unit 5 - manage user access virtual labs

Page | 1

Unit 5 – Provision and Manage Users Exercise 5.1 – Review Provision and Manage Users specific Configuration Objective – To understand the current and available configurations of the GRC v10.0 system

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Maintain Configuration Settings

a. Review the following settings related to Analyze and Manage Risk b. List which settings are set and their values

i. 9‐Risk Analysis ‐ Access Request:1071‐Enable risk analysis on form submission ii. 9‐Risk Analysis ‐ Access Request:1072‐Mitigation of critical risk required before approving the

request iii. 12‐Access Request Role Selection:2031‐Allow All Roles for Approver iv. 12‐Access Request Role Selection:2032‐Approver Role Restriction Attribute v. 12‐Access Request Role Selection:2033‐Allow All Roles for Requestor vi. 12‐Access Request Role Selection:2034‐Requestor Role Restriction Attribute vii. 12‐Access Request Role Selection:2035‐Allow Role Comments viii. 12‐Access Request Role Selection:2036‐Role Comments Mandatory ix. 12‐Access Request Role Selection:2037‐Display expired roles for existing roles x. 12‐Access Request Role Selection:2038‐Auto Approve Roles without Approvers xi. 13‐Access Request Default Roles:2009‐Consider Default Roles xii. 13‐Access Request Default Roles:2010‐Request type for default roles xiii. 13‐Access Request Default Roles:2011‐Default Role Level xiv. 13‐Access Request Default Roles:2012‐Role Attributes xv. 13‐Access Request Default Roles:2013‐Request Attributes xvi. 14‐Access Request Role Mapping:2014‐Enable Role Mapping xvii. 14‐Access Request Role Mapping:2015‐Applicable to Role Removals xviii. 17‐Assignment Expiry:2041‐Duration for assignment expiry in Days xix. 18‐Access Request Training Verification:2024‐Traning and verification

5. Open Folders – Governance Risk and Compliance Access Control User Provisioning a. Maintain Service Level Agreements

i. What Service Level Agreements (SLAs) are configured? ii. What are the options for determining the SLA timeframe?

b. Maintain Request Types i. How many request types are configured? ii. To which workflow is the request type Role Approval assigned?

c. Maintain Priority Configuration i. How many Priorities have been configured? ii. To which workflow process have they been assigned?

d. Define Number Range for Provisioning Requests i. What is the end number for the first number range?

e. Maintain End User Personalization i. Which Fields are Mandatory? ii. Do any of the fields have a Default Value?

Page | 2

f. Maintain Provisioning Settings i. Maintain Global Provisioning Configuration

1. What are the options for Password expiry for ORAAPPS? 2. What are the fields available for System Provisioning Configuration?

Page | 3

Unit 5 – Provision and Manage Users Exercise 5.1 – Review Provision and Manage Users specific Configuration Solution:

Page | 4

Page | 5

Page | 6

Page | 7

Page | 8

Unit 5 – Provision and Manage Users Exercise 5.2 – Set Workflow Administrator and Security Lead Owners

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Access Control Owners under the Access Owners section 4. Click Create 5. Create Role Owners with the following information

a. Group Type – Owner b. Owner – ACSECURITYxx (where xx is your Participant ID) c. Click box in Select column for Security Lead d. Add Comments – Security Lead Maintenance for GRC Training Course Group xx e. Click box in Select column for Workflow Administrator f. Add Comments – Workflow Administrator Maintenance for GRC Training Course Group xx g. Click Save, then Close

6. Click Settings to add Owner ID column to the visible query. a. Select Field Owner ID in the Hidden Columns section b. Click Add button to move the field to the Displayed Columns section c. Click arrow button at the bottom of the Displayed Columns section to place the Owner ID field at the top

of the list d. Click OK

7. Filter to find your specific owners. a. Click Filter b. In column for Owner ID, enter AC*xx (where xx is your Participant ID) c. Press Enter

Page | 9

Unit 5 – Provision and Manage Users Exercise 5.2 – Set Workflow Administrator and Security Lead Owners Solution:

Page | 10

Page | 11

Page | 12

Page | 13

Unit 5 – Provision and Manage Users Exercise 5.3 – Maintain Access Request Templates

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Template Management under the Access Request Administration section 4. Click Create 5. Create Access Request Template with the following information:

a. Name – ACTEMPLATExx (where xx is your Participant ID) b. Description – Access Request Template Maintenance for GRC Training Course Group xx c. EUP ID – 999 (should already be populated) d. Request Type – New Account e. Click Access Details tab f. Reason for Request Description – New Account Request by Template for GRC Training Course Group 99 g. Request Details

i. Priority – High ii. Business Process – Basis iii. Functional Area – Leave as Select iv. Due Date – Leave Blank

h. Click Add on the User Access Tab, then click Role i. A Select Roles search screen will appear.

i. Use this screen to search and add 2 of the roles you created in Unit 3 1. ZS:BSSE:SINGLE_ROLE_GRPxx (where xx is your Participant ID) 2. ZB:BS:BUSINESS_ROLE_GRPxx (where xx is your Participant ID)

ii. When roles have been entered in the Selected section, click OK j. Click User Details tab k. Enter the following information

i. User Type – Dialog ii. Manager – ACMANAGERxx (where xx is your Participant ID) iii. Decimal Notation – Choose the normal default for your region iv. Date Format – Choose the normal default for your region

l. Click Save 6. A confirmation appears that the template has been saved

Page | 14

Unit 5 – Provision and Manage Users Exercise 5.3 – Maintain Access Request Templates Solution:

8. Template Management

Page | 15

Page | 16

Page | 17

Page | 18

Page | 19

Page | 20

Unit 5 – Provision and Manage Users Exercise 5.4 – Create Access Request

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Access Request under the Access Request Creation section 4. Create an Access Request using the following information:

a. Reason for Request i. Description: Access Request Creation for GRC Training Course Group 99

b. Request Details i. Request Type – New Account ii. Request For – Other iii. User – ACUSERxx01 (where xx is your Participant ID) iv. Priority – High v. Business Process – Basis vi. Functional Area – Leave as Select vii. Due Date – Leave Blank

c. On the User Access tab, Click Add, then Role d. Search for the Composite Role that you created previously

i. System ‐ Select ZMGCLNT800 ii. Role Type – Select Composite Role iii. Role Name – Select contains and enter Z*xx (where xx is your Participant ID) iv. Click Search v. Select Role, click Down arrow to move to Selected section vi. Click OK

e. Click Risk Violation tab i. Use the default settings for Risk Analysis ii. Click Run Risk Analysis iii. Review results that appear

f. Click Attachments tab i. Add a link for reference ii. Click Add, then click Link

1. Title the Link – Training Link 2. Enter the path – www.sap.com 3. Click OK

g. Click User Details tab i. Enter the following information

1. First Name – AC User 2. Last Name – Group xx01 (where xx is your Participant ID) 3. Email – [email protected] (where xx is your Participant ID) 4. User Type – Dialog 5. Manager – ACMANAGERxx (where xx is your Participant ID) 6. Job – 12345 7. Decimal Notation – Choose the normal default for your region 8. Date Format – Choose the normal default for your region

Page | 21

h. Click Submit i. Enter the request number here _________________________________________ j. Click Close

Page | 22

Unit 5 – Provision and Manage Users Exercise 5.4 – Create Access Request Solution:

9. Create Access Request

Page | 23

Page | 24

Page | 25

Page | 26

Unit 5 – Provision and Manage Users Exercise 5.5 – Create Access Request with Model User

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Model User under the Access Request Creation section 4. Create an Access Request using the following information:

a. On the User Details tab i. Request For – Other ii. User – ACUSERxx02 (where xx is your participant ID) i. First Name – AC User ii. Last Name – Group xx02 (where xx is your Participant ID) iii. Email – [email protected] (where xx is your Participant ID) iv. User Type – Dialog v. Manager – ACMANAGERxx (where xx is your Participant ID) vi. Job ‐ 98765 vii. Decimal Notation – Choose the normal default for your region iii. Date Format – Choose the normal default for your region

b. Click Next c. Model User access after user ID GRCRA1

i. Select Model User (use Search or Enter ID directly and press Enter) 1. User – GRCRA1 2. Click Select button in upper left corner of Available section

a. Click Select All 3. Click Down arrow to move selected roles to Selected section

d. Click Next e. Enter Request Details

i. Reason for Request 1. Description – Model Access Request for GRC Training Course Group xx (where xx is your

participant ID) ii. Request Details

1. Business Process – Basis f. Click Next g. Review the data on the screen for accuracy. h. Click Submit i. Enter the request number here _________________________________________ j. Click Close

Page | 27

Unit 5 – Provision and Manage Users Exercise 5.5 – Create Access Request with Model User Solution:

10. Create Model User Access Request

Page | 28

Page | 29

Page | 30

Page | 31

Unit 5 – Provision and Manage Users Exercise 5.6 – Create Access Request with Template

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Template Based Request under the Access Request Creation section 4. Select the template you created previously – ACTAMPLATExx (where xx is your Participant ID) 5. Click Next 6. Create an Access Request using the following information:

a. Request For – Other b. User – ACUSERxx03 (where xx is your participant ID) c. First Name – AC User d. Last Name – Group xx03 (where xx is your Participant ID) e. Email – [email protected] (where xx is your Participant ID) f. Job – 45612

7. Click Next 8. Review request details 9. Click Next 10. Review request for accuracy 11. Click Submit

a. Enter the request number here _________________________________________ 12. Click Close

Page | 32

Unit 5 – Provision and Manage Users Exercise 5.6 – Create Access Request with Template Solution:

11. Create Template User Access Request

Page | 33

Page | 34

Page | 35

Page | 36

Unit 5 – Provision and Manage Users Exercise 5.7 – Create Access Request with Copy Request

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Access Management 3. Click Copy Request under the Access Request Creation section 4. Select Request to Copy

a. Enter Request Number you created in Exercise 5.4 b. Select the request attributes to be copied

i. User Details ii. Request Details iii. Manager Details iv. System Details v. Roles

5. Click Next 6. Create an Access Request using the following information:

a. User – ACUSERxx04 (where xx is your Participant ID) b. Last Name – Group xx04 (where xx is your Participant ID) c. Email – [email protected] (where xx is your Participant ID)

7. Click Next 8. Enter Request Details

a. Reason for Request i. Description – Copy Access Request for GRC Training Course Group xx (where xx is your

Participant ID) ii. Review other information

9. Click Next 10. Review information for accuracy 11. Click Submit

a. Enter the request number here _________________________________________ 12. Click Close

Page | 37

Unit 5 – Provision and Manage Users Exercise 5.7 – Create Access Request with Copy Request Solution:

12. Create Copy Request

Page | 38

Page | 39

Page | 40

Page | 41

Page | 42

Unit 5 – Provision and Manage Users Exercise 5.8.1 – Approve Access Request

1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACMANAGERxx (where xx is your Participant ID) a. If you are logged into NWBC already, you can click Log Off from a workcenter page. b. Confirm log off action c. Click link “To restart the application, please click here” d. Sign in with desired User ID

2. Go to workcenter My Home 3. Click Work Inbox 4. Click the request created in Exercise 5.4 5. Review the information on the request 6. Click Submit. 7. Confirmation appears, click Close 8. Log Off the application 9. Click link to restart application 10. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACROLEAPPxx (where xx is your Participant ID) 11. Go to workcenter My Home 12. Click Work Inbox 13. Click the request created in Exercise 5.4 14. Review the information on the request 15. Click Submit

a. An error message should appear that Risk Analysis is Mandatory 16. Click Risk Violations tab 17. Click Run Risk Analysis and review the information 18. Click Submit 19. Click Submit. 20. Confirmation appears, click Close

Page | 43

Unit 5 – Provision and Manage Users Exercise 5.8.1 – Approve Access Request Solution:

13. Request Approval

Page | 44

Page | 45

Page | 46

Page | 47

Page | 48

Page | 49

Page | 50

Page | 51

Page | 52

Unit 5 – Provision and Manage Users Exercise 5.8.2 – Approve Access Request‐Manager Rejects the Request


2. Go to workcenter My Home 3. Click Work Inbox 4. Click the request created in Exercise 5.5 5. Review the information on the request 6. Click Other Actions, then Reject 7. Confirmation appears, click Close

Page | 53

Unit 5 – Provision and Manage Users Exercise 5.8.2 – Approve Access Request‐Manager Rejects the Request Solution:

Page | 54

Page | 55

Unit 5 – Provision and Manage Users Exercise 5.8.3 – Approve Access Request‐Role Owner Rejects a Role


2. Go to workcenter My Home 3. Click Work Inbox 4. Click the request created in Exercise 5.6 5. Review the information on the request 6. Click Submit. 7. Confirmation appears, click Close 8. Log Off the application 9. Click link to restart application 10. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACROLEAPPxx (where xx is your Participant ID) 11. Go to workcenter My Home 12. Click Work Inbox 13. Click the request created in Exercise 5.6 14. Review the information on the request 15. Reject the role ZS:BSSE:SINGLE_ROLE

a. In the Approval Status column, select Reject from the dropdown list 16. Click Risk Violations tab 17. Click Run Risk Analysis and review the information 18. Click Submit. 19. Confirmation appears, click Close

Page | 56

Unit 5 – Provision and Manage Users Exercise 5.8.3 – Approve Access Request‐ Role Owner Rejects a Role Solution:

Page | 57

Page | 58

Page | 59

Page | 60

Unit 5 – Provision and Manage Users Exercise 5.8.3 – Approve Access Request‐ Review Audit Log


2. Go to workcenter My Home 3. Click Work Inbox 4. Click the request created in Exercise 5.7 5. Review the information on the request 6. Click Submit. 7. Confirmation appears, click Close 8. Log Off the application 9. Click link to restart application 10. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACROLEAPPxx (where xx is your Participant ID) 11. Go to workcenter My Home 12. Click Work Inbox 13. Click the request created in Exercise 5.7 14. Review the information on the request in the User Access and User Details tabs 15. Click on Audit Log tab

a. Review the information. 16. Click Risk Violations tab 17. Click Run Risk Analysis and review the information 18. Click Submit. 19. Confirmation appears, click Close

Page | 61

Unit 5 – Provision and Manage Users Exercise 5.8.3 – Approve Access Request‐ Role Owner Rejects a Role Solution

Page | 62

Page | 63

Page | 64

Page | 65

Firefighter ID Owner Firefighter ID Owners are responsible for maintaining firefighter IDs and their assignments to firefighters Firefighter Role Owner Firefighter Role Owners are responsible for maintaining firefighter roles and their assignments to firefighters Risk Owner Risk Owners are assigned to risks and are commonly responsible for approving changes to risk definitions and violations of the risk. Risk Owners may also receive conflicting and critical action alerts. Role Owner Role owners are responsible for approving either role content or user‐role assignment or both Mitigation Monitors Mitigation Monitors are assigned to controls to monitor activity and may receive control monitor alerts. Mitigation Approvers Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. Firefighter ID Controller Firefighter ID Controllers are responsible for reviewing the log report generated during firefighter ID usage. Firefighter Role Controller Firefighter Role Controllers are responsible for reviewing the log report generated during firefighter role usage. Point of Contact Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles. Security Lead Security Lead is a group or individual that can provide secondary approval for access requests and reviews Workflow Administrator Workflow administrator is responsible for reassignment of workflows due to an incorrect approver, error condition, or escalation.

unit 5 - manage user access virtual labs

Documents