Project ID: iBM
Document Owner: SAP Security
Document Date: 24 May 2017
Document Version: 1.0
Document Status: Final
Document Control
Document Revision History
Contents
INTEGRATED BUSINESS MANAGEMENT PROGRAM
1 GRC Access Control Configuration
1.1 Activating GRC Access Controls
1.2 Maintain Integration Framework
1.2.1 Maintain Connectors and Connection Types
1.2.2 Maintain Connector Settings
1.3 Maintain Access Control Connector Settings
1.4 Maintain Access Control Actions and Connector Groups
1.5 Maintain GRC Access Control Configuration Settings
1.6 Maintain GRC Access Control Configuration Settings – Plug-in system
1.7 Maintain GRC Access Control Configuration Settings – Reason codes
2 Emergency Access Management
2.1 GRC AC EAM Log Review Workflow
2.1.1 Perform Automatic Workflow Customizing
2.1.2 Enable GRC AC specific Event Linking
2.1.3 Activate MSMP BC Set
2.1.4 Maintain MSMP Workflows
2.1.5 Enable GRC Firefighter Workflow Escalations
2.1.6 Enable Escape Path
2.1.7 Enable Workflow for Controllers
2.1.8 Enable Email Reminders
2.1.9 Customise Email Messages
3 Access Risk Analysis
3.1 Activate ARA Default Ruleset
3.2 Update ARA Ruleset with New Connector
3.3 Generate Rulesets
4 Schedule Background Jobs
4.1 Schedule GRC Synchronization jobs
5 Firefighter User Exit
6 Activate SICF
1 GRC ACCESS CONTROL CONFIGURATION
SPRO - Governance, Risk and Compliance -> General Settings -> Activate Applications in Client
Connection type. Select Define Connectors and enter the following details
Target connector: ECPCLNT010
Connection Type: ZSAP_ERP
Logical Port: ECPCLNT010
Max No. of BG WP: 3
Define Connector Group and add new connector group.
Conn.Group: ERP Connector Group
Con.Type: ZSAP_ERP
Highlight Connector Group. Select Assign Connectors to Connector Groups. Enter Target Connector
SPRO - Governance, Risk and Compliance -> Common Component Settings -> Integration Framework ->
Maintain Connector Settings.
Because of interdependencies between certain scenarios in GRC AC 10.0, a Scenario to Connector link
must be maintained for all 4 scenarios available for Access Controls in version 10.
If any of the integration scenarios is not linked to the connector, it may cause issues, so this is a
mandatory configuration step.
SPRO -> Governance, Risk and Compliance -> Access Control -> Maintain Connector Setting.
Maintain
Target Connector: ECPCLNT010
Application Type: 1
Environment: Production
PSS: Yes
1.4 MAINTAIN ACCESS CONTROL ACTIONS AND CONNECTOR GROUPS
SPRO-> Governance, Risk and Compliance -> Access Control -> Maintain Mapping for Actions and
Connector Groups
SPRO-> Governance, Risk and Compliance -> Access Control -> Maintain Configuration Settings
Specify the 'Parameter ID' values for parameters in each of the following 'Parameter Groups':
Change Log
Mitigation
Risk Analysis
Emergency Access Management
Management Dashboard Reports
NWBC -> Access Management -> Emergency Access Maintenance -> Reason Codes
Add Reason Codes
The configuration tool can be launched in IMG under Governance, Risk and Compliance -> Access Control
-> Workflow for Access Control -> Activate MSMP Content for AC
In the GRC application, all the controllers need to be adjusted. The notification method needs to be
switched from email to “Workflow”.
Select "Controllers" under Emergency Access Maintenance
Select Controller and Click "Open"
Enable Notification By "Workflow"
ZGRAC_MSMP_REMINDER
Enter the following Text
There are GRC (Firefighter) workitem(s) in your work inbox that are yet to be actioned. Please
perform the necessary actions.
GRC Inbox
NWBC>Workspace>Tools>System Access Controls>Emergency Access Management>Work Inbox
This reminder has been sent for any GRC (Firefighter) workitem(s) that have not been actioned after
7 days, any GRC (Firefighter) workitem(s) that have not been actioned after 14 days will be
escalated.
Kind regards,
Access Control Administrator
GRC Inbox
NWBC>Workspace>Tools>System Access Controls>Emergency Access Management>Work Inbox
Kind regards,
Access Control Administrator
Default Risk Analysis and Remediation (RAR) rulesets are delivered via BC Sets. Activate the BC sets. Note:
use the “expert mode” during the activation of these BC sets.
Execute transaction SCPR20
Activate GRAC_RA_RULESET_COMMON
Activate GRAC_RA_RULESET_SAP_R3
3.2 UPDATE ARA RULESET WITH NEW CONNECTOR
Depending on the BC Set that was activated, the connector needs to be adjusted to map to the
connectors defined in sections 2 and 3. The system defined in all functions needs to be changed.
To update the rules to work with the connectors defined in sections 2 and 3, we will download the rules
and upload them back into the GRC system. When uploading, there is an option to select the connector to use.
SPRO->Governance, Risk and Compliance->Access Control->Access Risk Analysis->SoD Rules->Download
SoD rules
SPRO->Governance, Risk and Compliance->Access Control->Access Risk Analysis->SoD Rules->Upload SoD
rules
3.3 GENERATE RULESETS
1545511.pdf
6 ACTIVATE SICF
/sap/bc/webdynpro/SAP/GRAC_UI_SPM_AUDIT_WF