, 2060, 2061, 2401, 3028, 4018, 5033 |
    | 1.6.0 | Modified parameter 1050; added parameter 1126, 1127, 2020, 4020 |

    Typographic Conventions

    | Type Style | Description |
    | --- | --- |
    | Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation |
    | Example text | Emphasized words or phrases in body text, graphic titles, and table titles |
    | Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. |
    | Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation. |
    | | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. |
    | EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER. |

    Icons

    | Icon | Description |
    | --- | --- |
    | | Caution |
    | | Note or Important |
    | | Example |
    | | Recommendation or Tip |

    Table of Contents

    1. Maintain Configuration Settings

    1.1 Standard Settings

    1.2 Activities

    1.3 Details of Configuration Parameters

    2. Copyright

  • Maintaining Configuration Settings in Access Control 10.1

    February 2015

    1. Maintain Configuration Settings

    This document covers the use of the Customizing activity available through the transaction SPRO. Access the Maintain Configuration Settings activity under Governance, Risks, and Compliance > Access Control.

    In this activity, you maintain the global configuration settings and parameters used in Access Control. The activity includes settings for the following parameter groups:

    01 Change Log
    02 Mitigation
    03 Risk Analysis
    04 Risk Analysis - Spool
    05 Workflow
    06 Emergency Access Management
    07 UAR Review
    08 Performance
    09 Risk Analysis - Access Request
    10 Role Management
    11 Risk Analysis - Risk Terminator
    12 Access Request Role Selection
    13 Access Request Default Roles
    14 Access Request Role Mapping
    15 SOD Review
    16 LDAP
    17 Assignment Expiry
    18 Access Request Training Verification
    19 Authorizations
    20 Access Request Business Role
    21 Management Dashboard Reports
    22 Access Request Validations
    23 Simplified Access Request
    24 Access Control General Settings

    1.1 Standard Settings

    The following table lists the delivered parameters and default values.

    Note: Values labeled as have no default value.

    | Parameter Group | Parameter ID | Description | Default Value |
    | --- | --- | --- | --- |
    | Change Log | 1001 | Enable Function Change Log | YES |
    | Change Log | 1002 | Enable Risk Change Log | YES |
    | Change Log | 1003 | Enable Organization Rule Log | YES |
    | Change Log | 1004 | Enable Supplementary Rule Log | YES |
    | Change Log | 1005 | Enable Critical Role Log | YES |
    | Change Log | 1006 | Enable Critical Profile Log | YES |
    | Change Log | 1007 | Enable Rule Set Change Log | YES |
    | Change Log | 1008 | Enable Role Change Log | YES |
    | Change Log | 5001 | SLG1 Logs for HR Trigger | HIGH |
    | Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365 |
    | Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO |
    | Mitigation | 1013 | Consider System for mitigation assignment | NO |
    | Mitigation | 1014 | Enable separate authorization check for mitigation from access request | NO |
    | Mitigation | 1015 | Get data for Invalid Mitigation Report from Management Summary table | NO |
    | Risk Analysis | 1021 | Consider Org Rules for other applications | NO |
    | Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | |
    | Risk Analysis | 1023 | Default report type for risk analysis | 2 |
    | Risk Analysis | 1024 | Default risk level for risk analysis | 3 |
    | Risk Analysis | 1025 | Default rule set for risk analysis | |
    | Risk Analysis | 1026 | Default user type for risk analysis | A |
    | Risk Analysis | 1027 | Enable Offline Risk Analysis | NO |
    | Risk Analysis | 1028 | Include Expired Users | NO |
    | Risk Analysis | 1029 | Include Locked Users | NO |
    | Risk Analysis | 1030 | Include Mitigated Risks | NO |
    | Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES |
    | Risk Analysis | 1032 | Include Reference user when doing user analysis | YES |
    | Risk Analysis | 1033 | Include Role/Profile Mitigating Controls in Risk Analysis | YES |
    | Risk Analysis | 1034 | Max number of objects in a package for parallel processing | 100 |
    | Risk Analysis | 1035 | Send e-mail notification to the monitor of the updated mitigated object | YES |
    | Risk Analysis | 1036 | Show all objects in Risk Analysis | NO |
    | Risk Analysis | 1037 | Use SoD Supplementary Table for Analysis | YES |
    | Risk Analysis | 1038 | Consider FF Assignments in Risk Analysis | YES |
    | Risk Analysis | 1046 | Extended objects enabled connector | |
    | Management Dashboard Reports | 1047 | Default Management Report Violation Count | P |
    | Risk Analysis | 1048 | Business View for Risk Analysis is Enabled | NO (Technical View) |
    | Management Dashboard Reports | 1049 | Default Management Report Risk Type | ALL |
    | Risk Analysis | 1050 | Default Report View for Risk Analysis | Remediation View |
    | Risk Analysis - Spool | 1051 | Max number of objects in a file or database record | 200000 |
    | Risk Analysis - Spool | 1052 | Spool File Location | |
    | Risk Analysis - Spool | 1053 | Spool Type | D |
    | Risk Analysis - Spool | 1054 | Max number of violations supported in Organization Rule Analysis | 500000 |
    | Workflow | 1061 | Mitigating Control Maintenance | NO |
    | Workflow | 1062 | Mitigation Assignment | NO |
    | Workflow | 1063 | Risk Maintenance | NO |
    | Workflow | 1064 | Function Maintenance | NO |
    | Risk Analysis - Access Request | 1071 | Enable risk analysis on form submission | NO |
    | Risk Analysis - Access Request | 1072 | Mitigation of critical risk required before approving the request | NO |
    | Risk Analysis - Access Request | 1073 | Enable SoD violations detour on risks from existing roles | NO |
    | Risk Analysis - Risk Terminator | 1080 | Connector enabled for Risk Terminator | |
    | Risk Analysis - Risk Terminator | 1081 | Enable Risk Terminator for PFCG Role Generation | NO |
    | Risk Analysis - Risk Terminator | 1082 | Enable Risk Terminator for PFCG User Assignment | NO |
    | Risk Analysis - Risk Terminator | 1083 | Enable Risk Terminator for SU01 Role Assignment | NO |
    | Risk Analysis - Risk Terminator | 1084 | Enable Risk Terminator for SU10 multiple User Assignment | NO |
    | Risk Analysis - Risk Terminator | 1085 | Stop role generation if violations exist | NO |
    | Risk Analysis - Risk Terminator | 1086 | Comments are required in case of violations | NO |
    | Risk Analysis - Risk Terminator | 1087 | Send Notification in case of violations | NO |
    | Risk Analysis - Risk Terminator | 1088 | Default report type for Risk Terminator | 2 |
    | Authorizations | 1100 | Enable authorization logging | NO |
    | Workflow | 1101 | Create Request for Risk Approval | 12 |
    | Workflow | 1102 | Update Request for Risk Approval | 13 |
    | Workflow | 1103 | Delete Request for Risk Approval | 14 |
    | Workflow | 1104 | Create Request for Function Approval | 15 |
    | Workflow | 1105 | Update Request for Function Approval | 16 |
    | Workflow | 1106 | Delete Request for Function Approval | 17 |
    | Workflow | 1107 | Create Request for Mitigation Assignment Approval | 18 |
    | Workflow | 1108 | Update Request for Mitigation Assignment Approval | 19 |
    | Workflow | 1109 | Delete Request for Mitigation Assignment Approval | 20 |
    | Workflow | 1110 | High | 2 |
    | Workflow | 1111 | High | 3 |
    | Workflow | 1112 | High | 4 |
    | Workflow | 1113 | Access Control E-mail Sender | WF-BATCH |
    | Authorizations | 1114 | Display Authorization Message in Reports | YES |
    | Performance | 1120 | Batch size for Batch Risk Analysis | 1000 |
    | Performance | 1121 | Batch size for User Sync | 1000 |
    | Performance | 1122 | Default batch size for Role Synchronization | 1000 |
    | Performance | 1123 | Default batch size for Profile Synchronization | 1000 |
    | Performance | 1124 | Default batch size for Authorization Synchronization | 1000 |
    | Performance | 1125 | Pre-aggregate Access Risk Information | NO |
    | Performance | 1126 | Number of background jobs created for one Ad-Hoc Risk Analysis job | 1 |
    | Performance | 1127 | Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis | 1000 |
    | UAR Review | 2004 | Request Type for UAR | |
    | UAR Review | 2005 | Default Priority | UAR_PRIORITY |
    | UAR Review | 2006 | Who are the reviewers? | MANAGER |
    | UAR Review | 2007 | Admin. review required before sending tasks to reviewers | YES |
    | UAR Review | 2008 | Number of line items per UAR request | 100 |
    | Access Request Default Roles | 1302 | Add default roles only for systems specified in the access request | NO |
    | Access Request Default Roles | 2009 | Consider Default Roles | YES |
    | Access Request Default Roles | 2010 | Request type for default roles | |
    | Access Request Default Roles | 2011 | Default Role Level | REQ&ROL |
    | Access Request Default Roles | 2012 | Role Attributes | |
    | Access Request Default Roles | 2013 | Request Attributes | |
    | Access Request Role Mapping | 2014 | Enable Role Mapping | YES |
    | Access Request Role Mapping | 2015 | Applicable to Role Removals | YES |
    | SOD Review | 2016 | Request Type for SoD | |
    | SOD Review | 2017 | Default priority for SoD | |
    | SOD Review | 2018 | Who are the reviewers? | MANAGER |
    | SOD Review | 2019 | Admin. review required before sending tasks to reviewers | YES |
    | SOD Review | 2020 | Unique number of line items per SOD request (Maximum 9999) | |
    | SOD Review | 2023 | Is actual removal of role allowed? | YES |
    | Access Request Training Verification | 2024 | Training and verification | |
    | Access Request Role Selection | 2031 | Allow All Roles for Approver | YES |
    | Access Request Role Selection | 2032 | Approver Role Restriction Attribute | |
    | Access Request Role Selection | 2033 | Allow All Roles for Requestor | YES |
    | Access Request Role Selection | 2034 | Requestor Role Restriction Attribute | |
    | Access Request Role Selection | 2035 | Allow Role Comments | YES |
    | Access Request Role Selection | 2036 | Role Comments Mandatory | YES |
    | Access Request Role Selection | 2037 | Display expired roles for existing roles | YES |
    | Access Request Role Selection | 2038 | Auto Approve Roles without Approvers | YES |
    | Access Request Role Selection | 2039 | Search Role by Transactions from Backend System | NO |
    | Access Request Role Selection | 2040 | Assignment Comments mandatory on rejection | NO |
    | Assignment Expiry | 2041 | Duration for assignment expiry in Days | |
    | Access Request Role Selection | 2042 | Visibility of Valid from/Valid to for profiles | 0 |
    | Access Request Role Selection | 2043 | Authorization object for role search - provisioning | GRAC_ROLED |
    | Access Request Role Selection | 2044 | Display profiles in Existing Assignments, My Profile and Model User | YES |
    | Access Request Role Selection | 2045 | Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile | 010 |
    | Access Request Role Selection | 2046 | Field type for business process and system fields, in access request role search | |
    | Access Request Role Selection | 2047 | Filter Business Process and systems based on application area | NO |
    | Access Request Role Selection | 2048 | Default provisioning environment for business role | |
    | Performance | 2050 | Enable Real time LDAP Search for Access Request User | NO |
    | Workflow | 2051 | Enable User ID Validation in Access Request Against Search Data Sources | YES |
    | Performance | 2060 | Organization Rules - Maximum allowed to be generated in foreground | 50000 |
    | Performance | 2061 | Duration for display of confirmation message (in milliseconds) | 1000 |
    | LDAP | 2052 | Use LDAP domain forest | NO |
    | Role Management | 3000 | Default Business Process | |
    | Role Management | 3001 | Default Sub process | |
    | Role Management | 3002 | Default Criticality Level | |
    | Role Management | 3003 | Default Project Release | |
    | Role Management | 3004 | Default Role Status | |
    | Role Management | 3005 | Reset Role Methodology when Changing Role Attributes | NO |
    | Role Management | 3006 | Allow add functions to an authorization | YES |
    | Role Management | 3007 | Allow editing organizational level values for derived roles | NO |
    | Role Management | 3008 | A ticket number is required after authorization data changes | YES |
    | Role Management | 3009 | Allow Role Deletion from back-end system | YES |
    | Role Management | 3010 | Allow attaching files to the role definition | YES |
    | Role Management | 3011 | Conduct Risk Analysis before Role Generation | YES |
    | Role Management | 3012 | Allow Role Generation on Multiple Systems | NO |
    | Role Management | 3013 | Use logged-on user credentials for role generation | NO |
    | Role Management | 3014 | Allow role generation with Permission Level violations | NO |
    | Role Management | 3015 | Allow role generation with Critical Permission violations | NO |
    | Role Management | 3016 | Allow role generation with Action Level violations | NO |
    | Role Management | 3017 | Allow role generation with Critical Action violations | NO |
    | Role Management | 3018 | Allow role generation with Critical Role/Profile violations | NO |
    | Role Management | 3019 | Overwrite individual role Risk Analysis results for Mass Risk Analysis | NO |
    | Role Management | 3020 | Role certification reminder notification | 10 |
    | Role Management | 3021 | Directory for mass role import server files | |
    | Workflow | 3022 | Request Type for Role Approval | 21 |
    | Workflow | 3023 | Priority for Role Approval | 5 |
    | Role Management | 3024 | Enforce methodology process for derived roles during generation | YES |
    | Role Management | 3025 | Allow selection of Org. Value Maps without leading org. | NO |
    | Role Management | 3026 | Save Role Provisioning Details While Copying Role | YES |
    | Role Management | 3027 | Automate authorization copy from master role to derived roles. | NO |
    | Role Management | 3028 | Generate derived roles after Creation/Update | NO |
    | Emergency Access Management | 4000 | Application Type | 1 |
    | Emergency Access Management | 4001 | Default Firefighter Validity Period (in days) | |
    | Emergency Access Management | 4002 | Send E-mail Immediately | YES |
    | Emergency Access Management | 4003 | Retrieve Change Log | YES |
    | Emergency Access Management | 4004 | Retrieve System Log | YES |
    | Emergency Access Management | 4005 | Retrieve Audit Log | YES |
    | Emergency Access Management | 4006 | Retrieve O/S Command Log | YES |
    | Emergency Access Management | 4007 | Send Log Report Execution Notification Immediately | YES |
    | Emergency Access Management | 4008 | Send Firefight ID Logon Notification | YES |
    | Emergency Access Management | 4009 | Log Report Execution Notification | YES |
    | Emergency Access Management | 4010 | Firefighter ID Role Name | ZSAP_GRAC_SMP_FFID |
    | Access Request Business Role | 4011 | Allow deletion of technical roles if part of business roles | YES |
    | Emergency Access Management | 4012 | Default users for forwarding the Audit Log workflow | 2 |
    | Emergency Access Management | 4013 | Firefighter ID owner can submit request for Firefighter ID owned | YES |
    | Emergency Access Management | 4014 | Firefighter ID controller can submit request for Firefighter ID controlled | YES |
    | Emergency Access Management | 4015 | Enable decentralized Firefighting | NO |
    | Access Request Business Role | 4016 | Consider only the approved/completed version of a business role when provisioning | NO |
    | Emergency Access Management | 4017 | Enable CUP request number to show in Firefighter ID/Role Assignment Screen | YES |
    | Emergency Access Management | 4018 | Enable detailed application logging (SLG1) for Firefighter log synchronization programs | NO |
    | Emergency Access Management | 4020 | Send EAM log review workflow for blank firefighter sessions as well | NO |
    | Emergency Access Management | 5033 | Allow creation of firefighters with no controller | YES |
    | Access Request Business Role | 4019 | Exclude manual changes to role assignments or profiles from repository sync | NO |
    | Access Request Validations | 5021 | Validate the manager ID for the specified user ID. | YES |
    | Access Request Validations | 5022 | Consider the password change in access request | YES |
    | Access Request Validations | 5023 | Consider details from multiple data sources for missing user details in access requests | NO |
    | Access Request Validations | 5024 | Enable in-line editing for user group and parameters in Access Request | NO |
    | Access Request Validations | 5026 | Make system and provisioning actions visible for filtering user assignments for model users | NO |
    | Access Request Validations | 5027 | Default value for filtering by system | NO |
    | Access Request Validations | 5028 | Default value for filtering by provisioning action | NO |
    | Simplified Access Request | 5031 | Enable "Open in Advanced Mode" option | YES |
    | Simplified Access Request | 5032 | Disable Type-ahead search in Simplified Access Request | NO |
    | Access Control General Settings | 2401 | Allowed extensions for attachments | * |
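
The delivered defaults listed in section 1.1 can serve as a baseline when reviewing a system's settings. The following Python check is an added example and not part of the SAP guide: it compares an exported parameter snapshot with a subset of those defaults and reports drift. The CSV layout (`param_id,value,priority`), the sample rows, connector `NCACLNT002` and parameter `9999` are constructed assumptions.

```python
"""Baseline-drift check for Access Control configuration parameters (added example)."""
import csv
import io

# Delivered defaults copied from the Standard Settings table (subset only).
# None means the table lists no default value for that parameter.
DELIVERED_DEFAULTS = {
    "1001": "YES", "1002": "YES", "1003": "YES", "1004": "YES",
    "1005": "YES", "1006": "YES", "1007": "YES", "1008": "YES",
    "1011": "365", "1014": "NO", "1022": None, "1072": "NO",
    "1100": "NO", "2038": "YES", "2401": "*", "3011": "YES",
    "4003": "YES", "4004": "YES", "4005": "YES", "4006": "YES",
    "5033": "YES",
}

# The document history records parameter 1000 as removed in version 1.5.0.
REMOVED_PARAMETERS = {"1000"}

# Constructed sample export. The column layout is an assumption, not an SAP
# format; the priority column is carried along but not evaluated here.
SAMPLE_EXPORT = """\
param_id,value,priority
1001,YES,0
1005,no,0
1022,NCACLNT001,0
1022,NCACLNT002,1
1000,YES,0
2401,*,0
4005,NO,0
9999,X,0
"""


def load_snapshot(text):
    """Parse the export into {param_id: [value, ...]}; a parameter may repeat."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = row["param_id"].strip()
        snapshot.setdefault(pid, []).append(row["value"].strip())
    return snapshot


def audit(snapshot):
    """Return {param_id: (status, detail)} for every tracked or exported parameter."""
    report = {}
    for pid in sorted(set(snapshot) | set(DELIVERED_DEFAULTS)):
        values = snapshot.get(pid, [])
        shown = ", ".join(values)
        if pid in REMOVED_PARAMETERS:
            report[pid] = ("removed", "listed as removed; exported value(s): " + shown)
        elif pid not in DELIVERED_DEFAULTS:
            report[pid] = ("untracked", "not in the baseline; exported value(s): " + shown)
        elif not values:
            report[pid] = ("not_maintained", "no entry in the export")
        elif DELIVERED_DEFAULTS[pid] is None:
            report[pid] = ("site_specific", "no delivered default; review: " + shown)
        else:
            expected = DELIVERED_DEFAULTS[pid]
            # YES/NO style values are compared case-insensitively.
            drift = [v for v in values if v.upper() != expected.upper()]
            if drift:
                report[pid] = ("changed", "default %s, found %s" % (expected, ", ".join(drift)))
            else:
                report[pid] = ("default", expected)
    return report


def drift_only(report):
    """Keep the entries a reviewer should look at first."""
    return {pid: entry for pid, entry in report.items()
            if entry[0] in ("changed", "removed", "untracked")}


if __name__ == "__main__":
    for pid, (status, detail) in drift_only(audit(load_snapshot(SAMPLE_EXPORT))).items():
        print(pid, status, detail)
```

Parameters reported as `site_specific` (such as 1022, which can be entered several times) have no delivered default, so their values need a manual review rather than a comparison.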

    1.2 Activities

    To maintain the configuration settings:

    1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.

    2. In the Parameter ID column, select a parameter ID for use with the parameter group. The short description appears on the right-hand side.

    3. Select a Parameter Value from the dropdown list, or enter values in the field.

    4. In the Priority field, enter a number for the priority.

    5. Choose Save.

    1.3 Details of Configuration Parameters

    This section explains in detail the configuration parameters. The table is formatted and ordered to match the table displayed in the Customizing activity. For each parameter, the table includes the purpose of the parameter, the available option values, and screenshots to provide context about how the parameter affects the application.

    Note: The application provides a set of work centers; however, your system administrator can customize them according to your company's processes and structures. Additionally, Access Control is available both as a standalone application and as part of the GRC 10.1 application. Depending on the GRC applications you have licensed, different areas of the access control application are displayed. The navigation paths included in this document and in the screenshots may differ from yours.

    | # | Parameter Group | Parameter ID | Description | Default Value |

    | 1 | Change Log | 1001 | Enable Function Change Log | YES |

    Set to YES to display the Change History tab on the Function screen.

    | 2 | Change Log | 1002 | Enable Risk Change Log | YES |

    Set to YES to display the Change History tab on the Access Risk screen.

    | 3 | Change Log | 1003 | Enable Organization Rule Log | YES |

    Set to YES to display the Change History tab on the Organization Rules screen.

    | 4 | Change Log | 1004 | Enable Supplementary Rule Log | YES |

    Set to YES to display the Change History tab on the Supplementary Rules screen.

    | 5 | Change Log | 1005 | Enable Critical Role Log | YES |

    Set to YES to display the Change History tab on the Critical Role screen.

    | 6 | Change Log | 1006 | Enable Critical Profile Log | YES |

    Set to YES to display the Change History tab on the Critical Profile screen.

    | 7 | Change Log | 1007 | Enable Rule Set Change Log | YES |

    Set to YES to display the Change History tab on the Rule Sets screen.

    | 8 | Change Log | 1008 | Enable Role Change Log | YES |

    Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

    | 9 | Change Log | 5001 | SLG1 Log Level for HR Triggers | HIGH |

    The available values are High and Medium.

    When this parameter is set as High, all the HR Trigger logs are captured under SLG1 whether or not the info types from the HR System satisfy BRF rules. When this parameter is set as Medium, the system only captures those logs that occur after the BRF rules are satisfied.

    The screen shot below shows the detail SLG1 logs that are captured when the parameter is set to High.

    | 10 | Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365 |

    The default quantity of days you are allowed to mitigate any object (selection on service map). You can overwrite this quantity in the Valid To field.

    | 11 | Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO |

    By default, the application includes all rules when it mitigates the access risk.

    Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.

    | 12 | Mitigation | 1013 | Consider System for mitigation assignment | NO |

    Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

    | 13 | Mitigation | 1014 | Enable separate authorization check for mitigation from access request | NO |

    This parameter controls how authorization checks are done during the access request risk mitigation process.

    Previously, when risk mitigation was done during request approval, the mitigation was saved directly to user mitigation tables. If the request was later rejected or cancelled, the mitigation remained in the user mitigation table even though it was then invalid.

    By using this parameter, you tell the application to save the mitigation in intermediate tables until the request is fully approved. At that point, the mitigation is transferred to the user mitigation table.

    This parameter works in conjunction with an activity (88) that is added to authorization object GRAC_MITC.

    Setting the value to YES enables activity 88 and mitigations are saved to an intermediate table until the request is fully approved.

    Setting the value to NO saves the mitigations directly to the user mitigation tables and activity 88 is not checked.

    For more information, see SAP Note 1996151

    | 14 | Mitigation | 1015 | Get data for Invalid Mitigation Report from Management Summary table | NO |

    SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with the option to use Offline Data. The report gets the offline data from the detailed violations table from the last batch risk analysis. The data is very granular (low level) and may take time and more system resources to get.

    This parameter allows you to get the Offline Data from the Management Summary table. As the data is already at a summary level, it takes less time and less resources to produce the report.

    Set value to No to get the data from the detailed violations table.

    Set value to Yes to get the data from the Management Summary table.

    | 15 | Risk Analysis | 1021 | Consider Org Rules for other applications | NO |

    Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.

    | 16 | Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | |

    On the Risk Analysis screen, you can perform risk analysis. You specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive.

    In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.

    Note: To enter more than one system or connector, enter additional instances of the parameter.

    | 17 | Risk Analysis | 1023 | Default report type for risk analysis | 2 |

    The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, and Permission Level.

    This parameter allows you to choose one or more report types that are selected by default. It works as follows:

    - If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2, Permission Level.
    - If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values.

    Note: In the IMG value cell, press F4 to display the available types, such as Permission Level, and so on.

    The screenshot below shows the report being run with a default value of 2, Permission Level.

    Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.

    | 18 | Risk Analysis | 1024 | Default risk level for risk analysis | 3 |

    The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

    This parameter allows you to choose the Risk Level that is selected by default.

    | 19 | Risk Analysis | 1025 | Default rule set for risk analysis | |

    The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

    This parameter allows you to choose the Rule Set that is selected by default.

    | 20 | Risk Analysis | 1026 | Default user type for risk analysis | A |

    The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

    This parameter allows you to choose the User Type that is selected by default.

    | 21 | Risk Analysis | 1027 | Enable Offline Risk Analysis | NO |

    The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

    The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the Risk Analysis screen, the Offline Data checkbox is empty by default.

    | 22 | Risk Analysis | 1028 | Include Expired Users | NO |

    Set to YES to include expired users from plug-in systems for risk analysis.

    | 23 | Risk Analysis | 1029 | Include Locked Users | NO |

    Set to YES to include locked users from plug-in systems for risk analysis.

    | 24 | Risk Analysis | 1030 | Include Mitigated Risks | NO |

    The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

    Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to it. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected.

    | 25 | Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES |

    Set the value to YES to exclude critical roles and profiles for risk analysis.

  • Maintaining Configuration Settings in Access Control 10.1

    February 2015

    22

    # Parameter Group Parameter ID Description Default Value

    26Risk Analysis 1032 Include Reference user when doinguser analysis YES

    Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

    27

    Risk Analysis 1033 Include Role/Profile Mitigating Controls in Risk Analysis YES

    Set the value to YES to include the mitigating controls assigned to the user's roles and profiles for risk analysis.

    28

    Risk Analysis 1034 Maximum number of objects in a package for parallel processing 100

    The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job. For example, if there are 10,000 users to analyze and this value is 100, then there will be 100 packages created, each having 100 users. Each package is submitted to a separate background process, which is available to the application via the application group.

    If instead we specify that three background processes are available to GRAC_SOD, the 100 packages are submitted one by one to these processes: three packages initially, and then one by one to each process as it completes its package execution.

    Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, then the application ignores the parameter in this setting and uses the value 2 instead.

    29

    Risk Analysis 1035 Send e-mail notification to the monitor of the updated mitigated object YES

    Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object is updated, such as the user/role.

    30

    Risk Analysis 1036 Show all objects in Risk Analysis NO

    Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default.

    The objects that do not have violations are displayed with the Action: No Violations.
    Note: This setting applies to SoD Batch Risk Analysis.

    31

    Risk Analysis 1037 Use SoD Supplementary Table for Analysis YES

    Set the value to YES to use supplementary rules for SoD risk analysis.

    32

    Risk Analysis 1038 Consider FF Assignments in Risk Analysis YES

    You can use this parameter to select whether or not to include firefighter (FF) assignments in risk analysis.

    - Select YES to include FF assignments for risk analysis. On the Access Management > Access Risk Analysis screens, the application displays the Include FFIDS checkbox.
    - Select NO to exclude FF assignments for risk analysis. On the Access Management > Access Risk Analysis screens, the application does not display the Include FFIDS checkbox.

    Note: For Access Requests, the application does not allow users to choose whether to include, or not include, FFIDs for risk analysis. As illustrated in the graphic below, the Include FFIDs checkbox is not part of the Risk Violation tab on the Access Request screen. If you set the parameter value as YES, the application automatically includes FFIDs in the risk analysis, but it will not display the checkbox on the screen.

    33

    Risk Analysis 1046 Extended objects enabled connector

    Extended objects are objects from non-SAP systems. This parameter allows you to specify the connectors for non-SAP systems. The connectors can have object lengths greater than SAP objects. For example, SAP User ID length is 12, but the extended object length may be 50.
    Note: You can set multiple connectors by adding multiple instances of the parameter.

    34

    Management Dashboard Reports 1047 Default Management Report Violation Count P

    This parameter is used by the Access Risk Violations Dashboard. It controls the default behavior for how the application displays the violation count. The possible values are P and R.
    If the parameter is set to P, the application displays the violation count by permission as shown in the example below.
    If the parameter is set to R, the application displays the violation count by access risk level.

    35

    Risk Analysis 1048 Business View for Risk Analysis is Enabled NO (Technical View)

    The available values are Yes and No.
    If the parameter is set to Yes, the system displays the Risk Violations tab when you create or approve a request as shown in the screenshot below.

    36

    Default Management Reports 1049 Default Management Report Risk Type ALL

    Management reports consider all three access risk types: SoD, Critical Actions, and Critical Permissions. When all risk types are included, the pie chart calculations for all the management reports (Risk Violations, User Analysis, and Role Analysis) take all of them into account. This parameter provides a way to restrict the access risk types in the management reports.

    If parameter 1049 is set to *, all three types of access risk types are captured.
    If parameter 1049 is set to 1, Segregation of Duties will be captured.
    If parameter 1049 is set to 2, Critical Actions will be captured.
    If parameter 1049 is set to 3, Critical Permissions will be captured.

    37

    Risk Analysis 1050 Default Report View for Risk Analysis Remediation View

    There are three types of views for Risk Analysis reports (technical, business and remediation). If you want to change the global default to something other than the Technical View, you can do that through this parameter. This parameter affects the dashboard drill-down for Risk Analysis.

    You can change the default view on a case-by-case basis for the ad hoc reports through the User Interface (as shown below).

    38

    Risk Analysis - Spool 1051 Max number of objects in a file or database record 200000

    You can use this parameter to specify the maximum number of analytics data objects the application stores.
    If parameter 1053 is set to F, the value is the maximum number of objects stored in the file.
    If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table.

    Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table.

    Prerequisite: You have configured parameters 1052 and 1053.

    39

    Risk Analysis - Spool 1052 Spool File Location

    You can specify the file location where the application stores the analytics data, such as \\ \public\SoD\.

    Note: This parameter is only valid if parameter 1053 is set to F.
    Prerequisite: You have configured parameter 1053.

    40

    Risk Analysis - Spool 1053 Spool Type D

    You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control, such as ad hoc SoD violations.

    Set the value to F to store the data on the file system. (You set the file location in parameter 1052.)
    Set the value to D to store the data in the GRACSODREPDATA table.

    Note:
    - You see the intermediate results while risk analysis is running. This gives you an opportunity to see if the desired records are created and choose to stop or cancel the job.
    - If you change the location type (such as from D to F) in mid-course, the report will still read the previously generated files or database records. Index tables keep track of the source of the records when the data was generated.
    - If you cancel the job before the report is finished, you can still read the data up to the point the files or database records were created.

    41

    Risk Analysis - Spool 1054 Max number of violations supported in Organization Rule Analysis 500000

    SAP Access Control allows you to consider Organizational Rules when performing access risk analysis. Depending on the total number of org rules, it is possible the analysis will generate a very large number of violations, which may cause the system to run out of memory and result in a dump.
    With SP07, a feature has been added to enable the application to gracefully exit the analysis before the system runs out of memory. You use this parameter to set the threshold limit. The default is 500,000.
    For example, you can perform User Level risk analysis and choose the option to Consider Org Rule. If the 500,000 violations threshold is reached, the application stops the analysis for that particular user and displays the message Too many violations.

    42

    Workflow 1061 Mitigating Control Maintenance NO

    The application allows users to create and change mitigating controls.
    Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action.
    Note: On the Mitigating Control screen, the Create button is replaced by a Submit button.

    You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
    Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver.
    Figure B below shows you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).

    Figure A

    Figure B

    43

    Workflow 1062 Mitigation Assignment NO

    The application allows users to mitigate risks for objects (user, role, profile, and so on).

    - Set the value to YES to require the application to send an approval workflow item to the mitigating control approver. The screen displays a Submit button.
      Note: You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
    - Set the value to NO and the users can mitigate risks without approval. The screen displays a Save button.

    44

    Workflow 1063 Risk Maintenance NO

    The application allows users to create and modify risks.

    - Set the value to YES to require the application to send an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button.
      Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
    - Set the value to NO and then users can create and modify risks without approval. The screen displays a Save button.

    45

    Workflow 1064 Function Maintenance NO

    The application allows users to create and change functions.
    Set the value to YES to require the application to send an approval workflow item to the specified workflow agent for approval when functions are created or modified.

    Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

    46

    Risk Analysis - Access Request 1071 Enable risk analysis on form submission NO

    You can use this parameter to set the application to automatically perform risk analysis on the access request the user submitted. The risk analysis results are added to the access request for the approver to review. Therefore, the risk analysis results appear on the approver's screens but not on the requestor's screens.

    Set to No to disable automatic risk analysis.

    Set to Yes to enable automatic risk analysis.
    This triggers a risk analysis. The user must wait for the risk analysis to finish before proceeding.

    Set to Asynch to enable automatic risk analysis and allow the user to proceed to the next screen without waiting.
    The risk analysis is performed in the background and the results are attached to the request.
    Note: This does not change the workflow for the request. The request will only proceed to the approver after the risk analysis is completed in the background.

    47

    Risk Analysis - Access Request 1072 Mitigation of critical risk required before approving the request NO

    Set the value to YES to require mitigation of Risks of the type Critical Access.

    48

    Risk Analysis - Access Request 1073 Enable SoD violations detour on risks from existing roles NO

    The possible values for this parameter are YES and NO.
    If an SoD risk exists in an access request, the application considers it a special condition and sends it to a detour path in the workflow.

    However, SoD risks may arise from the new roles the user is requesting and they may arise from the existing roles that are already assigned to the user.
    Set the value to YES to consider risks from new and existing roles for the detour.
    Set the value to NO to consider risks only from new roles (and not existing roles) for the detour.

    49

    Risk Analysis - Access Request 1080 Connector enabled for Risk Terminator

    Enter the name of the connector in the value field to enable it for risk terminator.
    You can enter multiple values by entering multiple instances of the parameter, as follows:

    Note: The Plug-in Connector is maintained in parameter 1000. The GRC Connector is maintained in parameter 1001.

    50

    Risk Analysis - Risk Terminator 1081 Enable Risk Terminator for PFCG Role Generation NO

    Set to YES to trigger the risk terminator service for PFCG Role Generation.
    The Risk Terminator service is a tool that resides in the back end SAP ABAP system and notifies you when a risk violation occurs.

    51

    Risk Analysis - Risk Terminator 1082 Enable Risk Terminator for PFCG User Assignment NO

    Set to YES to trigger the risk terminator service for PFCG User Assignment.

    52

    Risk Analysis - Risk Terminator 1083 Enable Risk Terminator for SU01 Role Assignment NO

    Set to YES to trigger the risk terminator service for SU01 Role Assignment.

    53

    Risk Analysis - Risk Terminator 1084 Enable Risk Terminator for SU10 multiple User Assignment NO

    Set to YES to trigger the risk terminator service for SU10 Multiple User Assignment.

    54

    Risk Analysis - Risk Terminator 1085 Stop role generation if violations exist NO

    Set to YES so that the risk terminator service stops generating roles if violations exist.

    55

    Risk Analysis - Risk Terminator 1086 Comments are required in case of violations NO

    Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment.

    56

    Risk Analysis - Risk Terminator 1087 Send Notification in case of violations NO

    Set the value to YES to enable the application to send e-mail notifications to the role owner when violations occur.

    57

    Risk Analysis - Risk Terminator 1088 Default report type for Risk Terminator 2

    Select the default report type the risk terminator service uses to report SoD violations. Use F4 help to display the available report types.

    58

    Authorizations 1100 Enable the authorization logging NO

    If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1. For example, an owner wants to perform an action and is missing the necessary authorizations.
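
An added example (not part of SAP's guide): a Python check that reviews exported values for parameters described above, flagging values outside the documented set, approval or analysis steps left at NO, and the 1052/1053 spool dependency. The CSV layout, the sample values, and the rule that an unset parameter takes its documented default are assumptions made for this example.

```python
import csv
import io

# Constructed sample; the two-column CSV layout is an assumption made for this
# example, not an SAP export format.
SAMPLE_EXPORT = """param_id,value
1047,X
1053,F
1061,NO
1062,YES
1063,no
1064,YES
1071,Asynch
1072,NO
1073,YES
"""

# Possible values and default values as stated in the guide.
YES_NO_PARAMS = ("1061", "1062", "1063", "1064", "1072", "1073", "1100")
ALLOWED = {"1047": {"P", "R"}, "1053": {"F", "D"}, "1071": {"NO", "YES", "ASYNCH"}}
ALLOWED.update({pid: {"YES", "NO"} for pid in YES_NO_PARAMS})
DEFAULTS = {"1047": "P", "1053": "D", "1071": "NO"}
DEFAULTS.update({pid: "NO" for pid in YES_NO_PARAMS})

# What the guide's descriptions imply is skipped while the parameter is NO.
GATES = {
    "1061": "mitigating control changes are not sent to an approver",
    "1062": "users can mitigate risks without approval",
    "1063": "users can create and modify risks without approval",
    "1064": "function changes are not sent to a workflow agent",
    "1071": "no automatic risk analysis when an access request is submitted",
    "1072": "critical risks need no mitigation before request approval",
    "1073": "SoD detour ignores risks from roles the user already holds",
    "1100": "insufficient-authorization events are not logged in SLG1",
}


def load_params(text):
    """Return {param_id: [values]}; repeated rows are kept as multiple instances."""
    params = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = row["param_id"].strip()
        params.setdefault(pid, []).append(row["value"].strip().upper())
    return params


def effective(params, pid):
    """Configured value, else the documented default (assumption: unset means default)."""
    values = params.get(pid)
    return values[-1] if values else DEFAULTS.get(pid)


def review(params):
    """Return sorted (param_id, kind, message) findings."""
    findings = []
    for pid, allowed in ALLOWED.items():
        value = effective(params, pid)
        if value not in allowed:
            findings.append((pid, "INVALID", f"value {value!r} not in {sorted(allowed)}"))
        elif pid in GATES and value == "NO":
            findings.append((pid, "GATE_OFF", GATES[pid]))
    # Spool dependency: 1052 (file location) is only valid when 1053 is F.
    spool_type = effective(params, "1053")
    has_location = any(params.get("1052", []))
    if spool_type == "F" and not has_location:
        findings.append(("1052", "DEPENDENCY", "1053 is F but no spool file location is set"))
    if spool_type == "D" and has_location:
        findings.append(("1052", "DEPENDENCY", "spool file location is ignored while 1053 is D"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, kind, message in review(load_params(SAMPLE_EXPORT)):
        print(f"{pid}  {kind:<10}  {message}")
```

Because every approval and logging parameter in this group defaults to NO, an empty export produces a GATE_OFF finding for each of them.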

    59

    Workflow 1101 Create Request for Risk Approval 12

    Use F4 help and choose the request type the workflow uses to create requests for risk approval.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    This request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR.

    60

    Workflow 1102 Update Request for Risk Approval 13

    Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    61

    Workflow 1103 Delete Request for Risk Approval 14

    Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    62

    Workflow 1104 Create Request for Function Approval 15

    Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    63

    Workflow 1105 Update Request for Function Approval 16

    Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    64

    Workflow 1106 Delete Request for Function Approval 17

    Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    65

    Workflow 1107 Create Request for Mitigation Assignment Approval 18

    Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    66

    Workflow 1108 Update Request for Mitigation Assignment Approval 19

    Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    (See also parameter 1101).

    67

    Workflow 1109 Delete Request for Mitigation Assignment Approval 20

    Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID.
    You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
    See also parameter 1101.

    68

    Workflow 1110 High 2

    You use this parameter to set the default workflow request priority for Updating and Creating Risks. Use F4 help to display the list of available priorities.
    You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_RISK_APPR to risk approval priorities.

    69

    Workflow 1111 High 3

    You use this parameter to set the default workflow request priority for Creating and Updating Functions. Use F4 help to display the list of available priorities.
    You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_FUNC_APPR to function approval priorities.

    70

    Workflow 1112 High 4

    You use this parameter to set the default workflow request priority for Mitigation Control Assignments. Use F4 help to display the list of available priorities.
    You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities.

    71

    Workflow 1113 Access Control E-mail sender WF-BATCH

    The application uses the e-mail of this user as defined in SU01 to send the workflow e-mails to the approvers.
    See the Access Control 10.1 Security Guide for information about required authorizations for the WF-BATCH user.

    72

    Authorizations 1114 Display authorization message in reports YES

    The Access Control reports and dashboards display data based on the user's authorizations. You can use this parameter to display a message and link that displays the objects the user is authorized to view.

    - Set the value as YES to display the message and link.
    - Set the value as NO if you do not want to display the message and link.

    73

    Performance 1120 Batch size for Batch Risk Analysis 1000

    The application uses this value to determine the size of the batch when performing batch risk analysis.
    (See also parameter 1121 for an example).

    74

    Performance 1121 Batch size for User sync 1000

    The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository.
    For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000), and then processes the job in 10 batches of the range 0 to 1000, 1001 to 2000, and so on. Each batch is processed in its entirety before continuing with the next.
    To synchronize users to the GRC AC Repository, you use the Customizing activity Repository Object Synch under Governance, Risks, and Compliance > Access Control > Synchronization Jobs.

    75

    Performance 1122 Default batch size for role synchronization 1000

    The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

    76

    Performance 1123 Default batch size for profile synchronization 1000

    The application uses this value to determine the size of the batch when synchronizing profiles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

    77

    Performance 1124 Default batch size for authorization synchronization 1000

    The application uses this value to determine the size of the batch when synchronizing authorization master data from the backend ERP systems to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

    78

    Performance 1125 Pre-aggregate Access Risk Information NO

    Setting the parameter to YES renders the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver more quickly.
    Setting the parameter to NO can adversely affect the rendering of the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver.

    When performing risk analysis, the risk count shows the number of risks per access request. This parameter stores the risk count more efficiently. For more information, see SAP Note 1976368.

    79

    Performance 1126 Number of background jobs created for one Ad-Hoc Risk Analysis job 1

    This parameter works with parameter 1127 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000 minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing.

    80

    Performance 1127 Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis 1000

    This parameter works with parameter 1126 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000 minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing.

    81

    Access Request Default Roles 1302 Add default roles only for systems specified in the access request NO

    Default roles are automatically assigned to users on a system. Typically, these are roles that have little to no risk and contain authorizations you want everyone to have.
    For example, you want everyone with access to System_A to have authorization to view data. Therefore, when someone requests access to System_A the application automatically assigns the default roles to him or her in addition to whatever roles they requested.

    Previously, the application would assign all default roles for all systems in one request even if the systems were not specified in the request. The rationale is that all default roles are safe so the risk is low and it saves you from having to assign the roles in separate requests. For example, someone requests access to System_A. The application assigns them the default roles for System_A and the default roles for all other systems.

    You can use this parameter to have the application add default roles only for systems explicitly included in the access request.
    If the parameter is set to YES, the application only adds system-specific roles to the request.
    If the parameter is set to NO, the application adds default roles for all systems into the request.

    82

    UAR Review 2004 Request Type for UAR

    All request types that are defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F4.

    This is important for tagging the workflow in MSMP for UAR Review.

    83

    UAR Review 2005 Default Priority UAR_PRIORITY

    You use this parameter to set the default priority for user access request reviews. Use F4 help to display the list of available priorities for UAR Requests.

    You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In this example, priority IDs 10, 22, 24, and 36 are relevant for UAR Review.

    84

    UAR Review 2006 Who are the reviewers? MANAGER

    Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE.

    85

    UAR Review 2007 Admin. review required before sending tasks to reviewers YES

    Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. (You specify reviewers in parameter 2006).

    86

    UAR Review 2008 Number of line items per UAR request 100

    This parameter allows you to specify the maximum number of items per UAR request when creating a UAR request.
    For more information, see SAP Note 1938273.

    87

    Access Request Default Roles 2009 Consider Default Roles YES

    If set to YES, the application automatically adds the relevant Default Roles to the access request.

    Prerequisites: You have maintained the following parameters as needed: 2011, 2012, and 2013.

    In this example, the value for the attribute Functional Area maps to a relevant default role, so the application adds the role to the request.

    88

    Access Request Default Roles 2010 Request type for default roles

    Enter the request types that are relevant for default roles functionality. The application adds default roles only for the specified roles.
    Enter multiple request types by adding additional instances of the parameter.

    Use F4 help to display the available request types. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

    See also parameters 2009, 2011, 2012, and 2013.

    # Parameter Group Parameter ID Description Default Value

    89

    Access Request Default Roles 2011 Default Role Level REQ&ROL

    Select which attribute type the application uses to determine the relevance of the default roles.

    - Role - The application uses the role attributes to determine the relevant default roles and adds the default roles at the time the user adds the roles to the request. That is, the user does see the added default roles at the time they create the request. You define the relevant role attributes in parameter 2012.

    - Request - The application uses the request attributes to determine the relevant default roles and adds the default roles when the request is displayed for the approver. That is, the user does not see the added default roles at the time they create the request. You define the relevant request attributes in parameter 2013.

    In this example, the value is set to Request. The manager receives a request with the default role z_user_admin already added, because Functional Area is a relevant attribute.

    In this example, the value is set to Role. On the request screen, the application shows the default roles as Existing and adds them to the request.

    See also parameters 2009, 2010, 2012, and 2013.

    # Parameter Group Parameter ID Description Default Value

    90

    Access Request Default Roles 2012 Role Attributes

    Enter the role attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter 2013. You can add multiple role attributes by adding additional instances of the parameter.

    See also parameters 2009, 2010, 2011, and 2013.

    91

    Access Request Default Roles 2013 Request Attributes

    Enter the request attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter 2012. You can add multiple request attributes by adding additional instances of the parameter.

    See also parameters 2009, 2010, 2011, and 2012.

    92

    Access Request Role Mapping 2014 Enable Role Mapping YES

    The application allows you to assign roles as child roles (or map the roles). This allows anyone who is assigned this role to be assigned the authorizations and access for the child roles. Set the parameter value to YES to enable this functionality. The role mappings are applicable for provisioning access requests.

    Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.

    In the following example, the user is requesting the role BS_BS_123 of system GF1->GO7. The mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the role from the request.

    Note: The Source System dropdown list is from the same landscape you chose on the Detail tab.

    # Parameter Group Parameter ID Description Default Value

    93

    Access Request Role Mapping 2015 Applicable to Role Removals YES

    Set the value to YES to allow users to include mapped roles in requests for role removal. For example, if a user creates a request to remove a role assigned to them, and the role has mapped roles, then the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request.

    94

    SOD Review 2016 Request Type for SoD

    Use F4 help and select the request type when SoD review requests are created.

    You maintain the list of available request type values in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.

    95

    SOD Review 2017 Default priority for SoD

    Use F4 help and select the default priority used for SoD review requests. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.

    96

    SOD Review 2018 Who are the reviewers? MANAGER

    Select either Manager or Risk Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Risk Owners receive review requests sorted by Risk.

    97

    SOD Review 2019 Admin. review required before sending tasks to reviewers YES

    Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. You specify reviewers in parameter 2018.

    98

    SOD Review 2020 Number of unique line items per SOD request (Maximum 9999)

    You use this parameter to control the number of unique line items an approver wants to see in a SOD Review Request. The possible values are all numeric values between 0001 and 9999. For more information, see SAP Note 1994429 - UAM: Running Batch Risk Analysis is mandatory for SOD Review Request creation.

    99

    SOD Review 2023 Is actual removal of role allowed YES

    You use this parameter to configure whether the reviewers of SoD risks are allowed to remove the roles associated with an SOD risk or only propose removal of the roles.

    - Set value as NO
      This is the recommended setting. On the SoD Review screen, the application displays the Propose Removal button. Reviewers can only propose the removal of roles associated with a SoD risk violation. The workflow goes to the security administrator, who is able to view the source of the risk before deciding whether to remove the role.

    - Set value as YES
      This setting is not recommended. On the SoD Review screen, the application displays the Remove Role button. This allows the reviewer to delete the roles directly without going through approval by the security administrator.
      Warning: Reviewers do not have the ability to view the source of the risks; therefore, they risk deleting relevant roles.

    # Parameter Group Parameter ID Description Default Value

    100

    Access Request Training Verification 2024 Training and verification

    The application allows you to require that users complete training courses before the application provisions specific roles to them.

    You enable this functionality by:

    1. Setting training requirements (see Example 1 below)
    2. Configuring MSMP routing rule
    3. Configuring the data source systems for verifying if the training requirements are completed

    Example 1: The user is requesting a role that has a TRAINING prerequisite, and Verify on Request is set to Yes. The application will not allow them to submit the request until all the prerequisites are met.

    The application has a Routing rule for Training and Verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). The routing checks this parameter to determine the data source for verifying if the user has completed the training required for the roles they are requesting to add. If the required training is not completed for a particular role, the application does not provision the role, and instead, sends the request to the routing path.

    - Leave the value field empty to disable the function. The workflow does not take any routing paths.
    - Set the value to BAdI and the application uses the specified BAdI to perform the verification.
    - Set the value to WS and the application uses the specified web service to perform the verification.

    Note: Specify the prerequisite system in the connector configuration. To configure the connectors, use the Customizing activity Maintain Connectors and Connector Types under Governance, Risk, and Compliance > Common Component Settings > Integration Framework. The connector must be of the type WS and associated with a logical port. You can define the logical port in transaction SOAMANAGER.

    Prerequisite: You have implemented the BAdI or web service (WS) as needed.

    Note: You can configure the routing in the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

    101

    Access Request Role Selection 2031 Allow All Roles for Approver YES

    The application allows approvers to add additional roles to access requests when reviewing them. Set the value to YES to allow approvers to view and select all roles. Set the value to NO to restrict the roles the approvers can view and select for request creation. You specify the restriction criteria in parameter 2032.

    # Parameter Group Parameter ID Description Default Value

    102

    Access Request Role Selection 2032 Approver Role Restriction Attribute

    The application allows approvers to add additional roles to access requests when reviewing them. You can restrict the roles approvers can view and select for request creation.

    - Set the value to A to Restrict on Role Approver.
      Approvers can view and select only those roles for which they are the role approver.

    - Set the value to B to Restrict on Business Process.
      Approvers can view and add only those roles with business process attributes that match those in the request.

    - Set the value to F to Restrict on Functional Area.
      Approvers can view and add only those roles with functional area attributes that match those in the request.

    Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the application ignores the restrictions specified here.

    You can add multiple restriction values by adding additional instances of the parameter.

    103

    Access Request Role Selection 2033 Allow All Roles for Requestor YES

    Set the value to YES to allow the user to view all roles for request creation. Set the value to NO to restrict the roles the user can view for request creation. You specify the restriction criteria in parameter 2034.

    # Parameter Group Parameter ID Description Default Value

    104

    Access Request Role Selection 2034 Requestor Role Restriction Attribute

    This parameter allows you to require that, for access request creation, the application displays only the roles that have attributes that match the specified requestor attributes.

    - Set the value to B to Restrict on Business Process. The application displays only the roles that match the requestor's business process attribute.

    - Set the value to F to Restrict on Functional Area. The application displays only the roles that match the requestor's functional area attribute.

    Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If parameter 2033 is set to YES, the application ignores the restrictions specified here.

    You can add multiple restriction values by adding additional instances of the parameter.

    105

    Access Request Role Selection 2035 Allow Role Comments YES

    Set value to YES to allow the user to enter Role Comments when creating access requests.

    106

    Access Request Role Selection 2036 Role Comments Mandatory YES

    Set value to YES to require Role Comments when creating access requests.

    Note: This is a GLOBAL setting and is required for all roles included on requests. Mandatory comments can also be determined at the individual role level.

    Prerequisite: Parameter 2035 must be set to YES.

    # Parameter Group Parameter ID Description Default Value

    107

    Access Request Role Selection 2037 Display expired roles for existing roles YES

    Set the value to YES to include the roles for which the user assignment is expired when the user chooses the Existing Assignment button on the Access Request.

    108

    Access Request Role Selection 2038 Auto Approve Roles without Approvers YES

    Set the value to YES to allow the application to approve access requests automatically for roles without role owners.

    109

    Access Request Role Selection 2039 Search Role by Transactions from Backend System NO

    Set the value to NO to allow users to search for roles using the role information in the GRC AC Repository. Set the value to YES to allow users to search for roles by transactions on a specific backend system in real time. This has the following effect:

    - It adds the Transaction from Backend System criteria to the Select Roles screen.
    - It makes the System criteria mandatory.
    - It fetches role information from the specified system in real time, which may have an effect on performance.

    # Parameter Group Parameter ID Description Default Value

    110

    Access Request Role Selection 2040 Assignment comments mandatory on rejection NO

    If the value is set to No, when you open an access request, you are not required to enter a comment if you reject a role or system assignment. If the value is set to Yes, you must enter a value if you reject a role or system assignment.

    111

    Assignment Expiry 2041 Duration for assignment expiry in Days

    On the My Profile and Existing Assignment screens, the application displays the Status field for the roles. Roles that are about to expire display the status of Expiring. You use this parameter to specify the timeframe (in days) that triggers the application to display the status as Expiring.

    In the following example, the My Profile and Existing Assignment screens will show the status of Expiring for all roles assigned to the user that are about to expire in 1 to 45 days.

    112

    Access Request Role Selection 2042 Visibility of Valid from/Valid to for profiles 0

    The available values are: 0, 1, 2, 3, 4. The effect on the user experience is based on the value the user selects. The visibility of the dates and the editable property of the Valid from and Valid To fields depend on the value selected for the parameter, as indicated in the screen shots below.

    # Parameter Group Parameter ID Description Default Value

    113

    Access Request Role Selection 2043 Authorization object for role search - provisioning GRAC_ROLED

    This parameter allows you to determine the behavior of role search based on authorizations and the roles the user can see during role definition and role provisioning.

    - GRAC_ROLED
      Enter this value to enforce role search authorizations during the role definition.

    - GRAC_ROLEP
      Enter this value to enforce role search authorizations during role provisioning.

    - BOTH
      Enter this value to enforce role search authorizations during both role definition and role provisioning.

    For more information about the authorization objects, see the Access Control 10.1 Security Guide.

    114

    Access Request Role Selection 2044 Display profiles in Existing Assignments, My Profile, and Model User YES

    The available values are Yes and No. Based on the parameter value, the system displays or hides Profiles for Existing Assignments, My Profile, and Model User as illustrated by the screen shots below.

    # Parameter Group Parameter ID Description Default Value

    115

    Access Request Role Selection 2045 Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile 010

    The available values are: 006, 009, 010. Based on the parameter value, the provisioning action is set for roles/profiles/FFID from existing assignments and My Profile as indicated in the screen shots below.

    # Parameter Group Parameter ID Description Default Value

    116

    Access Request Role Selection 2046 Field type for business process and system fields, in access request role search

    This parameter allows you to choose the field type for the Business Process and System search criteria on the Access Request Role Search screen. You can choose the field types as a Text field with F4 help or a dropdown list.

    - Set the value to zero to display the field types for both Business Process and System as a text field. (See example below.)
    - Set the value to one to display the Business Process field as a dropdown list, and the System field as a text field.
    - Set the value to two to display the Business Process field as a text field, and the System field as a dropdown list.
    - Set the value to three to display both the Business Process and System fields as a dropdown list.

    117

    Access Request Role Selection 2047 Filter business process and systems based on application area NO

    118

    Performance 2048 Default provisioning environment for business role

    Use this parameter to set the default provisioning environment for business roles. For example, if you set the parameter to TST, then when a user submits a request for a business role the default provisioning environment is Test.

    The possible values for this parameter are:

    - DEV - Development
    - PRD - Production
    - TST - Test

    119

    Performance 2050 Enable Real-time LDAP Search for Access Request User. NO

    If set to YES, the application searches for the access request user on the specified LDAP source and in real time.

    Prerequisite: You have specified the data source as LDAP, or else the application ignores this parameter.

    Note: Since the search is performed in real time, it can negatively affect performance.

    # Parameter Group Parameter ID Description Default Value

    120

    Workflow 2051 Enable User ID Validation in Access Request against Search Data Sources YES

    If set to YES, the application validates that the UserID exists on the specified source system. If the user does not exist, the application does not allow the request to continue. The validation is performed when you select Submit or Enter.

    121

    LDAP 2052 Use LDAP domain forest NO

    The available values are Yes and No. The effect on the user experience is based on the value set in configuration. If the value is Yes, users can search from multiple domains when the user data source is LDAP.

    122

    Performance 2060 Organization Rules - Maximum allowed to be generated in foreground 50000

    In SAP Access Control, you can use the Organizational Rule Creation Wizard to generate organizational rules. You can choose to generate the rules in the foreground or the background.

    Generating the rules in the foreground may use up system resources for other activities or affect performance. You can use this parameter to set a threshold for the maximum organizational rules that can be generated in the foreground, thereby keeping it from negatively affecting the system resources.

    For example, you set the threshold value at 20,000. If the threshold is reached when someone is generating organizational rules in the foreground, the application halts the task and displays options to either run the job in the background or cancel it.

    # Parameter Group Parameter ID Description Default Value

    123

    Performance 2061 Duration for displaying confirmation message (in milliseconds) 1000

    This parameter applies to the SAP Fiori for SAP GRC transactional application, Compliance Approver. You use this parameter to set how long the confirmation message appears on the screen. The default is 1000 milliseconds. Below is an example of the confirmation message.

    124

    Access Control General Settings 2401 Allowed extensions for attachments *

    The application allows users to attach files. By default, it allows all file types. You can use this parameter to restrict the types of files users can attach. To restrict file types:

    1. Enter the allowed file types in this parameter. Separate each file type by a comma.
       For example: docx, pdf, xlsx

    2. Implement the BAdI GRFN_DOCUMENT to enable the logic and configure the wording for the error message.
       See SAP Note 2058231.
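
Several of the parameters above only take effect when another parameter has a specific value (2032 and 2034 are ignored unless 2031 and 2033 are NO; 2036 requires 2035), and a restriction that is maintained but silently ignored is easy to miss in a review. The following Python sketch is an added example, not SAP code: it audits an export of parameter values against the value lists, dependencies and the 2023 recommendation stated in this guide. The export format (rows of parameter ID and value), the function names and the sample rows are assumptions.

```python
"""Audit exported Access Control parameters against rules stated in this guide."""

# Default values taken from the "Default Value" column of the guide.
DEFAULTS = {"2023": "YES", "2031": "YES", "2033": "YES",
            "2035": "YES", "2036": "YES", "2401": "*"}

# Value lists quoted in the parameter descriptions.
ALLOWED = {
    "2032": {"A", "B", "F"},
    "2034": {"B", "F"},
    "2042": {"0", "1", "2", "3", "4"},
    "2043": {"GRAC_ROLED", "GRAC_ROLEP", "BOTH"},
    "2045": {"006", "009", "010"},
    "2048": {"DEV", "PRD", "TST"},
}

# (parameter, controlling parameter, value the controlling one must have);
# otherwise the guide says the application ignores the restriction.
IGNORED_UNLESS = [("2032", "2031", "NO"), ("2034", "2033", "NO")]


def audit(rows):
    """rows: iterable of (parameter_id, value); repeated IDs are multiple
    instances of one parameter. Returns a list of (parameter_id, finding)."""
    values = {}
    for pid, val in rows:
        values.setdefault(pid.strip(), []).append(val.strip().upper())

    def current(pid):
        # First maintained instance, else the documented default.
        return values[pid][0] if pid in values else DEFAULTS.get(pid)

    findings = []
    for pid, allowed in ALLOWED.items():
        for val in values.get(pid, []):
            if val not in allowed:
                findings.append((pid, f"{val!r} is not one of {sorted(allowed)}"))
    for val in values.get("2020", []):
        if not (val.isascii() and val.isdigit() and 1 <= int(val) <= 9999):
            findings.append(("2020", f"{val!r} is outside 0001-9999"))
    for pid, ctl, needed in IGNORED_UNLESS:
        if pid in values and current(ctl) != needed:
            findings.append((pid, f"ignored because parameter {ctl} is not {needed}"))
    if current("2036") == "YES" and current("2035") != "YES":
        findings.append(("2036", "mandatory role comments require 2035 = YES"))
    if current("2023") == "YES":
        findings.append(("2023", "reviewers can remove roles directly; NO is recommended"))
    extensions = [e.strip() for v in values.get("2401", ["*"]) for e in v.split(",")]
    if "*" in extensions:
        findings.append(("2401", "attachment file types are not restricted"))
    return findings


# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = [
    ("2020", "0000"), ("2023", "YES"), ("2031", "YES"), ("2032", "A"),
    ("2032", "X"), ("2033", "NO"), ("2034", "F"), ("2035", "NO"),
    ("2036", "YES"), ("2048", "PRD"), ("2401", "docx, pdf, xlsx"),
]

if __name__ == "__main__":
    for pid, finding in audit(SAMPLE_EXPORT):
        print(f"{pid}: {finding}")
```

Parameters missing from the export are evaluated with the defaults listed in the guide, so an empty export still reports the shipped values of 2023 and 2401.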

    # Parameter Group Parameter ID Description Default Value

    125

    Role Management 3000 Default Business Process

    Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available business processes. You maintain the list of business processes in the Customizing activity Maintain Business Processes and Sub processes under Governance, Risk and Compliance > Access Control.

    126

    Role Management 3001 Default Sub process

    Select the sub process the application displays by default on the Role Import screen. Use F4 help to display the available sub processes. You maintain the list of sub processes in the Customizing activity Maintain Business Processes and Sub processes under Governance, Risk and Compliance > Access Control.

    127

    Role Management 3002 Default Criticality Level

    Select the criticality level the application displays by default on the Role Import screen. Use F4 help to display the available criticality levels. You maintain the list of sub processes in the Customizing activity Specify Criticality Level under Governance, Risk and Compliance > Access Control > Role Management.

    128

    Role Management 3003 Default Project Release

    Select the project release the application displays by default on the Role Import screen. Use F4 help to display the available project releases. You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance, Risk and Compliance > Access Control > Role Management.

    129

    Role Management 3004 Default Role Status

    Select the role status the application displays by default on the Role Import screen. Use F4 help to display the available role status. You maintain the list of project releases in the Customizing activity Maintain Role Status under Governance, Risk and Compliance > Access Control > Role Management.

    130

    Role Management 3005 Reset Role Methodology when Changing Role Attributes NO

    This parameter determines whether the role methodology step is reset to the first step (Definition) after a mass update. It is particularly useful to avoid creating mass approval requests. When approvals are not required, we recommend that you set the parameter to No to leave the role methodology intact at the current step. Setting it to Yes causes the system to create one approval request per each role updated.

    # Parameter Group Parameter ID Description Default Value

    131

    Role Management 3006 Allow add functions to an authorization YES

    Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen.

    132

    Role Management 3007 Allow editing organizational level values for derived roles NO

    The maintenance screen for derived roles displays organizational levels from the parent role. Set the value to YES to