
SAP Security

GRC Access Controls Configuration

INTEGRATED BUSINESS MANAGEMENT PROGRAM

Project ID iBM
Document Owner SAP Security
Document Date 24 May 2017
Document Version 1.0
Document Status Final
Document Control
Document Revision History

Version  Date        Name        Description
0.1      23/05/2017  Warren Lui  Initial Draft
0.2      14/07/2017  Warren Lui  Update with GRC Access Controls
1.0      24/09/2019  Warren Lui  Final

Contents
INTEGRATED BUSINESS MANAGEMENT PROGRAM ................................................................................................................... 1
1 GRC Access Control Configuration ............................................................................................................................................ 4
1.1 Activating GRC Access Controls ....................................................................................................................................... 4
1.2 Maintain Integration Framework ..................................................................................................................................... 4
1.2.1 Maintain Connectors and Connection Types ......................................................................................................... 4
1.2.2 Maintain Connector Settings ........................................................................................................................................ 7
1.3 Maintain Access Control Connector Settings ...........................................................................................................11
1.4 Maintain Access Control Actions and Connector Groups ....................................................................................12
1.5 Maintain GRC Access Control Configuration Settings ..........................................................................................12
1.6 Maintain GRC Access Control Configuration Settings – Plug-in system........................................................14
1.7 Maintain GRC Access Control Configuration Settings – Reason codes..........................................................15
2 Emergency Access Management ..............................................................................................................................................16
2.1 GRC AC EAM Log Review Workflow .............................................................................................................................16
2.1.1 Perform Automatic Workflow Customizing ..........................................................................................................16
2.1.2 Enable GRC AC specific Event Linking ....................................................................................................................19
2.1.3 Activate MSMP BC Set ..................................................................................................................................................20
2.1.4 Maintain MSMP Workflows ........................................................................................................................................21
2.1.5 Enable GRC Firefighter Workflow Escalations ......................................................................................................24
2.1.6 Enable Escape Path .........................................................................................................................................................27
2.1.7 Enable Workflow for Controllers ...............................................................................................................................28
2.1.8 Enable Email Reminders ...............................................................................................................................................29
2.1.9 Customise Email Messages .........................................................................................................................................30
3 Access Risk Analysis .......................................................................................................................................................................33
3.1 Activate ARA Default Ruleset ..........................................................................................................................................33
3.2 Update ARA Ruleset with New Connector .................................................................................................................34
3.3 Generate Rulesets ................................................................................................................................................................36
4 Schedule Background Jobs .........................................................................................................................................................38
4.1 Schedule GRC Synchronization jobs .............................................................................................................................38
5 Firefighter User Exit ........................................................................................................................................................................38
6 Activate SICF......................................................................................................................................................................................38
1 GRC ACCESS CONTROL CONFIGURATION

1.1 ACTIVATING GRC ACCESS CONTROLS

SPRO - Governance, Risk and Compliance -> General Settings -> Activate Applications in Client

Check Active box for GRC-AC

1.2 MAINTAIN INTEGRATION FRAMEWORK


1.2.1 Maintain Connectors and Connection Types
SPRO - Governance, Risk and Compliance -> Common Component Settings -> Integration Framework ->
Maintain Connectors and Connection Types
Add Connection Type:
 ZSAP_ERP

Select Define Connectors and enter the following details:
 Target connector: ECPCLNT010
 Connection Type: ZSAP_ERP
 Logical Port: ECPCLNT010
 Max No. of BG WP: 3

Select Define Connector Group and add a new connector group:
 Conn.Group: ERP Connector Group
 Con.Type: ZSAP_ERP

Select Assign Connector Groups to Group Types:
 Connector Group Type: Logical Group

Highlight the Connector Group, select Assign Connectors to Connector Groups and enter the Target Connector:

Target Connector  Connection Type
ECPCLNT010        ZSAP_ERP
1.2.2 Maintain Connector Settings

SPRO - Governance, Risk and Compliance -> Common Component Settings -> Integration Framework ->
Maintain Connector Settings.

Update the connector settings for the following 4 integration scenarios:

- AUTH (Authorization Management)
- PROV (Provisioning)
- ROLMG (Role Management)
- SUPMG (Super user Privilege Management)

Because of interdependencies between scenarios in GRC AC 10.0, a Scenario-to-Connector link must be
maintained for all 4 scenarios available for Access Controls in version 10.

If any integration scenario is left unlinked from the connector, the functions that depend on it can fail,
so this is a mandatory configuration step.

Maintain Integration Scenario - SUPMG

Highlight Sub Scenario SUPMG and select Scenario-Connection Type Link.

Check and update the Connection Type.

Select Scenario-Connector Link and update the following:
 Target Connector
 Connection Type

Target Connector  Con.Type  Connection Type Text
ECPCLNT010        ZSAP_ERP  SAP ERP Systems

Repeat the steps for Maintain Integration Scenario – ROLMG

Target Connector  Con.Type  Connection Type Text
ECPCLNT010        ZSAP_ERP  SAP ERP Systems

Repeat the steps for Maintain Integration Scenario – PROV

Target Connector  Con.Type  Connection Type Text
ECPCLNT010        ZSAP_ERP  SAP ERP Systems

Repeat the steps for Maintain Integration Scenario – AUTH

Target Connector  Con.Type  Connection Type Text
ECPCLNT010        ZSAP_ERP  SAP ERP Systems

1.3 MAINTAIN ACCESS CONTROL CONNECTOR SETTINGS

SPRO -> Governance, Risk and Compliance -> Access Control -> Maintain Connector Settings

Maintain the following:
 Target Connector: ECPCLNT010
 Application Type: 1
 Environment: Production
 PSS: Yes

1.4 MAINTAIN ACCESS CONTROL ACTIONS AND CONNECTOR GROUPS

SPRO-> Governance, Risk and Compliance -> Access Control -> Maintain Mapping for Actions and
Connector Groups

Maintain Mapping for Actions and Connector Groups:

Conn.Group  Action  Target Connector  Default
ERP         1       ECPCLNT010        X
ERP         2       ECPCLNT010        X
ERP         3       ECPCLNT010        X
ERP         4       ECPCLNT010        X
ERP         5       ECPCLNT010        X

1.5 MAINTAIN GRC ACCESS CONTROL CONFIGURATION SETTINGS

SPRO-> Governance, Risk and Compliance -> Access Control -> Maintain Configuration Settings

Specify the 'Parameter ID' values for parameters in each of the following 'Parameter Groups':

 Change Log
 Mitigation
 Risk Analysis
 Emergency Access Management
 Management Dashboard Reports

Parm Group                   Param ID  Parameter Value               Priority  Description
Change Log                   1001      YES                           0         Enable Function Change Log
Change Log                   1002      YES                           0         Enable Risk Change Log
Change Log                   1003      YES                           0         Enable Organization Rule Log
Change Log                   1004      YES                           0         Enable Supplementary Rule Log
Change Log                   1005      YES                           0         Enable Critical Role Log
Change Log                   1006      YES                           0         Enable Critical Profile Log
Change Log                   1007      YES                           0         Enable Rule Set Change Log
Change Log                   1008      YES                           0         Enable Role Change Log
Mitigation                   1011      365                           0         Default expiration time for mitigating control assignments (in days)
Mitigation                   1012      NO                            0         Consider Rule Id also for mitigation assignment
Mitigation                   1013      NO                            0         Consider System for mitigation assignment
Risk Analysis                1021      NO                            0         Consider Org Rules for other applications
Risk Analysis                1023      02                            0         Default report type for risk analysis
Risk Analysis                1024      3                             0         Default risk level for risk analysis
Risk Analysis                1026      A                             0         Default user type for risk analysis
Risk Analysis                1027      YES                           0         Enable Offline Risk Analysis
Risk Analysis                1028      NO                            0         Include Expired Users
Risk Analysis                1029      NO                            0         Include Locked Users
Risk Analysis                1030      NO                            0         Include Mitigated Risks
Risk Analysis                1031      YES                           0         Ignore Critical Roles & Profiles
Risk Analysis                1032      YES                           0         Include Reference user when doing user analysis
Risk Analysis                1033      YES                           0         Include Role/Profile Mitigating Controls in Risk Analysis
Risk Analysis                1035      NO                            0         Send email notification to the monitor of the updated mitigated object
Risk Analysis                1036      NO                            0         Show All Objects in Risk Analysis
Risk Analysis - Spool        1053      D                             0         Spool Type
Emergency Access Management  4000      1                             0         Application type
Emergency Access Management  4001      30                            0         Default Firefighter Validity Period (Days)
Emergency Access Management  4002      NO                            0         Send Email Immediately
Emergency Access Management  4003      YES                           0         Retrieve Change Log
Emergency Access Management  4004      YES                           0         Retrieve System log
Emergency Access Management  4005      YES                           0         Retrieve Audit log
Emergency Access Management  4006      YES                           0         Retrieve OS Command log
Emergency Access Management  4007      YES                           0         Send Log Report Execution Notification Immediately
Emergency Access Management  4008      NO                            0         Send Firefighter ID Login Notification
Emergency Access Management  4009      YES                           0         Log Report Execution Notification
Emergency Access Management  4010      ZX80P00:FF_FIREFIGHTER_ID:00  0         Firefighter ID role name
Emergency Access Management  4015      Yes                           0         Enable Decentralized Firefighting

1.6 MAINTAIN GRC ACCESS CONTROL CONFIGURATION SETTINGS – PLUG-IN SYSTEM

SPRO -> Governance, Risk and Compliance (Plug-In) -> Access Control -> Maintain Plug-In Configuration Settings

Param Id  Sequence  Parameter Value               Short Description
1000      0         ECPCLNT010                    Please maintain Plug-in Connector
1001      0         GRPCLNT010                    Please maintain GRC connector
4000      0         1                             Application type
4001      0         30                            Default Firefighter Validity Period (Days)
4008      0         YES                           Send Firefight ID Login Notification
4010      0         ZX80P00:FF_FIREFIGHTER_ID:00  Firefighter ID role name
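Once the values in sections 1.5 and 1.6 are in place they tend to drift: a parameter such as 4004 (Retrieve System log) switched off, or 4015 dropped, quietly weakens the firefighter log review. The following script is an added example, not part of this document or an SAP tool: it holds the documented values for both the GRC system and the plug-in system as a baseline and compares an exported parameter list against them, rating drift in the log-retrieval and notification parameters as HIGH. The export format it reads (one line per parameter, "param ID" then value) is a constructed assumption, not a real GRC export layout, and the sample export is constructed to contain three deliberate deviations.

```python
"""Compare an exported GRC AC configuration against the documented baseline.

Added example; not part of the configuration document and not an SAP tool.
The export format is a constructed assumption: one parameter per line as
'<param_id> <parameter value>', not a real GRC export layout.
"""
from dataclasses import dataclass

# GRC-side baseline from section 1.5 of the document (param ID -> value).
BASELINE_GRC = {
    "1001": "YES", "1002": "YES", "1003": "YES", "1004": "YES",
    "1005": "YES", "1006": "YES", "1007": "YES", "1008": "YES",
    "1011": "365", "1012": "NO", "1013": "NO",
    "1021": "NO", "1023": "02", "1024": "3", "1026": "A", "1027": "YES",
    "1028": "NO", "1029": "NO", "1030": "NO", "1031": "YES", "1032": "YES",
    "1033": "YES", "1035": "NO", "1036": "NO", "1053": "D",
    "4000": "1", "4001": "30", "4002": "NO", "4003": "YES", "4004": "YES",
    "4005": "YES", "4006": "YES", "4007": "YES", "4008": "NO", "4009": "YES",
    "4010": "ZX80P00:FF_FIREFIGHTER_ID:00", "4015": "YES",
}

# Plug-in (ERP) side baseline from section 1.6.
BASELINE_PLUGIN = {
    "1000": "ECPCLNT010", "1001": "GRPCLNT010", "4000": "1", "4001": "30",
    "4008": "YES", "4010": "ZX80P00:FF_FIREFIGHTER_ID:00",
}

# Drift in these parameters weakens firefighter log capture, notification
# or offline analysis, so it is rated HIGH; everything else is MEDIUM.
CRITICAL = {"1027", "4003", "4004", "4005", "4006", "4007", "4009", "4015"}


@dataclass(frozen=True)
class Finding:
    param_id: str
    expected: str
    actual: str        # "<missing>" when the export has no such parameter
    severity: str      # "HIGH" or "MEDIUM"


def parse_export(text):
    """Parse the constructed export format into {param_id: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        param_id, _, value = line.partition(" ")
        settings[param_id] = value.strip()
    return settings


def check_drift(current, baseline):
    """Return one Finding per baseline parameter that is missing or differs.

    Comparison is case-insensitive because the document itself mixes
    'YES' and 'Yes' for parameter 4015.
    """
    findings = []
    for param_id, expected in sorted(baseline.items()):
        actual = current.get(param_id)
        if actual is None or actual.upper() != expected.upper():
            severity = "HIGH" if param_id in CRITICAL else "MEDIUM"
            findings.append(Finding(param_id, expected,
                                    "<missing>" if actual is None else actual,
                                    severity))
    return findings


def constructed_grc_export():
    """Constructed sample export: the documented values, except that system
    log retrieval (4004) is off, mitigation expiry (1011) was extended, and
    decentralized firefighting (4015) is absent from the export."""
    values = dict(BASELINE_GRC)
    values["4004"] = "NO"
    values["1011"] = "730"
    del values["4015"]
    body = "\n".join(f"{pid} {val}" for pid, val in values.items())
    return "# constructed sample, GRC system\n" + body


if __name__ == "__main__":
    for f in check_drift(parse_export(constructed_grc_export()), BASELINE_GRC):
        print(f"{f.severity:6} {f.param_id}: expected {f.expected!r}, found {f.actual!r}")
```

Run it against the plug-in system by feeding that system's export to check_drift with BASELINE_PLUGIN; the two baselines are kept separate on purpose, since 4008 is NO on the GRC side and YES on the plug-in side in this document.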

1.7 MAINTAIN GRC ACCESS CONTROL CONFIGURATION SETTINGS – REASON CODES

NWBC -> Access Management -> Emergency Access Maintenance -> Reason Codes
Add Reason Codes:

Reason Code  Description                       Detail
01           Support - Incident/Work Order     Changes Associated with an Incident or Work Order
02           Support - Change Request          Changes Associated with a Change Request / Change Request Number
03           Support - Investigation           Display / Read tasks where 'Normal' User-ID is not authorized
04           Support - Admin (BASIS)           Basis Administration / Housekeeping Tasks
05           Support - Admin (Security)        Security Administration / Housekeeping Tasks
20           Project - IBM Cutover Activities  iBM Project-Planned Cutover Tasks
50           SBS - Procurement Admin           SBS-Procurement Administration-Access to Maintain Pur Reqs

2 EMERGENCY ACCESS MANAGEMENT

2.1 GRC AC EAM LOG REVIEW WORKFLOW


2.1.1 Perform Automatic Workflow Customizing

SPRO -> Governance, Risk and Compliance -> General Settings -> Workflow -> Perform Automatic Workflow Customizing

Ensure that workflow settings are maintained.


SPRO ->Governance, Risk and Compliance-> General Settings->Workflow->Perform Task-Specific
Customizing

Enable GRC AC specific Workflow under folder GRC->GRC-AC

Assign Task as General Task via Task Attribute.


Make sure all tasks that do not run as background tasks have been assigned as General Task.
Ensure EAM Audit Review Tasks are enabled e.g.
TS 76308028
WS 76300089
2.1.2 Enable GRC AC specific Event Linking

Click Activate event linking


2.1.3 Activate MSMP BC Set

The configuration tool can be launched in IMG under Governance, Risk and Compliance -> Access Control ->
Workflow for Access Control -> Activate MSMP Content for AC

Activate BC Set GRC_MSMP_CONFIGURATION

Activate using “Expert” Mode.


2.1.4 Maintain MSMP Workflows
The configuration tool can be launched in IMG under Governance, Risk and Compliance -> Access Control ->
Workflow for Access Control -> Maintain MSMP Workflows

Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT


Click display/change and select next
Select Maintain Paths
Select Step 001 and click “Modify Task Settings”

Agent ID: GRAC_SPM_CNTRL_AGENT


Approval Type: Any One Approver
Forward Allowed: Yes
Confirm Approval: Yes
Comments Mandatory: Approval
Notification: Approver
Ensure Stage Configuration is also updated.

Select Generate Versions


Save and activate this workflow.
Run Simulate first; it validates the workflow and reports any issue before activation.
2.1.5 Enable GRC Firefighter Workflow Escalations
The configuration tool can be launched in IMG under Governance, Risk and Compliance -> Access Control ->
Workflow for Access Control -> Maintain MSMP Workflows

Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT


Click display/change and select next
Select Maintain Paths
Select Step 001 and click “Modify Task Settings”

Update the following fields:


Escalation Time Mins: 20,160
Escalation Type: Escalate to Specified Agent
Ensure Stage Configuration is also updated.

Navigate to Step 3 (Maintain Agents)


Create Escalation Manager Agent
 Agent ID: ZGRAC_ESCALATION_MANAGER
 Agent Name: Escalation Manager
 Agent Purpose: Approval
 Agent Type: Directly Mapped Users
 Approver Group ID: Escalation Manager

Add the Approver User and Approver ID

2.1.6 Enable Escape Path


The configuration tool can be launched in IMG under Governance, Risk and Compliance -> Access Control ->
Workflow for Access Control -> Maintain MSMP Workflows

Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT


Click display/change and select next
Navigate to Step 3 (Maintain Agents)
Define an Agent for the Security Team:
 Agent ID: ZGRAC_SEC_TEAM
 Agent Name: Security Team
 Agent Purpose: Approval
 Agent Type: PFCG Roles
 Role: YX:P00:SEC_ADM_HR:PRD_NM

Navigate to Step 1 (Process Global Settings)


Add Escape Condition for the workflow process SAP_GRAC_FIREFIGHT_LOG_REPORT

2.1.7 Enable Workflow for Controllers

In the GRC application, all controllers need to be adjusted: their notification method must be switched
from email to "Workflow".
Select "Controllers" under Emergency Access Maintenance
Select the Controller and click "Open"
Set Notification By to "Workflow"

2.1.8 Enable Email Reminders

Schedule job GRFNMW_BATCH_EMAIL_REMINDER to send email reminders.

MSMP Process ID: Fire Fighter Log Report Review Workflow
Period (in days): 7
Don't Remind Again (in days): 0
Template ID: ZGRAC_NOTIFICATION
Variant: ZSPM_WORKFLOW
2.1.9 Customise Email Messages

Creating a New Template ID


SE61 – Maintain Document Text
Select Document Class General Text

ZGRAC_MSMP_REMINDER
Enter the following Text
There are GRC (Firefighter) workitem(s) in your work inbox that are yet to be actioned. Please
perform the necessary actions.

GRC Inbox
NWBC>Workspace>Tools>System Access Controls>Emergency Access Management>Work Inbox

This reminder has been sent for any GRC (Firefighter) workitem(s) that have not been actioned after
7 days, any GRC (Firefighter) workitem(s) that have not been actioned after 14 days will be
escalated.

Kind regards,
Access Control Administrator

Creating a New Template ID


SE61 – Maintain Document Text
Select Document Class General Text
ZGRAC_MSMP_LOGRPT_NEWWORKITM
Enter the following Text
There are new Firefighter workitem(s) in your work inbox. Please review and perform the necessary
actions.
Workitem can be reviewed by accessing the <a href = "%LINK_WORKITEM%"> GRC Inbox </a>

GRC Inbox
NWBC>Workspace>Tools>System Access Controls>Emergency Access Management>Work Inbox

Kind regards,
Access Control Administrator

SM30 - Maintain table GRFNVNOTIFYMSG

Create new Notification Messages:
 ZAC_SPM_LOGRPT_NEWWI
 ZAC_SPM_REMINDER

The configuration tool can be launched in IMG under Governance, Risk and Compliance-> Access Control->
Workflow for Access Control-> Maintain MSMP Workflows

Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT


Click display/change and select next

Navigate to Step 4 (Variables and Templates)


Create a new Notification Template ZGRAC_LOGRPT_WORK_ITEM
Message Class: ZAC_SPM_LOGRPT_NEWWI
Docu. Object: ZGRAC_MSMP_LOGRPT_NEWWORKITM
Create a new Notification Template ZGRAC_NOTIFICATION
Message Class: ZAC_SPM_REMINDER
Docu. Object: ZGRAC_MSMP_REMINDER

3 ACCESS RISK ANALYSIS


3.1 ACTIVATE ARA DEFAULT RULESET

Default Risk Analysis and Remediation (RAR) rulesets are delivered via BC Sets. Activate the BC Sets.
Note: use "expert mode" during the activation of these BC Sets.
Execute transaction SCPR20
Activate GRAC_RA_RULESET_COMMON
Activate GRAC_RA_RULESET_SAP_R3
3.2 UPDATE ARA RULESET WITH NEW CONNECTOR

Depending on the BC Set that was activated, the connector needs to be adjusted to map to the connectors
defined in sections 2 and 3. The system defined in all functions needs to be changed.

To update the rules to work with the connectors defined in sections 2 and 3, download the rules and upload
them back into the GRC system. When uploading there is an option to select the connector to use.
SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> SoD Rules -> Download SoD rules
SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> SoD Rules -> Upload SoD rules
3.3 GENERATE RULESETS

SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> SoD Rules -> Generate SoD Rules
Select Risk ID which needs to be generated

NWBC->Rule Setup->Access Rule Maintenance->Access Risks


Highlight Risk ID that needs to be generated. Click Generate Rules

Risk Description Generate


AP00 APO No
BS00 Basis Yes
CA00 Cross Application No
CR00 CRM No
EC00 Consolidation No
FI00 Finance Yes
HR00 HR and Payroll Yes
MM00 Materials Management Yes
PM00 Plant Maintenance No
PR00 Procure to Pay Yes
SD00 Order to Cash Yes
SR00 EBP and SRM No

4 SCHEDULE BACKGROUND JOBS

4.1 SCHEDULE GRC SYNCHRONIZATION JOBS

The following background jobs need to be scheduled in the system

Job                           Job Name / Program            Frequency          User ID
Repository Object Sync        GRAC_REPOSITORY_OBJECT_SYNC   Weekly (Full)      B_GRC_SEC
Repository Object Sync        GRAC_REPOSITORY_OBJECT_SYNC   Daily (Increment)  B_GRC_SEC
Action Usage Synch            GRAC_ACTION_USAGE_SYNC        Daily              B_GRC_SEC
Firefighter Log Synch         GRAC_SPM_LOG_SYNC_UPDATE      Hourly             B_GRC_SEC
Firefighter Workflow Reminder GRAC_SPM_WF_REMINDER          Daily              B_GRC_SEC

5 FIREFIGHTER USER EXIT

Apply OSS Note 1545511 Firefighter User Exit


This note prevents users from logging on to SAP directly with an SAP account that is identified as a
firefighter account.

1545511.pdf
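The user exit from the note is a preventive control; it is still worth checking the audit log for firefighter IDs that appear in direct logon events, which would show the exit is missing, inactive or bypassed on a system. The script below is an added example, not part of this document and not the code from OSS Note 1545511: it scans an exported log for logon events by a list of firefighter IDs and reports them per ID. The line layout (date, time, client, event, user, terminal), the event names, the sample log and the firefighter ID list are all constructed assumptions; which real audit event classes count as a "direct" logon has to be decided when adapting the check to an actual SM20 extract.

```python
"""Flag direct logon events by firefighter IDs in a security audit log extract.

Added example; not part of the configuration document and not the user exit
from OSS Note 1545511. The exit blocks such logons at logon time; this
script is a detective check over an exported log. The line layout
(<date> <time> <client> <event> <user> <terminal>), the event names and the
firefighter ID list are constructed assumptions, not the SM20 format.
"""
import re
from collections import Counter

# Constructed: the firefighter IDs maintained under GRC EAM for this system.
FIREFIGHTER_IDS = {"FF_BASIS01", "FF_SEC01", "FF_FIN01"}

# Constructed event names; decide per system which real audit event
# classes represent a user-driven (direct) logon when adapting this.
DIRECT_LOGON_EVENTS = {"DIALOG_LOGON_OK", "DIALOG_LOGON_FAILED"}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\d{3}) (?P<event>[A-Z_]+) (?P<user>\S+) (?P<terminal>\S+)$"
)

# Constructed sample extract. The RFC logon of FF_FIN01 from the GRC system
# is the expected EAM-driven path; the two DIALOG events are violations.
SAMPLE_LOG = """\
2017-05-24 08:01:10 010 DIALOG_LOGON_OK USER01 WS0123
2017-05-24 08:05:44 010 RFC_LOGON_OK FF_FIN01 GRPCLNT010
2017-05-24 09:12:03 010 DIALOG_LOGON_OK FF_FIN01 WS0456
2017-05-24 09:12:40 010 DIALOG_LOGON_FAILED FF_SEC01 WS0789
2017-05-24 10:00:00 010 DIALOG_LOGON_OK USER02 WS0321
this line is malformed and must be skipped rather than crash the parser
"""


def parse_line(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_direct_ff_logons(lines, ff_ids=FIREFIGHTER_IDS):
    """Return events where a firefighter ID logged on (or tried to) directly.

    Users are compared in upper case because SAP user IDs are stored in
    upper case while exports are not always normalised.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] in DIRECT_LOGON_EVENTS and rec["user"].upper() in ff_ids:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count direct logon events per firefighter ID."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    hits = find_direct_ff_logons(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['date']} {h['time']} {h['event']:20} {h['user']:10} from {h['terminal']}")
    print(dict(summarize(hits)))
```

Failed attempts are reported alongside successful ones on purpose: with the user exit active, a failed direct logon by a firefighter ID is exactly the trace the control is expected to leave, and a successful one is the finding to follow up.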

6 ACTIVATE SICF

Activate the following SICF service:
/sap/bc/webdynpro/SAP/GRAC_UI_SPM_AUDIT_WF
