unit 2 - analyze and manage risk virtual labs

Page | 1

Unit 2 – Analyze and Manage Risk Exercise 2.1 – Review Analyze and Manage Risk specific Configuration Objective – To understand the current and available configurations of the GRC v10.0 system

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Maintain Configuration Settings

a. Review the following settings related to Analyze and Manage Risk b. List which settings are set and their values

i. 1‐Change Log:1001‐Enable Function Change Log ii. 1‐Change Log:1002‐Enable Risk Change Log iii. 1‐Change Log:1003‐Enable Organization Rule Log iv. 1‐Change Log:1004‐Enable Supplementary Rule Log v. 1‐Change Log:1005‐Enable Critical Role Log vi. 1‐Change Log:1006‐Enable Critical Profile Log vii. 1‐Change Log:1007‐Enable Rule Set Change Log viii. 1‐Change Log:1008‐Enable Role Change Log ix. 2‐Mitigation:1011‐Default expiration time for mitigating control assignments (in days) x. 2‐Mitigation:1012‐Consider Rule Id also for mitigation assignment xi. 2‐Mitigation:1013‐Consider System for mitigation assignment xii. 3‐Risk Analysis:1021‐Consider Org Rules for other applications xiii. 3‐Risk Analysis:1022‐Connector for which Object Ids may be maintained case sensitive xiv. 3‐Risk Analysis:1023‐Default report type for risk analysis xv. 3‐Risk Analysis:1024‐Default risk level for risk analysis xvi. 3‐Risk Analysis:1025‐Default rule set for risk analysis xvii. 3‐Risk Analysis:1026‐Default user type for risk analysis xviii. 3‐Risk Analysis:1027‐Enable Offline Risk Analysis xix. 3‐Risk Analysis:1028‐Include Expired Users xx. 3‐Risk Analysis:1029‐Include Locked Users xxi. 3‐Risk Analysis:1030‐Include Mitigated Risks xxii. 3‐Risk Analysis:1031‐Ignore Critical Roles & Profiles xxiii. 3‐Risk Analysis:1032‐Include Reference user when doing user analysis xxiv. 3‐Risk Analysis:1033‐Include Role/Profile Mitigating Controls in Risk Analysis xxv. 3‐Risk Analysis:1034‐Max number of objects in a package for parallel processing xxvi. 3‐Risk Analysis:1035‐Send email notification to the monitor of the updated mitigated object xxvii. 3‐Risk Analysis:1036‐Show All Objects in Risk Analysis xxviii. 3‐Risk Analysis:1037‐Use SoD Supplementary Table for Analysis. xxix. 3‐Risk Analysis:1046‐Extended objects enabled connector xxx. 4‐Risk Analysis ‐ Spool:1051‐Max number of objects in a file or database record xxxi. 4‐Risk Analysis ‐ Spool:1052‐Spool File Location xxxii. 4‐Risk Analysis ‐ Spool:1053‐Spool Type xxxiii. 5‐Workflow:1061‐Mitigating Control Maintenance xxxiv. 5‐Workflow:1062‐Mitigation Assignment xxxv. 5‐Workflow:1063‐Risk Maintenance

Page | 2

xxxvi. 5‐Workflow:1064‐Function Maintenance xxxvii. 5‐Workflow:1101‐Create Request for Risk Approval xxxviii. 5‐Workflow:1102‐Update Request for Risk Approval xxxix. 5‐Workflow:1103‐Delete Request for Risk Approval

xl. 5‐Workflow:1104‐Create Request for Function Approval xli. 5‐Workflow:1105‐Update Request for Function Approval xlii. 5‐Workflow:1106‐Delete Request for Function Approval xliii. 5‐Workflow:1107‐Create Request for Mitigation Assignment Approval xliv. 5‐Workflow:1108‐Update Request for Mitigation Assignment Approval xlv. 5‐Workflow:1109‐Delete Request for Mitigation Assignment Approval

Page | 3

Unit 2 – Analyze and Manage Risk Exercise 2.1 – Review Analyze and Manage Risk specific Configuration Solution:

Page | 4

Unit 2 – Analyze and Manage Risk Exercise 2.2 – Maintain Ruleset Objective: To understand how to maintain a Rule Set and view change history

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Rule Sets under the Access Rule Maintenance section 4. Create a rule set with the following information

a. Rule Set ID – ACRULExx (where xx is your participant ID) b. Rule Set Description – Rule Set Maintenance for GRC Access Control Training Course Group xx (where xx

is your Participant ID) 5. Click Save 6. Click Close 7. Review the Change History by clicking the tab

Page | 5

Unit 2 – Analyze and Manage Risk Exercise 2.2 – Maintain Ruleset Solution:

Page | 6

Page | 7

Unit 2 – Analyze and Manage Risk Exercise 2.3 – Maintain Function Objective: To understand how to maintain a Function and view change history

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Functions under the Access Rule Maintenance section 4. Create two Functions with the following information

a. Function A i. Function ID ‐ GRCFNxxA (where xx is your participant ID) ii. Business Process – Finance iii. Analysis Scope – Single System iv. Description – Function Maintenance A for GRC Training Course Group xx (where xx is your

Participant ID) v. Add the following Action

System Action Description Status ZMGCLNT800 FB50 This will be auto

populated ACTIVE

vi. Maintain the following Permissions

1. Where xx is listed in the Value From or Value To field, this should be replaced by your Participant ID

System Permission Group

Permission Field Value From

Value To

Condition Status

ZMGCLNT800 FB50 F_BKPF_GSB ACTVT 01 AND ACTIVE ZMGCLNT800 FB50 F_BKPF_GSB GSBER BAxx AND ACTIVE ZMGCLNT800 FB50 F_BKPF_KOA ACTVT 01 AND ACTIVE

b. Function B i. Function ID ‐ GRCFNxxB (where xx is your participant ID) ii. Business Process – Basis iii. Analysis Scope – Single System iv. Description – Function Maintenance B for GRC Training Course Group xx (where xx is your

Participant ID) v. Add the following Action

System Action Description Status ZMGCLNT800 OB52 This will be auto

populated ACTIVE

vi. Maintain the following Permissions

System Permission Group

Permission Field Value From

Value To

Condition Status

ZMGCLNT800 OB52 S_TABU_CLI CLIIDMAINT ‘ ’ AND ACTIVE ZMGCLNT800 OB52 S_TABU_DIS ACTVT 02 AND ACTIVE ZMGCLNT800 OB52 S_TABU_DIS DICBERCLS FC31 AND ACTIVE

Page | 8

5. Click Save 6. Click Close 7. Use Filter Settings to show ONLY your Functions

a. Click on Filter b. Enter GRCFNxx* in the Function ID field (where xx is your Participant ID)

Page | 9

Unit 2 – Analyze and Manage Risk Exercise 2.3 – Maintain Function Solution:

Page | 10

i. GRCFNCxxB

Page | 11

Page | 12

Unit 2 – Analyze and Manage Risk Exercise 2.4 – Maintain Owners (Risk / Mitigation) Objective: To understand how to maintain Owners for Risk and Mitigating Controls

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Access Control Owners under the Access Owners section 4. Click Create 5. Create Risk Owner with the following information

a. Group Type – Owner b. Owner – ACRISKOWNxx (where xx is your Participant ID) c. Click box in Select column for Risk Owner d. Add Comments – Risk Owner Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) e. Click Save, then Close

6. Click Create 7. Create Mitigation Monitor with the following information

a. Group Type – Owner b. Owner – ACMITMONxx (where xx is your Participant ID) c. Click box in Select column for Mitigation Monitor d. Add Comments – Mitigation Monitor Maintenance for GRC Training Course Group xx e. Click Save, then Close

8. Click Create 9. Create Mitigation Approver with the following information

a. Group Type – Owner b. Owner – ACMITAPPxx (where xx is your Participant ID) c. Click box in Select column for Mitigation Monitor d. Add Comments – Mitigation Approver Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) e. Click Save, then Close

10. Click Settings 11. Add the Owner ID column to the Query display

a. Select Owner ID b. Click arrow to move item to right side c. Click OK

12. Use Filter to find your IDs a. Click Filter b. Enter AC*xx in Owner ID column (where xx is your Participant ID)

13. Close Query Screen by clicking on X in upper right corner 14. Maintain Users as an OWNER in organization (Applied to Mitigation Approvers and Mitigation Monitors)

a. Click arrow next to your participant ID organization (example 00‐CRG GLB INTL would be for ACTRNG00) b. Click arrow to open xx‐CRG HQ , then xx‐CRG Finance, select the xx‐CRG Controllers Office (where xx is

your Participant ID) c. Click Open d. Click on Tab list on right side of the bar where the tabs are located

Page | 13

e. Select Owners f. Click Add Row g. Add the following owners to the organization

i. Click Search button ii. Enter your Mitigation Approver ID and select iii. Click OK iv. Select type as OWNER v. Repeat steps i‐iv for the Mitigation Monitor ID vi. Click Save.

h. Close the Organization Window by clicking X in upper right corner

Page | 14

Unit 2 – Analyze and Manage Risk Exercise 2.4 – Maintain Owners (Risk / Mitigation) Solution:

1. Maintain Owners

a. Risk Owner

Page | 15

b. Mitigation Monitors

Page | 16

c. Mitigation Approvers i. Maintain Mitigation Approver

Page | 17

ii. Maintain User as Owner in Organization

Page | 18

Page | 19

Page | 20

Page | 21

Unit 2 – Analyze and Manage Risk Exercise 2.5 – Maintain Risk Objective: To understand how to maintain a Risk and view change history

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Access Risks under the Access Rule Maintenance section 4. Create a Risk with the following information

a. Access Risk ID – GRCRSKxx (where xx is your Participant ID) b. Risk Type – Segregation of Duties c. Business Process – Finance d. Description ‐ GRC Access Control Training Group xx (where xx is your Participant ID) e. Risk Level – Medium f. Status – Active g. Description ‐ Risk Maintenance for GRC Training Course Group xx (where xx is your Participant ID) h. Objective – Training

5. Add the functions you just created in the previous exercise a. Click Add to insert a line b. Enter GRCFNxxA or use search (where xx is your Participant ID) c. Repeat steps a and b to enter GRCFNxxB (where xx is your Participant ID)

6. Click on Rule Sets tab 7. Add risk to the Rule Set previously created

a. Click Add to insert a line b. Enter ACRULExx or use search (where xx is your Participant ID)

8. Click on Risk Owners tab 9. Add risk owner to risk

a. Click on Add b. Enter ACRISKOWNxx or use search (where xx is your Participant ID)

10. Click Save 11. Click on Change History tab to view

Page | 22

Unit 2 – Analyze and Manage Risk Exercise 2.5 – Maintain Risk Solution

i. GRCRSKxx

Page | 23

Page | 24

Unit 2 – Analyze and Manage Risk Exercise 2.6 – Maintain Critical Access Rule for Critical Role

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Critical Roles under the Critical Access Rules section 4. Create a Critical Access Rule with the following information

a. System – ZMGCLNT800 b. Z_GRC_BS_SEC_CRITICAL_ROLE_xx (where xx is your participant ID) c. Risk Level – Medium d. Status – Active e. Risk Description – Critical Role Maintenance for GRC Training Course Group xx (where xx is your

Participant ID)

Page | 25

Unit 2 – Analyze and Manage Risk Exercise 2.6 – Maintain Critical Access Rule for Critical Role Solution

Maintain Critical Role

Page | 26

Unit 2 – Analyze and Manage Risk Exercise 2.7 – Maintain Control

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Mitigating Controls under the Mitigating Controls section 4. Create a Mitigating Control with the following information 5. On General Tab

a. Mitigating Control ID – GRCMCTxx (where xx is your Participant ID) b. Name – Mitigating Control Group xx (where xx is your Participant ID) c. Description – Mitigating Control Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) d. Organization – xx‐CRG Controllers Office (where xx is your Participant ID) (example 00‐CRG GLB INTL

would be for ACTRNG00) e. Process – Finance f. Subprocess – FPE‐Financial Period Maintenance g. Enter “Enter additional notes here.” In the Notes section. Use formatting to change look or add

numbering or bullets 6. Click Access Risks tab

a. Click Add Row b. Enter Risk ID (or search) GRCRSKxx (where xx is your Participant ID) c. Leave Rule ID blank

7. Click Owners tab a. Click Add Row b. Enter User ID for Owner (or search) ACMITAPPxx (where xx is your Participant ID) c. Select Assignment Type – Approver d. Click Add Row e. Enter User ID for Monitor (or search) ACMITMONxx (where xx is your Participant ID) f. Select Assignment Type – Monitor

8. Click Reports tab a. Click Add Row b. System – ZMGCLNT800 c. Action – FC10 d. Select Monitor from dropdown list e. Frequency of days 30

9. Click on Attachments and Links tab a. Click Add, then Add link b. Enter Title – Training Link c. Enter Path – www.sap.com d. Click OK

10. Click Save 11. Use Filter to show the Control just created 12. Close query window by clicking X in upper right corner

Page | 27

Unit 2 – Analyze and Manage Risk Exercise 2.7 – Maintain Control Solution

1. Maintain Mitigation Control a. GRCMCTxx

Page | 28

Page | 29

Page | 30

Page | 31

Page | 32

Page | 33

Page | 34

Unit 2 – Analyze and Manage Risk Exercise 2.8 – Assign User to Control

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Mitigated Users under the Mitigated Access section 4. Click Assign 5. Assign users to a Mitigating Control with the following information

a. Access Risk ID – GRCRSKxx (where xx is your Participant ID) b. Rule ID – leave blank c. Control ID – GRCMCTxx (where xx is your Participant ID) d. Select Monitor e. Valid from – Today’s Date f. Valid to – Today’s Date Next Year g. Status Active h. Select Approver i. Click Add under Users Section j. Enter User ID GRCRA1 or use search functionality

6. Click Save, then Close 7. User Filter and Settings to modify query view

Page | 35

Unit 2 – Analyze and Manage Risk Exercise 2.8 – Assign User to Control Solution:

1. Assign Mitigation Control

Page | 36

Page | 37

Unit 2 – Analyze and Manage Risk Exercise 2.9 – AdHoc Analysis ‐ Role

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Role Level under the Access Risk Analysis section 4. Create an Access Risk report with the following information:

a. System – ZMGCLNT800 b. Role Type – Technical Role c. Role – Z_GRC_PR_API_ROLE_VIOL

5. Under Report Options a. Choose report format

i. Select Summary in first dropdown box ii. Select Technical View in second dropdown box

b. Select Access Risk Analysis radio button i. Select Action Level, Permission Level, and Analytical Report

6. Under Additional Criteria a. Select Include Mitigated Risks

7. Click Run in Foreground 8. When report appears, open header Analysis Criteria to see report options 9. In results area

a. Select different Types to view Action, Permission and Analytical Report data b. Select different Formats to view Summary, Detail, Management Summary or Executive Summary

10. Close the report window 11. In the report options of the current window, select Fastrak Analysis radio button 12. Click Run in Foreground 13. Select a line in the report and click Detail button 14. Close results screen to return to Analysis Criteria Selection screen 15. Run this report again, but select Business View on the format line in the second dropdown 16. For more practice, another role exists with violations

a. Z_GRC_SD_ARI_ROLE_VIOL

Page | 38

Unit 2 – Analyze and Manage Risk Exercise 2.9 – AdHoc Analysis ‐ Role Solution

2. AdHoc Analysis – Role

Page | 39

Page | 40

Page | 41

Page | 42

Page | 43

Page | 44

Repeat analysis for a different role:

Page | 45

Page | 46

Unit 2 – Analyze and Manage Risk Exercise 2.10 – AdHoc Analysis ‐ User

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click User Level under the Access Risk Analysis section 4. Create an Access Risk report with the following information:

a. System – ZMGCLNT800 b. User – GRCRA1 to GRCRA3 (hint: Change the IS parameter) c. Rule Set – Global



b. Select Access Risk Analysis radio button i. Select Action Level, Permission Level, Critical Action, and Critical Permission

6. Under Additional Criteria a. Select Include Mitigated Risks and Show All Objects

7. Click Run in Foreground 8. When report appears, open header Analysis Criteria to see report options 9. In results area


10. Close the report window 11. In the report options of the current window, select Fastrak Analysis radio button 12. Click Run in Foreground 13. Select a line in the report and click Detail button 14. Close results screen to return to Analysis Criteria Selection screen 15. Run this report again, but select Business View on the format line in the second dropdown

Page | 47

Unit 2 – Analyze and Manage Risk Exercise 2.10 – AdHoc Analysis ‐ User Solution

3. AdHoc Analysis – User

Page | 48

Page | 49

Page | 50

Page | 51

Unit 2 – Analyze and Manage Risk Exercise 2.11 – Role Level Simulation

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Role Level Simulation under the Access Risk Analysis section 4. Create an Access Risk report with the following information:

a. System – ZMGCLNT800 b. Role Type – Technical Role c. Role – Z_GRC_FI_FPE_PERIOD_MAINTAIN



b. Select Access Risk Analysis radio button i. Select Action Level, Permission Level, Critical Action, Critical Permission and Analytical Report


7. Click Next 8. On Actions Tab

a. Click Add to insert a row for each of the following actions i. FB01 ii. FB50

9. Click Run in Foreground 10. When report appears, open header Analysis Criteria to see report options 11. Report will appear showing current and new simulated risks. 12. In results area


13. Click Previous 14. In Additional Criteria select Include Users 15. Click Run in Background (User Impact analysis can only be done in background) 16. Schedule job with following information

a. Name – xx‐BG Role Simulation (where xx is your Participant ID) b. Recurring Plan – NO c. Start Immediately – YES d. Click OK

17. Return to the Access Management workcenter 18. Click Background Jobs in the Scheduling section 19. A list of background jobs will appear

a. This type of simulation will produce 2 reports i. Role Level Simulation ii. Impact User Analysis

20. Select a job when it is finished 21. Click View Results button 22. When report appears, open header Analysis Criteria to see report options

Page | 52

23. Report will appear showing current and new simulated risks. a. Note the same selections will appear for Type and Format as in previous AdHoc reporting

Page | 53

Unit 2 – Analyze and Manage Risk Exercise 2.11 – Role Level Simulation Solution:

1. Simulation – Role

Page | 54

Page | 55

Page | 56

Page | 57

Page | 58

Role Simulation Report

Page | 59

User Impact Analysis

Page | 60

Page | 61

Unit 2 – Analyze and Manage Risk Exercise 2.12 – User Level Simulation

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click User Level Simulation under the Access Risk Analysis section 4. Create an Access Risk report with the following information:

a. System – ZMGCLNT800 b. User – GRCRA2 c. Rule Set ‐ Global



b. Select Access Risk Analysis radio button i. Select Action Level, and Permission Level,


7. Click Next 8. On Actions Tab

a. Click Add to insert a row for each of the following actions i. MIGO

9. Click Run in Foreground 10. When report appears, open header Analysis Criteria to see report options 11. Report will appear showing current and new simulated risks. 12. In results area


13. Click Previous 14. In Additional Criteria select Risks from Simulation Only 15. When report appears, open header Analysis Criteria to see report options 16. Report will appear showing only new simulated risks.

Page | 62

Unit 2 – Analyze and Manage Risk Exercise 2.12 – User Level Simulation Solution:

1. Simulation – User

Page | 63

Simulation Risks are near bottom

Page | 64

Page | 65

Page | 66

Firefighter ID Owner Firefighter ID Owners are responsible for maintaining firefighter IDs and their assignments to firefighters Firefighter Role Owner Firefighter Role Owners are responsible for maintaining firefighter roles and their assignments to firefighters Risk Owner Risk Owners are assigned to risks and are commonly responsible for approving changes to risk definitions and violations of the risk. Risk Owners may also receive conflicting and critical action alerts. Role Owner Role owners are responsible for approving either role content or user‐role assignment or both Mitigation Monitors Mitigation Monitors are assigned to controls to monitor activity and may receive control monitor alerts. Mitigation Approvers Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. Firefighter ID Controller Firefighter ID Controllers are responsible for reviewing the log report generated during firefighter ID usage. Firefighter Role Controller Firefighter Role Controllers are responsible for reviewing the log report generated during firefighter role usage. Point of Contact Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles. Security Lead Security Lead is a group or individual that can provide secondary approval for access requests and reviews Workflow Administrator Workflow administrator is responsible for reassignment of workflows due to an incorrect approver, error condition, or escalation.

unit 2 - analyze and manage risk virtual labs

Documents