unit 3 - design and manage roles virtual labs

Page | 1

Unit 3 – Design and Manage Roles Exercise 3.1.1 – Review Design and Manage Roles specific Configuration Objective – To understand the current and available configurations of the GRC v10.0 system

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Maintain Configuration Settings

a. Review the following settings related to Analyze and Manage Risk b. List which settings are set and their values

i. 10‐Role Management:3000‐Default Business Process ii. 10‐Role Management:3001‐Default Subprocess iii. 10‐Role Management:3002‐Default Critical Level iv. 10‐Role Management:3003‐Default Project Release v. 10‐Role Management:3004‐Default Role Status vi. 10‐Role Management:3005‐Reset Role Methodology when Changing Role Attributes vii. 10‐Role Management:3006‐Allow add functions to an authorization viii. 10‐Role Management:3007‐Allow editing organizational level values for derived roles ix. 10‐Role Management:3008‐A ticket number is required after authorization data changes x. 10‐Role Management:3009‐Allow Role Deletion from Back‐End xi. 10‐Role Management:3010‐Allow attaching files to the role definition xii. 10‐Role Management:3011‐Conduct Risk Analysis before Role Generation xiii. 10‐Role Management:3012‐Allow Role Generation on Multiple Systems xiv. 10‐Role Management:3013‐Use logged‐on user credentials for role generation xv. 10‐Role Management:3014‐Allow role generation with Permission Level violations xvi. 10‐Role Management:3015‐Allow role generation with Critical Permission violations xvii. 10‐Role Management:3016‐Allow role generation with Action Level violations xviii. 10‐Role Management:3017‐Allow role generation with Critical Action violations xix. 10‐Role Management:3018‐Allow role generation with Critical Role/Profile violations xx. 10‐Role Management:3019‐Overwrite individual role's Risk Analysis result during Mass Risk

Analysis run xxi. 10‐Role Management:3020‐Role certification reminder notification xxii. 10‐Role Management:3021‐Directory for mass role import server files xxiii. 5‐Workflow:3022‐Request Type for Role Approval xxiv. 5‐Workflow:3023‐Priority for Role Approval

Page | 2

Unit 3 – Design and Manage Roles Exercise 3.1.1 – Review Design and Manage Roles specific Configuration Solution:

Page | 3

Page | 4


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Maintain Role Type

Settings Deactivate Role Types a. Review the following settings related to Design and Manage Roles

i. Maintain Role Types 1. Are there any role types that have been deactivated? YES / NO

ii. Maintain Labels for Role Types 1. What is the description of Role Type TPL? _________________________

iii. Specify Maximum Length for Role Type 1. What is the maximum number of characters for Single Roles in User Management

Engine application (Hint: Application Type 3) _____________________ 2. What is the maximum number of characters for Single Roles in SAP application?

__________

Page | 5


Maintain Role Types Are there any role types that have been deactivated? NO

Maintain Labels for Role Types What is the description of Role Type TPL? TEMPLATE

Specify Maximum Length for Role Type What is the maximum number of characters for Single Roles in User Management Engine application (Hint: Application Type 3) 40 What is the maximum number of characters for Single Roles in SAP application? 30

Deactivate Role Types

Page | 6

Page | 7

i. Maintain Labels for Role Types

Page | 8

Page | 9

ii. Specify Maximum Length for Role Types

Page | 10

Page | 11


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Specify Naming

Conventions a. Review the following settings related to Design and Manage Roles

i. How many naming conventions have been configured? __________ ii. What is the Connector Group attached to Naming Convention 3? ____________ iii. There is a mismatch in configuration for the Naming Convention for Business Roles. What is it?

______________________________________________________________________________ iv. What role attributes are used for Composite roles to create the role ID?

______________________________________________________________________________

Page | 12


i. How many naming conventions have been configured? 4 ii. What is the Connector Group attached to Naming Convention 3? R3 iii. There is a mismatch in configuration for the Naming Convention for Business Roles. What is

it? The maximum length for this role type is configured at 30 characters, but the role naming convention is configured to 40 characters

iv. What role attributes are used for Composite roles to create the role ID? Role Type, Business Process, Business Subprocess

b. Specify Naming Conventions

Page | 13

Page | 14

Page | 15

Page | 16

Unit 3 – Design and Manage Roles Exercise 3.1.4 – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Maintain Project

and Product Release Name a. Review the following settings related to Design and Manage Roles

i. How many project releases have been configured? __________ ii. What is the Project Release ID and Description ______________________________________

Page | 17


i. How many project releases have been configured? 1 ii. What is the Project Release ID and Description PROD ; Production

c. Maintain Project and Product Release Name

Page | 18

Page | 19


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Define Role

Sensitivity a. Review the following settings related to Design and Manage Roles

i. What is the description of Role Sensitivity ID 3? __________

Page | 20


i. What is the description of Role Sensitivity ID 3? Restricted

d. Define Role Sensitivity

Page | 21

Page | 22


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Maintain Role Status

a. Review the following settings related to Design and Manage Roles i. What is the Role Status ID for “In Productive Use”? _____________

Page | 23


i. What is the Role Status ID for “In Productive Use”? PRD

e. Maintain Role Status

Page | 24

Page | 25


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Specify Critical Level

a. Review the following settings related to Design and Manage Roles i. What is the Critical Level ID for “VH” mean? _____________

Page | 26


i. What is the Critical Level ID for “VH” mean? Very High

f. Specify Critical Level

Page | 27

Page | 28


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Define Companies

a. Review the following settings related to Design and Manage Roles i. What is the Company ID for the IDES Company? _____________

Page | 29


i. What is the Company ID for the IDES Company? 0001

g. Define Companies

Page | 30

Page | 31


1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Maintain Functional

Areas a. Review the following settings related to Design and Manage Roles

i. What is the Functional Area ID for the Materials Management? _____________ ii. What is the abbreviation for the Sales functional area? _______________

Page | 32


i. What is the Functional Area ID for the Materials Management? MATERIAL ii. What is the abbreviation for the Sales functional area? SD

h. Maintain Functional Areas

Page | 33

Page | 34

Unit 3 – Design and Manage Roles Exercise 3.1.A – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Define

Organizational Value Maps a. Review the following settings related to Design and Manage Roles

i. What is the parent organizational value for this map? List Org Level (ID or description) and the value. _____________

ii. What is the value of Org Level LGNUM for this value map? _______________

Page | 35

Unit 3 – Design and Manage Roles Exercise 3.1.A – Review Design and Manage Roles specific Configuration Solution:

i. What is the parent organizational value for this map? List Org Level (ID or description) and the value. BUKRS/Company Code; 1000

ii. What is the value of Org Level LGNUM for this value map? 010 i. Define Organizational Value Maps

Page | 36

Page | 37

Unit 3 – Design and Manage Roles Exercise 3.1.B – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Define Prerequisite

Types a. Review the following settings related to Design and Manage Roles

i. What is the description for prerequisite type CERTIF? _____________

Page | 38

Unit 3 – Design and Manage Roles Exercise 3.1.B – Review Design and Manage Roles specific Configuration Solution:

What is the description for prerequisite type CERTIF? Certification Define Prerequisite Types

Page | 39

Page | 40

Unit 3 – Design and Manage Roles Exercise 3.1.C – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Define Role

Prerequisites a. Review the following settings related to Design and Manage Roles

i. What is the Course ID and description for the CERT role prerequisite? _____________

Page | 41

Unit 3 – Design and Manage Roles Exercise 3.1.C – Review Design and Manage Roles specific Configuration Solution:

i. What is the Course ID and description for the CERT role prerequisite? CERT305; Certification Course 305

j. Define Role Prerequisites

Page | 42

Page | 43

Unit 3 – Design and Manage Roles Exercise 3.1.D – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Assign Condition

Groups to BRFplus Functions a. Review the following settings related to Design and Manage Roles

i. What are the condition groups listed? ______________________________ 5. Execute transaction BRF+. A new window will open that will show the BRFplus workbench.

a. NOTE: BRF+ will be details in a subsequent Lab. This is to familiarize the participant with some BRF+ screens and navigation. It is also important to note the BRF+ is a tool to analyze attributes and return a result. This result is returned to the requesting program.

b. Review the BRF+ Application i. Click Search in the Repository Navigation pane ii. In Define Search screen, search for Object Name ZBRM* (from the application column of the

above viewed data) iii. Click Search iv. The BRF application will now appear in the Navigation area v. Change the User Mode to Expert

1. Click Workbench 2. Click User Mode 3. Click Expert

vi. Open Expression navigation folder vii. Open Decision Tree navigation folder viii. Select ROLE_METHODOLOGY_EXPRESSION ix. Review the BRF rules.

1. The table states the if Role Type = SIN, then the Methodology Condition result returned is SIN01, if COM, the result is COM01, if BUS, the result is BUS01. This is used to determine the Role Methodology as will be seen in Exercise 3.2F.

2. View the detailed expression for the SIN role a. Select the row (if not already selected) b. Click Edit Row (if Edit Row is not visible, check to see if you are in Change Mode

at the top of the screen. If not, click Edit button. c. Click Cancel to return to Table Contents.

x. Select the APPROVER_METHODOLOGY_EXPRESSION 1. This table states that if the Role Type is SIN and the Business Process is MM00, the

result returned is MM01. This is used to determine a ‘default’ owner. This will be explained in exercise 3.3.

Page | 44

Unit 3 – Design and Manage Roles Exercise 3.1.D – Review Design and Manage Roles specific Configuration Solution:

k. Assign Condition Groups to BRFplus Functions i. NOTE: BRF+ will be covered in detail in a separate lab exercise

Page | 45

Page | 46

Page | 47

Page | 48

Page | 49

Page | 50

Page | 51

Unit 3 – Design and Manage Roles Exercise 3.1.E – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Define Methodology

Processes and Steps a. Review the following settings related to Design and Manage Roles

i. Click Define Step to review the available steps and the Phase defination ii. Click Define Methodology to view the configured role maintenance methodologies and which

one is the default. iii. Select a methodology and click Methodology Step to view the associated phases and their

sequence

Page | 52

Unit 3 – Design and Manage Roles Exercise 3.1.E – Review Design and Manage Roles specific Configuration Solution:

l. Define Methodology Processes and Steps

Page | 53

Page | 54

Page | 55

Page | 56

Page | 57

Unit 3 – Design and Manage Roles Exercise 3.1.F – Review Design and Manage Roles specific Configuration

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Role Management Associate

Methodology Process to Condition Group a. This configuration uses the information from the previous 2 exercises. b. Review the following settings related to Design and Manage Roles

i. To explain the columns 1. The Condition Group IDs are the same ones that BRF+ will return to Access Control

based on the attributes in the decision table. This was covered in Exercise 3.1.D. 2. The Methodology Column refers to the methodology ID reviewed in Exercise 3.1.E.

c. Which Methodology will a Composite role use? ________________________________ d. What Role type will use Methodology 4? ______________________________________

Page | 58

Unit 3 – Design and Manage Roles Exercise 3.1.F – Review Design and Manage Roles specific Configuration Solution:

a. Which Methodology will a Composite role use? 3 – Methodology Process for Composite Roles b. What Role type will use Methodology 4? Business Role

m. Associate Methodology Process to Condition Group

i. Note: These associate to the results in Assign Condition Groups to BRFplus Functions

Page | 59

Page | 60

Unit 3 – Design and Manage Roles Exercise 3.2 – Maintain Owners for Role Management

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Access Control Owners under the Access Owners section 4. Click Create 5. Create Role Owners with the following information

a. Group Type – Owner b. Owner – ACROLEOWNxx (where xx is your Participant ID) c. Click box in Select column for Role Owner d. Add Comments – Role Owner Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) e. Click Save, then Close f. Repeat steps above for User ID ACROLEAPPxx. In comments use: Role Approver Maintenance for GRC

Training Course Group xx (where xx is your Participant ID) 6. Click Close 7. Use Filter to find your IDs

a. Click Filter b. Enter AC*xx in Owner ID column (where xx is your Participant ID)

8. Close Query Screen by clicking on X in upper right corner

Page | 61

Unit 3 – Design and Manage Roles Exercise 3.2 – Maintain Owners for Role Management Solution:

1. Maintain Owners / Approvers (Provisioning) n. Assign User as Role Owner

Page | 62

Page | 63

Page | 64

Page | 65

Unit 3 – Design and Manage Roles Exercise 3.3 – Maintain Default Role Owners with Condition Group

1. Note: This functionality is to assign DEFAULT owners based on criteria that are entered in BRF+. The user can be the Assignment Approver or the Role Content Approver or BOTH.

2. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 3. Go to workcenter Setup 4. Click Role Owners under the Access Owners section 5. Review information shown in query

a. The Condition Group ID is the same one that was discussed in the BRF+ exercise (Exercise 3.1.D) 6. Create Role Owners with the following information

Page | 66

Unit 3 – Design and Manage Roles Exercise 3.3 – Maintain Default Role Owners with Condition Group Solution:

a. Assign Default Owners/Approvers using Approver Condition ID (optional)

Page | 67

Unit 3 – Design and Manage Roles Exercise 3.4 – Role Maintenance‐Single Role

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Role Maintenance under the Role Management section 4. Create a Single Role using the following information:

a. On Define Role tab ‐ Details i. Application Type – SAP ii. Landscape – ECC Landscape iii. Business Process – Basis iv. Subprocess – Security v. Project Release – Production vi. Finalize Role Name so that it shows as ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your

Participant ID) vii. Description – Single Role Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) viii. Profile Name and Description – Leave BLANK

b. Click Properties i. Critical Level – Medium ii. Sensitivity – Normal iii. Derivation allowed – NO

c. Click Functional Area i. Click Add ii. Enter or use search to select Functional Area – BASIS

d. Click Company i. Click Add ii. Enter or use search to select Company – 0001

e. Click Prerequisite i. Click Add ii. Enter or use search to select Prerequisite Name – CERT iii. Verify on Request – NO iv. Active – enable

f. Click Save to save data and say in the same Phase g. Click Owners/Approvers

i. Enter or search for ACROLEOWNxx (where xx is your Participant ID) and assign Assignment Approver and Role Content Approver

ii. Enter or search for ACROLEAPPxx (where xx is your Participant ID) and assign Assignment Approver ONLY

h. Click Additional Details tab i. Detailed Description – This role was created by a Training Participant Group xx (where xx is your

Participant ID) i. Click Provisioning

i. Select In Development

Page | 68

j. Click Save to remain in same Phase k. Click Change History to view the change log for this role l. Click Save & Continue to move to the next Phase (Maintain Authorizations) m. Click Maintain Authorization Data button

i. Enter AC Participant ID and password in the SAP GUI Shortcut 1. Password will be still be the initial password as this is for the backend (ZMG) system.

ii. The PFCG screen will open. iii. Create a role with the following information

1. In Menu Tab, insert the following Transactions a. XK01 b. XK02 c. XK03 d. FB60 e. MIRO

2. Click Authorizations tab, click Change Authorization Data 3. For the Organizational Levels, this should be FULL Authorization except for Account

Type, enter K and S for Account type 4. Set all other items in Authorizations screen to full by clicking on yellow arrows. 5. Click Save 6. Click Generate 7. Exit out of PFCG screen

iv. The NWBC screen will appear. Click Sync. With PFCG to bring changes back to Design and Manage Roles.

v. Click Save & Continue to move to next phase (Derive Role) vi. Click Save & Continue to move to next phase (Analyze Access Risks)

1. Click Foreground to run report with default settings 2. As with Analyze and Manage Risk reports previously learned, use Type and Format to

change the Risk Analysis results. vii. Select Impact Analysis in Analysis Type

1. Since this is a NEW role, this is no value for impact analysis as the role is not provisioned to anyone or is not part of other roles yet..

viii. Click Save & Continue to move to next phase (Generate Roles) 1. Click Generate 2. Validate the Default System is correct (ZMGCLNT800) 3. Click Next 4. Schedule the Generation ‐ select Foreground 5. Click Next 6. Verify successful role generation

ix. Click Save & Continue to move to complete x. Click Go to Phase, select Define Role

1. Click Additional Details – Provisioning a. In Provisioning Allowed, select YES b. In Allow Auto Provisioning, select YES c. Set Role Status to In Productive Use

Page | 69

2. Click Change History to view change log 3. Click PFCG Change History to view the backend Log

a. Enter logon data in SAP GUI Shortcut b. Verify Report Parameters c. Click Execute, review returned data d. Exit the Back end sytem

4. Close Role screen 5. Verify Current Phase for role is now COMPLETE.

5.

Page | 70

Unit 3 – Design and Manage Roles Exercise 3.4 – Role Maintenance‐Single Role Solution:

2. Create Single Technical Role

Page | 71

Page | 72

Page | 73

Page | 74

Page | 75

Page | 76

Page | 77

Page | 78

Page | 79

Page | 80

Page | 81

Page | 82

Page | 83

Page | 84

Page | 85

Page | 86

Page | 87

Page | 88

Page | 89

Page | 90

Page | 91

Page | 92

Page | 93

Page | 94

Page | 95

Page | 96

Page | 97

Page | 98

Page | 99

Page | 100

Unit 3 – Design and Manage Roles Exercise 3.5 – Role Maintenance – Composite Role

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Role Maintenance under the Role Management section 4. Create a Composite Role using the following information:

a. On Define Role tab ‐ Details i. Application Type – SAP ii. Landscape – ECC Landscape iii. Business Process – Basis iv. Subprocess – Security v. Project Release – Production vi. Finalize Role Name so that it shows as ZS:BSSE:COMPOSITE_ROLE_xx (where xx is your

Participant ID) vii. Description – Composite Role Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) viii. Profile Name and Description – Leave BLANK

b. Click Properties i. Critical Level – High ii. Sensitivity – Restricted iii. Comments Mandatory – YES




f. Click Save to save data and say in the same Phase g. Click Roles

i. Click Add ii. Enter or Search for Role

1. ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your Participant ID) 2. Use Arrow to move role to Selected 3. Click OK

h. Click Owners/Approvers i. Enter or search for ACROLEOWNxx and Role Content Approver ONLY (where xx is your

Participant ID)

Page | 101

ii. Enter or search for ACROLEAPPxx and assign Assignment Approver ONLY (where xx is your Participant ID)

i. Click Additional Details tab i. Detailed Description – This role was created by a Training Participant (Group xx)

j. Click Provisioning i. Select In Development

k. Click Save to remain in same Phase l. Click Change History to view the change log for this role m. Click Save & Continue to move to the next Phase (Maintain Authorizations)

i. Click Save & Continue to move to next phase (Analyze Access Risks) 1. Click Foreground to run report with default settings 2. As with Analyze and Manage Risk reports previously learned, use Type and Format to

change the Risk Analysis results. ii. Select Impact Analysis in Analysis Type

1. Since this is a NEW role, this is no value for impact analysis as the role is not provisioned to anyone or is not part of other roles yet..

iii. Click Save & Continue to move to next phase (Request Approval) 1. Clickitiate Approval Request 2. Enter Request Reason – Training Course Group xx (where xx is your Participant ID) 3. Click OK

iv. Logoff the NWBC client using the Logoff link. v. Logon the NWBC client using ID ACROLEOWNxx (where xx is your Participant ID) vi. In My Home workcenter, click Work Inox vii. Locate request for new composite role and approve

1. Enter Comments – Approved Training Request Group xx (where xx is your Participant ID) 2. Click YES to confirm approval 3. Click Close 4. Logoff ACROLEOWNxx (where xx is your Participant ID)

viii. Logon as ACTRNGxx (where xx is your Participant ID) ix. Go to workcenter Access Management x. Click Role Maintenance under the Role Management section xi. Select Role from query xii. Click Open xiii. Once Request is approved, begin Role Maintenance process to generate role

1. Go to workcenter Access Management 2. Click Role Maintenance under the Role Management section 3. Validate the Default System is correct (ZMGCLNT800) 4. Click Next 5. Schedule the Generation ‐ select Foreground 6. Click Next 7. Verify successful role generation

xiv. Click Save & Continue to move to complete xv. Click Go to Phase, select Define Role

1. Click Additional Details – Provisioning

Page | 102

a. Set Role Status to In Productive Use b. In Provisioning Allowed, select YES c. In Allow Auto Provisioning, select YES

2. Click Change History to view change log 3. Click PFCG Change History to view the backend Log

a. Enter logon data in SAP GUI Shortcut b. Verify Report Parameters c. Click Execute, review returned data d. Exit the Back end system

4. Close Role screen 5. Verify Current Phase for role is now COMPLETE.

Page | 103

Unit 3 – Design and Manage Roles Exercise 3.5 – Role Maintenance – Composite Role Solution:

3. Create Composite Technical Role

Page | 104

Page | 105

Page | 106

Page | 107

Page | 108

Page | 109

Page | 110

Page | 111

Page | 112

Page | 113

Logon as ACTRNGxx

Page | 114

Page | 115

Page | 116

Page | 117

Page | 118

Unit 3 – Design and Manage Roles Exercise 3.6 – Role Maintenance‐Business Role

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Role Maintenance under the Role Management section 4. Create a Business Role using the following information:

a. On Define Role tab – Details i. Application Type – Business Roles ii. Landscape – Role Mangement Business Group iii. Process – Basis iv. Subprocess – Security v. Project Release – Production vi. Finish Role Name ‐ ZB:BS:BUSINESS_ROLE_GRPxx (where xx is your Participant ID) vii. Description – Business Role Maintenance for GRC Training Course Group xx (where xx is your

Participant ID) b. Click Properties

i. Critical Level – High ii. Comments Mandatory – YES




f. Click Save to save data and say in the same Phase g. Click Roles

i. Click Add ii. Enter or Search for Role

1. ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your Participant ID) 2. ZC:BSSE:COMPOSITE_ROLExx (where xx is your Participant ID) 3. Use Arrow to move role to Selected 4. Click OK

h. Click Owners/Approvers i. Enter or search for ACROLEOWNxx and Role Content Approver ONLY (where xx is your

Participant ID) ii. Enter or search for ACROLEAPPxx and assign Assignment Approver ONLY (where xx is your

Participant ID) i. Click Additional Details tab

Page | 119

i. Detailed Description – This role was created by a Training Participant Group xx (where xx is your Participant ID)

j. Click Provisioning i. Select In Development

k. Click Define Role tab l. Click Save to remain in same Phase m. Click Change History to view the change log for this role n. Click Save & Continue to move to next phase (Analyze Access Risks)

i. Click Foreground to run report with default settings ii. As with Analyze and Manage Risk reports previously learned, use Type and Format to change

the Risk Analysis results. o. Select Impact Analysis in Analysis Type

i. Since this is a NEW role, this is no value for impact analysis as the role is not provisioned to anyone or is not part of other roles yet..

p. Click Save & Close to move to next phase (Maintain Test Cases) i. Click Create ii. Enter Test Case Name – Business Role Test Case Group xx (where xx is your Participant ID) iii. Enter Test Case Description – Business Role Test Case Group xx (where xx is your Participant ID) iv. Click Add, then Add Link

1. Title – Business Role Test Link xx (where xx is your Participant ID) 2. Path – www.sap.com 3. Click Save

q. Click Save & Continue to complete maintenance. r. Click Go to Phase, select Define Role

i. Click Additional Detail – Provisioning ii. In Role Status, select In Productive Use iii. Click Save.

Page | 120

Unit 3 – Design and Manage Roles Exercise 3.6 – Role Maintenance‐Business Role Solution:

4. Create Business Role

Page | 121

Page | 122

Page | 123

Page | 124

Page | 125

Page | 126

Page | 127

Page | 128

Page | 129

Firefighter ID Owner Firefighter ID Owners are responsible for maintaining firefighter IDs and their assignments to firefighters Firefighter Role Owner Firefighter Role Owners are responsible for maintaining firefighter roles and their assignments to firefighters Risk Owner Risk Owners are assigned to risks and are commonly responsible for approving changes to risk definitions and violations of the risk. Risk Owners may also receive conflicting and critical action alerts. Role Owner Role owners are responsible for approving either role content or user‐role assignment or both Mitigation Monitors Mitigation Monitors are assigned to controls to monitor activity and may receive control monitor alerts. Mitigation Approvers Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. Firefighter ID Controller Firefighter ID Controllers are responsible for reviewing the log report generated during firefighter ID usage. Firefighter Role Controller Firefighter Role Controllers are responsible for reviewing the log report generated during firefighter role usage. Point of Contact Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles. Security Lead Security Lead is a group or individual that can provide secondary approval for access requests and reviews Workflow Administrator Workflow administrator is responsible for reassignment of workflows due to an incorrect approver, error condition, or escalation.

unit 3 - design and manage roles virtual labs

Documents