Table of Contents

Preface  19
    Target Audience  19
    How to Read This Book  20
    How This Book Is Organized  20
    Conclusion  22
    Acknowledgments  23

1 Introduction to Governance, Risk and Compliance  25
    1.1 Why Use Governance, Risk and Compliance Solutions?  25
    1.2 Introduction to SAP Access Control  29
    1.3 Architecture and Landscape  31
        1.3.1 Architecture  32
        1.3.2 Landscape  33
    1.4 Key Capabilities, Supported Systems, and Integration  34
        1.4.1 Key Capabilities  34
        1.4.2 Supported Systems  36
    1.5 Cloud Integration  37
    1.6 Summary  39

2 Prerequisites  41
    2.1 Checking License Agreements and Licensing Requirements  41
        2.1.1 Creating an SAP GRC Solutions System in SAP Support Portal  42
        2.1.2 Generating and Applying an SAP GRC Solutions License  43
        2.1.3 Identifying the User License Requirements  44
    2.2 System Sizing  45
    2.3 System Time Zone Check  47
    2.4 Component and Plug-In Requirements  48
        2.4.1 Components  48
        2.4.2 Plug-Ins  49
    2.5 Summary  50

3 Post-Installation Steps  51
    3.1 Quick Checks  51
    3.2 Initial Configuration  52
        3.2.1 Activating Applications and Services  52
        3.2.2 Activating Internet Communication Framework Services  53
        3.2.3 Activating Internet Communication Management Services  56
        3.2.4 Activating Business Configuration Sets  58
        3.2.5 Maintaining Plug-In Parameters  63
        3.2.6 Maintaining Plug-In (User Exit) Settings  63
        3.2.7 Activating SAP-Delivered Roles  64
        3.2.8 Defining Business Processes and Subprocesses  68
    3.3 Multistage Multipath Workflow Initial Configuration  70
        3.3.1 Performing Automatic Workflow Configuration  70
        3.3.2 Testing Automatic Workflows  75
        3.3.3 Classifying Workflow Tasks as General  75
        3.3.4 Scheduling Workflow Background Jobs  76
        3.3.5 Performing Task-Specific Customizing  77
        3.3.6 Activating Event Linkages  78
        3.3.7 Performing Task-Specific Customizing with Plug-Ins (Assigning Agents)  80
        3.3.8 Defining Number Ranges for Access Requests  84
    3.4 Setting Up Common Parameters  85
    3.5 Email Configuration  88
        3.5.1 Opening a Simple Mail Transfer Protocol Port  89
        3.5.2 Maintaining RZ10 Profile Parameters for the Simple Mail Transfer Protocol Service  89
        3.5.3 Creating a System User for Receiving Emails  90
        3.5.4 Configuring the Simple Mail Transfer Protocol Service  91
        3.5.5 Configuring the Simple Mail Transfer Protocol Server Inbound/Outbound Flow  93
        3.5.6 Setting Up Simple Mail Transfer Protocol Jobs  94
    3.6 Summary  95

4 Common Configurations  97
    4.1 Configuring Remote Function Call Destinations  97
        4.1.1 Connecting an SAP NetWeaver System  98
        4.1.2 Connecting an SAP HANA Database  101
        4.1.3 Connecting an SAP Enterprise Portal System  113
    4.2 Maintaining Connectors and Connection Types  116
        4.2.1 Creating Connection Types and Connectors  116
        4.2.2 Defining Connector Groups  118
        4.2.3 Assigning Connectors to Connector Groups  119
    4.3 Maintaining Connection Settings  119
    4.4 Maintaining Connector Settings  123
    4.5 Maintaining Configuration Settings  124
    4.6 Maintaining Mapping for Actions and Connector Groups  127
    4.7 Configuring Data Sources  129
        4.7.1 Data Source Configuration  129
        4.7.2 Setting Up an HR Connection  131
        4.7.3 Setting Up an LDAP Connection  132
    4.8 Setting Up Background Synchronization Jobs  137
        4.8.1 Authorization Sync  137
        4.8.2 Repository Object Sync  138
        4.8.3 Action Usage Sync  139
        4.8.4 Role Usage Sync  139
        4.8.5 Superuser Privilege Management Log Sync  139
        4.8.6 Batch Risk Analysis  140
        4.8.7 Alert Generation  142
        4.8.8 Generate Rules  143
        4.8.9 Email Reminders  143
        4.8.10 Emergency Access Management Master Data Sync  144
        4.8.11 Fetch IDM Schema  144
    4.9 Distributing Jobs for Parallel Processing  145
        4.9.1 Setting Up Background Work Processes  145
        4.9.2 Maintaining Parameters for Parallel Processing  146
        4.9.3 Distributing Jobs for Parallel Processing  146
    4.10 Summary  147

5 Access Risk Analysis  149
    5.1 Introduction to Access Risk Analysis  149
        5.1.1 Why Use an Access Risk Analysis Solution?  150
        5.1.2 Evolution of Access Risk Analysis  151
        5.1.3 Terminology  153
        5.1.4 Definitions  155
    5.2 Setting Up Access Risk Analysis  157
        5.2.1 Configuring Parameters  158
        5.2.2 Setting Up Rulesets  176
        5.2.3 Synchronization Jobs  191
        5.2.4 Setting Up Batch Risk Analysis  192
        5.2.5 Setting Up Risk Owners, Mitigation Control Owners, and Controllers  192
    5.3 Setting Up Workflows for Access Risk Analysis  196
    5.4 Maintaining Custom User Groups  197
    5.5 Maintaining Master User ID Mappings  199
    5.6 Working with Access Risk Analysis  200
        5.6.1 Performing Risk Analysis  201
        5.6.2 Risk Simulation  211
    5.7 Working with Mitigation Controls  216
        5.7.1 Configuring Mitigating Controls  216
        5.7.2 Applying Mitigations  221
    5.8 Setting Up Alerts  224
    5.9 Configuring the Risk Terminator  228
    5.10 Reports and Analytics  230
    5.11 Summary  231

6 Emergency Access Management  233
    6.1 Introduction to Emergency Access Management  233
        6.1.1 Why Use an Emergency Access Management Solution?  234
        6.1.2 Advantages and Business Benefits  235
    6.2 Configuring Emergency Access Management  235
        6.2.1 Setting Up Parameters  236
        6.2.2 Setting Up Transaction SPRO Configuration in SAP Access Control  242
        6.2.3 Setting Up Transaction SPRO Configuration in Your Backend (Plug-In) System  243
        6.2.4 Setting Up Notification Templates  244
        6.2.5 Setting Up Reason Codes  249
    6.3 Maintaining Emergency Access Management Access Control Owners  250
        6.3.1 Users in Emergency Access Management  250
        6.3.2 Assigning the Firefighter Owner to a Firefighter ID  251
        6.3.3 Assigning the Firefighter Controller to a Firefighter ID  252
        6.3.4 Assigning Firefighter IDs to Firefighters  254
    6.4 Activating Multistage Multipath for Emergency Access Management  254
    6.5 ID-Based and Role-Based Emergency Access Management  264
        6.5.1 Centralized Emergency Access Management  265
        6.5.2 Decentralized Emergency Access Management  265
        6.5.3 Role-Based Emergency Access Management  266
    6.6 Setting Up Emergency Access Management Jobs  268
    6.7 Emergency Access Management Log Synchronization  269
    6.8 Working with Firefighter IDs  269
        6.8.1 Using Firefighter IDs in a Centralized Environment  270
        6.8.2 Using Firefighter IDs in a Decentralized Environment  271
    6.9 Firefighter ID Report Execution  271
    6.10 Emergency Access Management Log Reviews  273
    6.11 Emergency Access Management Log Types and Details  273
    6.12 Summary  274

7 Access Request Management  275
    7.1 Introduction to Access Request Management  275
        7.1.1 Why Use an Access Request Management Solution?  275
        7.1.2 Advantages and Business Benefits  277
    7.2 Setting Up Access Request Management  280
        7.2.1 Activating Business Configuration Sets  280
        7.2.2 Setting Up Parameters  281
        7.2.3 Setting Up a Number Range for Access Requests  298
        7.2.4 Setting Up an Access Request Workflow  300
        7.2.5 Maintaining Provisioning Settings  301
        7.2.6 Defining Request Types  304
        7.2.7 Maintaining End User Personalization  305
        7.2.8 Setting Up Default Roles  308
        7.2.9 Maintaining User Defaults  309
        7.2.10 Setting Up Templates  311
        7.2.11 Defining Service Level Agreements  313
    7.3 Using Access Request Management  316
        7.3.1 Raising Requests  316
        7.3.2 Approving a Request  330
        7.3.3 Administration Activity for Requests  333
        7.3.4 Searching Requests  333
        7.3.5 Provisioning Logs  336
        7.3.6 Managing Password Self-Service  337
        7.3.7 Delegating Requests  338
        7.3.8 Working with Requests  340
    7.4 Summary  341

8 Business Role Management  343
    8.1 Introduction to Business Role Management  343
        8.1.1 Why Use a Business Role Management Solution?  344
        8.1.2 Advantages and Business Benefits  344
        8.1.3 Terminology  345
    8.2 Setting Up Business Role Management  346
        8.2.1 Setting Up Connectors and Connector Groups  346
        8.2.2 Maintaining Connection Settings  347
        8.2.3 Maintaining Mapping for Actions and Connector Groups  347
        8.2.4 Activating Business Configuration Sets  349
        8.2.5 Maintaining Configuration Settings  349
        8.2.6 Defining Role Owners  357
        8.2.7 Maintaining Role Type Settings  363
        8.2.8 Specifying Naming Conventions  366
        8.2.9 Defining Other Role Attributes  368
        8.2.10 Maintaining Organizational Level Mapping  372
        8.2.11 Maintaining Role Prerequisites  374
        8.2.12 Setting Up Role Methodologies  376
    8.3 Maintaining Multistage Multipath Workflows  382
    8.4 Working with Roles  382
        8.4.1 Define Role  383
        8.4.2 Maintain Authorizations  383
        8.4.3 Derive Role  384
        8.4.4 Analyze Access Risks  386
        8.4.5 Request Approval  386
        8.4.6 Generate Roles  387
        8.4.7 Maintain Test Cases  388
    8.5 Role Mass Maintenance  389
        8.5.1 Role Import  389
        8.5.2 Role Mass Update  392
        8.5.3 Derived Role Organizational Value Update  393
        8.5.4 Role Derivation  395
        8.5.5 Role Generation  396
    8.6 Role Recertification  397
    8.7 Role Management Reports  398
    8.8 Summary  399

9 Periodic Reviews  401
    9.1 User Access Review  402
        9.1.1 Performing User Access Review Configuration  402
        9.1.2 Configuring User Access Review Workflows  407
        9.1.3 Validating Role Methodology  417
        9.1.4 Generating Data for User Access Review  418
        9.1.5 Admin Reviews  422
        9.1.6 Triggering User Access Review Workflows  423
        9.1.7 Updating the Workflow for User Access Review Requests  423
        9.1.8 Performing User Access Reviews  424
    9.2 Segregation of Duties Risk Review  428
        9.2.1 Performing Segregation of Duties Risk Review Configuration  428
        9.2.2 Scheduling Synchronization Jobs  432
        9.2.3 Setting Up and Managing Coordinators  434
        9.2.4 Verifying Risk Owners  434
        9.2.5 Generating Data for Segregation of Duties Risk Reviews  436
        9.2.6 Admin Reviews  437
        9.2.7 Updating the Workflow for Segregation of Duties Risk Reviews  437
        9.2.8 Performing Segregation of Duties Risk Reviews  438
    9.3 Firefighter ID Review  440
        9.3.1 Multistage Multipath Configuration  441
        9.3.2 Setting Up Notification Templates  441
        9.3.3 Generating Data for Firefighter ID Reviews  442
        9.3.4 Reviewing Firefighter ID Requests  443
    9.4 Summary  443

10 End User Home Page  445
    10.1 End User Home Page Services  445
    10.2 Implementation  446
        10.2.1 Prerequisites  446
        10.2.2 Activating the End User Home Page Services  449
        10.2.3 Using the End User Home Page  452
    10.3 Advantages for End User Licenses  454
    10.4 Password Self-Service, Access Request Creation, and Managing Access Control Information  454
        10.4.1 Password Self-Service  454
        10.4.2 Name Change Self-Service  462
        10.4.3 Access Request Creation  464
    10.5 Summary  466

11 Multistage Multipath Workflows  467
    11.1 Introduction to Multistage Multipath Workflows  467
        11.1.1 What Is a Workflow?  468
        11.1.2 Terminology  471
    11.2 Process Global Settings  472
        11.2.1 Workflow Process Definitions  473
        11.2.2 Global Settings  475
        11.2.3 Notification Settings  475
        11.2.4 Escape Conditions  476
    11.3 Maintaining Rules and Rule Results  477
        11.3.1 Rule Kinds  477
        11.3.2 Rule Types  478
    11.4 Maintaining Agents  479
        11.4.1 Agent Types  479
        11.4.2 Directly Mapped Users  480
        11.4.3 PFCG Roles  482
        11.4.4 PFCG User Groups  483
        11.4.5 GRC API Rules  484
    11.5 Setting Up Notification Variables and Templates  485
    11.6 Maintaining Paths  492
        11.6.1 Working with Approval Paths  492
        11.6.2 Approval Types  494
        11.6.3 Routing Enabled (Detour Conditions)  494
        11.6.4 Escalation Types  495
    11.7 Setting Up Notifications: Definition  502
    11.8 Maintaining a Route Mapping  504
    11.9 Generating Versions  506
    11.10 Troubleshooting Multistage Multipath Issues  507
        11.10.1 Transaction GRFNMW_GEN_VERSION  507
        11.10.2 Transaction GRFNMW_CN_VERA  508
        11.10.3 Transaction GRFNMW_CONFIGURE  508
        11.10.4 Transaction GRFNMW_DBGMONITOR_WD  510
        11.10.5 Transaction GRFNMW_DEBUG_MSG  511
        11.10.6 Transaction GRFNMW_DEBUG  511
        11.10.7 Transaction GRFNMW_DEV_CONFIG  513
        11.10.8 Transaction GRFNMW_MONITOR  513
        11.10.9 Transaction SLG1  514
    11.11 Summary  515

12 BRFplus: Business Rule Framework  517
    12.1 Introduction and Activation  517
    12.2 Generating Multistage Multipath Rules for Processes  521
    12.3 Understanding BRFplus Scenarios  523
        12.3.1 Creating a BRFplus Initiator-Based Rule  523
        12.3.2 Creating a BRFplus Agent-Based Rule  529
    12.4 Creating a BRFplus Routing-Based Rule  537
        12.4.1 Creating a Data Object  538
        12.4.2 Creating a Procedure Call  540
        12.4.3 Creating a Table Operation  543
        12.4.4 Creating a Decision Table  544
        12.4.5 Creating a Ruleset  547
    12.5 Transporting a BRFplus Application  550
    12.6 Summary  554

13 SAP Fiori for SAP Access Control  555
    13.1 Introduction  555
        13.1.1 SAP Fiori Architecture  556
        13.1.2 Deployment Options  558
        13.1.3 Terminology  561
        13.1.4 Types of SAP Fiori Apps  562
    13.2 SAP Fiori Configuration  564
        13.2.1 Prerequisites  565
        13.2.2 Activating SAP Gateway  566
        13.2.3 Setting Up Remote Function Call Connections  566
        13.2.4 Setting Up System Aliases  568
        13.2.5 Activating SICF Services  573
        13.2.6 System Alias Mapping  574
        13.2.7 Maintaining Aliases: SAP Gateway Routing Configuration  576
        13.2.8 Replicating the SAP GRC Technical Catalog  577
        13.2.9 Types of Users and Authorizations  579
    13.3 Working with SAP Fiori Apps  581
    13.4 Troubleshooting SAP Fiori App Issues  583
        13.4.1 Cache Issues  584
        13.4.2 Reference Lost Errors  585
        13.4.3 Verifying Error Logs  585
        13.4.4 Troubleshooting Core Data Services Authorization Issues  586
    13.5 Summary  586

14 HR Triggers  587
    14.1 Introduction to HR Triggers  587
    14.2 Configuring HR Triggers  588
        14.2.1 Maintaining Parameters in the Plug-In System  589
        14.2.2 Activating Plug-Ins  589
        14.2.3 Assigning Connectors to an Integration Scenario  590
        14.2.4 Maintaining Data Source Configuration  590
        14.2.5 Defining Request Types  591
        14.2.6 Maintaining Action IDs and Systems for HR Triggers  592
        14.2.7 Creating BRFplus Applications for HR Triggers  594
        14.2.8 Maintaining BRFplus Function IDs  609
    14.3 Troubleshooting HR Trigger Issues with Debugging  610
    14.4 Summary  612

15 Enhancements and Developments  613
    15.1 Enhancements  613
        15.1.1 Notification Template Enhancements  614
        15.1.2 Adding a Licensing Category Custom Field in the Access Request Form  619
        15.1.3 Deactivating Unused Risk Analysis Types in the Access Request Form  626
        15.1.4 Limiting the Number of Line Items in the Access Request Form  629
        15.1.5 Assigning a User Group in the Logon Data Tab  631
        15.1.6 Changing the Menu Tab Order in the Access Request Form  632
        15.1.7 Customizing the Role Search Screen in the Access Request Form  636
    15.2 Custom Developments  637
        15.2.1 Cancelling Pending Requests Automatically for Departed Users  638
        15.2.2 Routing Log Review for Critical Firefighter IDs to a Critical Review Path  647
        15.2.3 Restricting the Manager ID to Numeric Values Only in the Access Request Form  659
        15.2.4 Restricting Contract User ID Role Assignment Validity to Six Months  664
        15.2.5 Managing Your Mitigating Controls  670
    15.3 Summary  680

The Author  681
Index  683