Unit 3 - Design and Manage Roles Virtual Labs
Unit 3 – Design and Manage Roles
Exercise 3.1.1 – Review Design and Manage Roles specific Configuration
Objective – To understand the current and available configurations of the GRC v10.0 system
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Maintain Configuration Settings
   a. Review the following settings related to Analyze and Manage Risk
   b. List which settings are set and their values
      i. 10-Role Management:3000-Default Business Process
      ii. 10-Role Management:3001-Default Subprocess
      iii. 10-Role Management:3002-Default Critical Level
      iv. 10-Role Management:3003-Default Project Release
      v. 10-Role Management:3004-Default Role Status
      vi. 10-Role Management:3005-Reset Role Methodology when Changing Role Attributes
      vii. 10-Role Management:3006-Allow add functions to an authorization
      viii. 10-Role Management:3007-Allow editing organizational level values for derived roles
      ix. 10-Role Management:3008-A ticket number is required after authorization data changes
      x. 10-Role Management:3009-Allow Role Deletion from Back-End
      xi. 10-Role Management:3010-Allow attaching files to the role definition
      xii. 10-Role Management:3011-Conduct Risk Analysis before Role Generation
      xiii. 10-Role Management:3012-Allow Role Generation on Multiple Systems
      xiv. 10-Role Management:3013-Use logged-on user credentials for role generation
      xv. 10-Role Management:3014-Allow role generation with Permission Level violations
      xvi. 10-Role Management:3015-Allow role generation with Critical Permission violations
      xvii. 10-Role Management:3016-Allow role generation with Action Level violations
      xviii. 10-Role Management:3017-Allow role generation with Critical Action violations
      xix. 10-Role Management:3018-Allow role generation with Critical Role/Profile violations
      xx. 10-Role Management:3019-Overwrite individual role's Risk Analysis result during Mass Risk Analysis run
      xxi. 10-Role Management:3020-Role certification reminder notification
      xxii. 10-Role Management:3021-Directory for mass role import server files
      xxiii. 5-Workflow:3022-Request Type for Role Approval
      xxiv. 5-Workflow:3023-Priority for Role Approval

Exercise 3.1.1 – Review Design and Manage Roles specific Configuration
Solution:
Exercise 3.1.2 – Review Design and Manage Roles specific Configuration
Objective – To understand the current and available configurations of the GRC v10.0 system
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Maintain Role Type Settings → Deactivate Role Types
   a. Review the following settings related to Design and Manage Roles
      i. Maintain Role Types
         1. Are there any role types that have been deactivated? YES / NO
      ii. Maintain Labels for Role Types
         1. What is the description of Role Type TPL? _________________________
      iii. Specify Maximum Length for Role Type
         1. What is the maximum number of characters for Single Roles in User Management Engine application (Hint: Application Type 3) _____________________
         2. What is the maximum number of characters for Single Roles in SAP application? __________

Exercise 3.1.2 – Review Design and Manage Roles specific Configuration
Solution:
Maintain Role Types
   Are there any role types that have been deactivated? NO
Maintain Labels for Role Types
   What is the description of Role Type TPL? TEMPLATE
Specify Maximum Length for Role Type
   What is the maximum number of characters for Single Roles in User Management Engine application (Hint: Application Type 3) 40
   What is the maximum number of characters for Single Roles in SAP application? 30
Deactivate Role Types
i. Maintain Labels for Role Types
ii. Specify Maximum Length for Role Types
Exercise 3.1.3 – Review Design and Manage Roles specific Configuration
Objective – To understand the current and available configurations of the GRC v10.0 system
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Specify Naming Conventions
   a. Review the following settings related to Design and Manage Roles
      i. How many naming conventions have been configured? __________
      ii. What is the Connector Group attached to Naming Convention 3? ____________
      iii. There is a mismatch in configuration for the Naming Convention for Business Roles. What is it? ____________________
      iv. What role attributes are used for Composite roles to create the role ID? ____________________

Exercise 3.1.3 – Review Design and Manage Roles specific Configuration
Solution:
i. How many naming conventions have been configured? 4
ii. What is the Connector Group attached to Naming Convention 3? R3
iii. There is a mismatch in configuration for the Naming Convention for Business Roles. What is it? The maximum length for this role type is configured at 30 characters, but the role naming convention is configured to 40 characters
iv. What role attributes are used for Composite roles to create the role ID? Role Type, Business Process, Business Subprocess
b. Specify Naming Conventions
Exercise 3.1.4 – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Maintain Project and Product Release Name
   a. Review the following settings related to Design and Manage Roles
      i. How many project releases have been configured? __________
      ii. What is the Project Release ID and Description ______________________________________

Exercise 3.1.4 – Review Design and Manage Roles specific Configuration
Solution:
i. How many project releases have been configured? 1
ii. What is the Project Release ID and Description PROD ; Production
c. Maintain Project and Product Release Name
Exercise 3.1.5 – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Define Role Sensitivity
   a. Review the following settings related to Design and Manage Roles
      i. What is the description of Role Sensitivity ID 3? __________

Exercise 3.1.5 – Review Design and Manage Roles specific Configuration
Solution:
i. What is the description of Role Sensitivity ID 3? Restricted
d. Define Role Sensitivity
Exercise 3.1.6 – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Maintain Role Status
   a. Review the following settings related to Design and Manage Roles
      i. What is the Role Status ID for “In Productive Use”? _____________

Exercise 3.1.6 – Review Design and Manage Roles specific Configuration
Solution:
i. What is the Role Status ID for “In Productive Use”? PRD
e. Maintain Role Status
Exercise 3.1.7 – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Specify Critical Level
   a. Review the following settings related to Design and Manage Roles
      i. What does the Critical Level ID “VH” mean? _____________

Exercise 3.1.7 – Review Design and Manage Roles specific Configuration
Solution:
i. What does the Critical Level ID “VH” mean? Very High
f. Specify Critical Level
Exercise 3.1.8 – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Define Companies
   a. Review the following settings related to Design and Manage Roles
      i. What is the Company ID for the IDES Company? _____________

Exercise 3.1.8 – Review Design and Manage Roles specific Configuration
Solution:
i. What is the Company ID for the IDES Company? 0001
g. Define Companies
Exercise 3.1.9 – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Maintain Functional Areas
   a. Review the following settings related to Design and Manage Roles
      i. What is the Functional Area ID for the Materials Management? _____________
      ii. What is the abbreviation for the Sales functional area? _______________

Exercise 3.1.9 – Review Design and Manage Roles specific Configuration
Solution:
i. What is the Functional Area ID for the Materials Management? MATERIAL
ii. What is the abbreviation for the Sales functional area? SD
h. Maintain Functional Areas
Exercise 3.1.A – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Define Organizational Value Maps
   a. Review the following settings related to Design and Manage Roles
      i. What is the parent organizational value for this map? List Org Level (ID or description) and the value. _____________
      ii. What is the value of Org Level LGNUM for this value map? _______________

Exercise 3.1.A – Review Design and Manage Roles specific Configuration
Solution:
i. What is the parent organizational value for this map? List Org Level (ID or description) and the value. BUKRS/Company Code; 1000
ii. What is the value of Org Level LGNUM for this value map? 010
i. Define Organizational Value Maps
Exercise 3.1.B – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Define Prerequisite Types
   a. Review the following settings related to Design and Manage Roles
      i. What is the description for prerequisite type CERTIF? _____________

Exercise 3.1.B – Review Design and Manage Roles specific Configuration
Solution:
What is the description for prerequisite type CERTIF? Certification
Define Prerequisite Types
Exercise 3.1.C – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Define Role Prerequisites
   a. Review the following settings related to Design and Manage Roles
      i. What is the Course ID and description for the CERT role prerequisite? _____________

Exercise 3.1.C – Review Design and Manage Roles specific Configuration
Solution:
i. What is the Course ID and description for the CERT role prerequisite? CERT305; Certification Course 305
j. Define Role Prerequisites
Exercise 3.1.D – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Assign Condition Groups to BRFplus Functions
   a. Review the following settings related to Design and Manage Roles
      i. What are the condition groups listed? ______________________________
5. Execute transaction BRF+. A new window will open that will show the BRFplus workbench.
   a. NOTE: BRF+ will be detailed in a subsequent Lab. This is to familiarize the participant with some BRF+ screens and navigation. It is also important to note that BRF+ is a tool to analyze attributes and return a result. This result is returned to the requesting program.
   b. Review the BRF+ Application
      i. Click Search in the Repository Navigation pane
      ii. In Define Search screen, search for Object Name ZBRM* (from the application column of the above viewed data)
      iii. Click Search
      iv. The BRF application will now appear in the Navigation area
      v. Change the User Mode to Expert
         1. Click Workbench
         2. Click User Mode
         3. Click Expert
      vi. Open Expression navigation folder
      vii. Open Decision Tree navigation folder
      viii. Select ROLE_METHODOLOGY_EXPRESSION
      ix. Review the BRF rules.
         1. The table states that if Role Type = SIN, then the Methodology Condition result returned is SIN01; if COM, the result is COM01; if BUS, the result is BUS01. This is used to determine the Role Methodology, as will be seen in Exercise 3.2F.
         2. View the detailed expression for the SIN role
            a. Select the row (if not already selected)
            b. Click Edit Row (if Edit Row is not visible, check to see if you are in Change Mode at the top of the screen. If not, click Edit button).
            c. Click Cancel to return to Table Contents.
      x. Select the APPROVER_METHODOLOGY_EXPRESSION
         1. This table states that if the Role Type is SIN and the Business Process is MM00, the result returned is MM01. This is used to determine a ‘default’ owner. This will be explained in exercise 3.3.

Exercise 3.1.D – Review Design and Manage Roles specific Configuration
Solution:
k. Assign Condition Groups to BRFplus Functions
   i. NOTE: BRF+ will be covered in detail in a separate lab exercise
Exercise 3.1.E – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Define Methodology Processes and Steps
   a. Review the following settings related to Design and Manage Roles
      i. Click Define Step to review the available steps and the Phase definition
      ii. Click Define Methodology to view the configured role maintenance methodologies and which one is the default.
      iii. Select a methodology and click Methodology Step to view the associated phases and their sequence

Exercise 3.1.E – Review Design and Manage Roles specific Configuration
Solution:
l. Define Methodology Processes and Steps
Exercise 3.1.F – Review Design and Manage Roles specific Configuration
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SPRO
3. Click SAP Reference IMG
4. Open Folders – Governance Risk and Compliance → Access Control → Role Management → Associate Methodology Process to Condition Group
   a. This configuration uses the information from the previous 2 exercises.
   b. Review the following settings related to Design and Manage Roles
      i. To explain the columns
         1. The Condition Group IDs are the same ones that BRF+ will return to Access Control based on the attributes in the decision table. This was covered in Exercise 3.1.D.
         2. The Methodology Column refers to the methodology ID reviewed in Exercise 3.1.E.
   c. Which Methodology will a Composite role use? ________________________________
   d. What Role type will use Methodology 4? ______________________________________

Exercise 3.1.F – Review Design and Manage Roles specific Configuration
Solution:
a. Which Methodology will a Composite role use? 3 – Methodology Process for Composite Roles
b. What Role type will use Methodology 4? Business Role
m. Associate Methodology Process to Condition Group
   i. Note: These associate to the results in Assign Condition Groups to BRFplus Functions
Exercise 3.2 – Maintain Owners for Role Management
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Go to workcenter Setup
3. Click Access Control Owners under the Access Owners section
4. Click Create
5. Create Role Owners with the following information
   a. Group Type – Owner
   b. Owner – ACROLEOWNxx (where xx is your Participant ID)
   c. Click box in Select column for Role Owner
   d. Add Comments – Role Owner Maintenance for GRC Training Course Group xx (where xx is your Participant ID)
   e. Click Save, then Close
   f. Repeat steps above for User ID ACROLEAPPxx. In comments use: Role Approver Maintenance for GRC Training Course Group xx (where xx is your Participant ID)
6. Click Close
7. Use Filter to find your IDs
   a. Click Filter
   b. Enter AC*xx in Owner ID column (where xx is your Participant ID)
8. Close Query Screen by clicking on X in upper right corner

Exercise 3.2 – Maintain Owners for Role Management
Solution:
1. Maintain Owners / Approvers (Provisioning)
   n. Assign User as Role Owner
Exercise 3.3 – Maintain Default Role Owners with Condition Group
1. Note: This functionality is to assign DEFAULT owners based on criteria that are entered in BRF+. The user can be the Assignment Approver or the Role Content Approver or BOTH.
2. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
3. Go to workcenter Setup
4. Click Role Owners under the Access Owners section
5. Review information shown in query
   a. The Condition Group ID is the same one that was discussed in the BRF+ exercise (Exercise 3.1.D)
6. Create Role Owners with the following information

Exercise 3.3 – Maintain Default Role Owners with Condition Group
Solution:
a. Assign Default Owners/Approvers using Approver Condition ID (optional)
Exercise 3.4 – Role Maintenance-Single Role
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Go to workcenter Access Management
3. Click Role Maintenance under the Role Management section
4. Create a Single Role using the following information:
   a. On Define Role tab - Details
      i. Application Type – SAP
      ii. Landscape – ECC Landscape
      iii. Business Process – Basis
      iv. Subprocess – Security
      v. Project Release – Production
      vi. Finalize Role Name so that it shows as ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your Participant ID)
      vii. Description – Single Role Maintenance for GRC Training Course Group xx (where xx is your Participant ID)
      viii. Profile Name and Description – Leave BLANK
   b. Click Properties
      i. Critical Level – Medium
      ii. Sensitivity – Normal
      iii. Derivation allowed – NO
   c. Click Functional Area
      i. Click Add
      ii. Enter or use search to select Functional Area – BASIS
   d. Click Company
      i. Click Add
      ii. Enter or use search to select Company – 0001
   e. Click Prerequisite
      i. Click Add
      ii. Enter or use search to select Prerequisite Name – CERT
      iii. Verify on Request – NO
      iv. Active – enable
   f. Click Save to save data and stay in the same Phase
   g. Click Owners/Approvers
      i. Enter or search for ACROLEOWNxx (where xx is your Participant ID) and assign Assignment Approver and Role Content Approver
      ii. Enter or search for ACROLEAPPxx (where xx is your Participant ID) and assign Assignment Approver ONLY
   h. Click Additional Details tab
      i. Detailed Description – This role was created by a Training Participant Group xx (where xx is your Participant ID)
   i. Click Provisioning
      i. Select In Development
   j. Click Save to remain in same Phase
   k. Click Change History to view the change log for this role
   l. Click Save & Continue to move to the next Phase (Maintain Authorizations)
   m. Click Maintain Authorization Data button
      i. Enter AC Participant ID and password in the SAP GUI Shortcut
         1. Password will still be the initial password as this is for the backend (ZMG) system.
      ii. The PFCG screen will open.
      iii. Create a role with the following information
         1. In Menu Tab, insert the following Transactions
            a. XK01
            b. XK02
            c. XK03
            d. FB60
            e. MIRO
         2. Click Authorizations tab, click Change Authorization Data
         3. For the Organizational Levels, this should be FULL Authorization except for Account Type, enter K and S for Account type
         4. Set all other items in Authorizations screen to full by clicking on yellow arrows.
         5. Click Save
         6. Click Generate
         7. Exit out of PFCG screen
      iv. The NWBC screen will appear. Click Sync. With PFCG to bring changes back to Design and Manage Roles.
      v. Click Save & Continue to move to next phase (Derive Role)
      vi. Click Save & Continue to move to next phase (Analyze Access Risks)
         1. Click Foreground to run report with default settings
         2. As with Analyze and Manage Risk reports previously learned, use Type and Format to change the Risk Analysis results.
      vii. Select Impact Analysis in Analysis Type
         1. Since this is a NEW role, there is no value for impact analysis as the role is not provisioned to anyone or is not part of other roles yet.
      viii. Click Save & Continue to move to next phase (Generate Roles)
         1. Click Generate
         2. Validate the Default System is correct (ZMGCLNT800)
         3. Click Next
         4. Schedule the Generation - select Foreground
         5. Click Next
         6. Verify successful role generation
      ix. Click Save & Continue to move to complete
      x. Click Go to Phase, select Define Role
         1. Click Additional Details – Provisioning
            a. In Provisioning Allowed, select YES
            b. In Allow Auto Provisioning, select YES
            c. Set Role Status to In Productive Use
         2. Click Change History to view change log
         3. Click PFCG Change History to view the backend Log
            a. Enter logon data in SAP GUI Shortcut
            b. Verify Report Parameters
            c. Click Execute, review returned data
            d. Exit the Back end system
         4. Close Role screen
         5. Verify Current Phase for role is now COMPLETE.

Exercise 3.4 – Role Maintenance-Single Role
Solution:
2. Create Single Technical Role
Exercise 3.5 – Role Maintenance – Composite Role
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Go to workcenter Access Management
3. Click Role Maintenance under the Role Management section
4. Create a Composite Role using the following information:
   a. On Define Role tab - Details
      i. Application Type – SAP
      ii. Landscape – ECC Landscape
      iii. Business Process – Basis
      iv. Subprocess – Security
      v. Project Release – Production
      vi. Finalize Role Name so that it shows as ZS:BSSE:COMPOSITE_ROLE_xx (where xx is your Participant ID)
      vii. Description – Composite Role Maintenance for GRC Training Course Group xx (where xx is your Participant ID)
      viii. Profile Name and Description – Leave BLANK
   b. Click Properties
      i. Critical Level – High
      ii. Sensitivity – Restricted
      iii. Comments Mandatory – YES
   c. Click Functional Area
      i. Click Add
      ii. Enter or use search to select Functional Area – BASIS
   d. Click Company
      i. Click Add
      ii. Enter or use search to select Company – 0001
   e. Click Prerequisite
      i. Click Add
      ii. Enter or use search to select Prerequisite Name – CERT
      iii. Verify on Request – NO
      iv. Active – enable
   f. Click Save to save data and stay in the same Phase
   g. Click Roles
      i. Click Add
      ii. Enter or Search for Role
         1. ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your Participant ID)
         2. Use Arrow to move role to Selected
         3. Click OK
   h. Click Owners/Approvers
      i. Enter or search for ACROLEOWNxx and assign Role Content Approver ONLY (where xx is your Participant ID)
      ii. Enter or search for ACROLEAPPxx and assign Assignment Approver ONLY (where xx is your Participant ID)
   i. Click Additional Details tab
      i. Detailed Description – This role was created by a Training Participant (Group xx)
   j. Click Provisioning
      i. Select In Development
   k. Click Save to remain in same Phase
   l. Click Change History to view the change log for this role
   m. Click Save & Continue to move to the next Phase (Maintain Authorizations)
      i. Click Save & Continue to move to next phase (Analyze Access Risks)
         1. Click Foreground to run report with default settings
         2. As with Analyze and Manage Risk reports previously learned, use Type and Format to change the Risk Analysis results.
      ii. Select Impact Analysis in Analysis Type
         1. Since this is a NEW role, there is no value for impact analysis as the role is not provisioned to anyone or is not part of other roles yet.
      iii. Click Save & Continue to move to next phase (Request Approval)
         1. Click Initiate Approval Request
         2. Enter Request Reason – Training Course Group xx (where xx is your Participant ID)
         3. Click OK
      iv. Logoff the NWBC client using the Logoff link.
      v. Logon the NWBC client using ID ACROLEOWNxx (where xx is your Participant ID)
      vi. In My Home workcenter, click Work Inbox
      vii. Locate request for new composite role and approve
         1. Enter Comments – Approved Training Request Group xx (where xx is your Participant ID)
         2. Click YES to confirm approval
         3. Click Close
         4. Logoff ACROLEOWNxx (where xx is your Participant ID)
      viii. Logon as ACTRNGxx (where xx is your Participant ID)
      ix. Go to workcenter Access Management
      x. Click Role Maintenance under the Role Management section
      xi. Select Role from query
      xii. Click Open
      xiii. Once Request is approved, begin Role Maintenance process to generate role
         1. Go to workcenter Access Management
         2. Click Role Maintenance under the Role Management section
         3. Validate the Default System is correct (ZMGCLNT800)
         4. Click Next
         5. Schedule the Generation - select Foreground
         6. Click Next
         7. Verify successful role generation
      xiv. Click Save & Continue to move to complete
      xv. Click Go to Phase, select Define Role
         1. Click Additional Details – Provisioning
            a. Set Role Status to In Productive Use
            b. In Provisioning Allowed, select YES
            c. In Allow Auto Provisioning, select YES
         2. Click Change History to view change log
         3. Click PFCG Change History to view the backend Log
            a. Enter logon data in SAP GUI Shortcut
            b. Verify Report Parameters
            c. Click Execute, review returned data
            d. Exit the Back end system
         4. Close Role screen
         5. Verify Current Phase for role is now COMPLETE.

Exercise 3.5 – Role Maintenance – Composite Role
Solution:
3. Create Composite Technical Role
Logon as ACTRNGxx
Exercise 3.6 – Role Maintenance-Business Role
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Go to workcenter Access Management
3. Click Role Maintenance under the Role Management section
4. Create a Business Role using the following information:
   a. On Define Role tab – Details
      i. Application Type – Business Roles
      ii. Landscape – Role Management Business Group
      iii. Process – Basis
      iv. Subprocess – Security
      v. Project Release – Production
      vi. Finish Role Name - ZB:BS:BUSINESS_ROLE_GRPxx (where xx is your Participant ID)
      vii. Description – Business Role Maintenance for GRC Training Course Group xx (where xx is your Participant ID)
   b. Click Properties
      i. Critical Level – High
      ii. Comments Mandatory – YES
   c. Click Functional Area
      i. Click Add
      ii. Enter or use search to select Functional Area – BASIS
   d. Click Company
      i. Click Add
      ii. Enter or use search to select Company – 0001
   e. Click Prerequisite
      i. Click Add
      ii. Enter or use search to select Prerequisite Name – CERT
      iii. Verify on Request – NO
      iv. Active – enable
   f. Click Save to save data and stay in the same Phase
   g. Click Roles
      i. Click Add
      ii. Enter or Search for Role
         1. ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your Participant ID)
         2. ZC:BSSE:COMPOSITE_ROLExx (where xx is your Participant ID)
         3. Use Arrow to move role to Selected
         4. Click OK
   h. Click Owners/Approvers
      i. Enter or search for ACROLEOWNxx and assign Role Content Approver ONLY (where xx is your Participant ID)
      ii. Enter or search for ACROLEAPPxx and assign Assignment Approver ONLY (where xx is your Participant ID)
   i. Click Additional Details tab
      i. Detailed Description – This role was created by a Training Participant Group xx (where xx is your Participant ID)
   j. Click Provisioning
      i. Select In Development
   k. Click Define Role tab
   l. Click Save to remain in same Phase
   m. Click Change History to view the change log for this role
   n. Click Save & Continue to move to next phase (Analyze Access Risks)
      i. Click Foreground to run report with default settings
      ii. As with Analyze and Manage Risk reports previously learned, use Type and Format to change the Risk Analysis results.
   o. Select Impact Analysis in Analysis Type
      i. Since this is a NEW role, there is no value for impact analysis as the role is not provisioned to anyone or is not part of other roles yet.
   p. Click Save & Close to move to next phase (Maintain Test Cases)
      i. Click Create
      ii. Enter Test Case Name – Business Role Test Case Group xx (where xx is your Participant ID)
      iii. Enter Test Case Description – Business Role Test Case Group xx (where xx is your Participant ID)
      iv. Click Add, then Add Link
         1. Title – Business Role Test Link xx (where xx is your Participant ID)
         2. Path – www.sap.com
         3. Click Save
   q. Click Save & Continue to complete maintenance.
   r. Click Go to Phase, select Define Role
      i. Click Additional Detail – Provisioning
      ii. In Role Status, select In Productive Use
      iii. Click Save.

Exercise 3.6 – Role Maintenance-Business Role
Solution:
4. Create Business Role
Firefighter ID Owner – Firefighter ID Owners are responsible for maintaining firefighter IDs and their assignments to firefighters.
Firefighter Role Owner – Firefighter Role Owners are responsible for maintaining firefighter roles and their assignments to firefighters.
Risk Owner – Risk Owners are assigned to risks and are commonly responsible for approving changes to risk definitions and violations of the risk. Risk Owners may also receive conflicting and critical action alerts.
Role Owner – Role owners are responsible for approving either role content or user-role assignment or both.
Mitigation Monitors – Mitigation Monitors are assigned to controls to monitor activity and may receive control monitor alerts.
Mitigation Approvers – Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled.
Firefighter ID Controller – Firefighter ID Controllers are responsible for reviewing the log report generated during firefighter ID usage.
Firefighter Role Controller – Firefighter Role Controllers are responsible for reviewing the log report generated during firefighter role usage.
Point of Contact – Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles.
Security Lead – Security Lead is a group or individual that can provide secondary approval for access requests and reviews.
Workflow Administrator – Workflow administrator is responsible for reassignment of workflows due to an incorrect approver, error condition, or escalation.