**** – GRC – Post Installation checklist

System – **** 100

Steps to be performed (VERIFY STEP ONLY, NO CHANGES) except for Workflow activation steps.

1. Client Copy
After logging into the system, perform the post installation steps for GRC.
First check is to verify the client copy from client 000 to client 100 has completed successfully.
We previously made this copy using client copy profile SAP_ALL. This is the recommended way to copy the client for
a new system.
Navigate the menu tree, Tools Administration Client Administration Copy Logs

Verify the copy was successful. Screen is as shown above.

 2. Activate GRC Apps
Next step is done using transaction SPRO. Transactions are entered into the blank field in the upper left.

Click on the button “SAP Reference IMG.”

NOTE: Much of the configuration is done using transaction SPRO and the SAP Reference IMG during this session.

In the Menu that comes up, go to the area Governance, Risk and Compliance General Settings Activate
Applications in Client.
Three applications exist in this setting: GRC-AC, GRC-PC, and GRC-RM. We are activating only GRC-AC and PC for this
system.
Verify the setting only, no changes needed.

Exit this screen.

3. Time Zone
Still remaining in Transaction SPRO (IMG), check the settings for Time Zones. Choose Maintain System Settings.
Enter SAP_REFERENCE_IMG and go to SAP NetWeaver Time Zones Maintain System Settings.
Verify the Time Zone is set to PST. No changes needed here, verify only. Exit this screen.

4. SICF Settings
Now enter transaction SICF.
Verify the Services are activated. See the screen below: public, bc, grc. (Just check it, no need to do any changes
here.)
Maintain Services for Web Applications allows the content to be used in the system. It must be activated.
See that the public, bc, grc, iwbep, and opu are bold, this means they are activated.
No changes needed here, verify only. Exit this screen.

5. ICM Settings
Now enter transaction SMICM. Go to menu Goto Services.
Check the services. Verify the HTTP, HTTPS, and SMTP services are enabled. Verify the timeout settings are 1800for
Keep Alive, and for Process Timeout.
No changes needed here, verify only. Exit this screen.
 6. SSO Setting
Now enter transaction STRUSTSSO2. Check that the System PSE is green and the SSL server, client, and client SSL are
green.
This setup requires entries in the system profiles and the SAPCRYPTO libraries to be installed in the Kernel at the
operating system level of the SAP system. This is needed for NWBC operation. No changes needed here, verify only.
Exit this screen.

7. UI5 ODATA Gateway SETTING

Setup new User Interface (UI5) views and SAP Netweaver Gateway. This is required for the new Access Control
Request Screens in the NWBC and the Remediation View User Risk Analysis.
Go back into SPRO again. Navigate to Netweaver Gateway Odata Channel Administration General
Settings and execute Activate and Maintain Services
Look at the ICF Nodes and System Aliases at the bottom of the screen. The ICF Node needs to be active and the
System Alias need to have assigned LOCAL Alias.
No need to make any changes here, this step is verify only. Exit this screen.

****** As of today, 10/05 1:04 PM IST, system aliases are not yet been defined, action item pending on BASIS team.

8. NWBC Screen
Launch and test the NWBC interface. Now that all the previous steps have been completed, it is possible to test the
NWBC interface. Enter transaction NWBC in the transaction window to the right of the green check. If you are
current not at the main menu and inside another screen, enter /nNWBC to run the transaction.
The NWBC screen should appear in a new browser window (pop up).

9. Workflow Customizing
Go back into SPRO IMG again. Navigate to GRC  General Settings  Workflow, and execute Perform Automatic
Workflow Customizing.

Execute Perform Automatic Workflow Customizing

Make sure that all tasks are green after the generation as show in the screenshot
Note: you may have to create a transport request
During the activation procedure you might receive an error message, then check the created system user „WF-
BATCH“ in SU01 if the user has sufficient roles assigned –see SAP Note 1251255and the GRC Security Guide.
 You may need to run program RHSOBJCH to fix HR control tables

10. Perform Task-Specific Customizing (To be repeated for Node – AC and

PC)
Go to transaction SPRO again, into the IMG. Enter into Workflow, Perform Task Specific Customizing by selecting
Governance, Risk and Compliance General Settings  Workflow  Perform Task-Specific Customizing

Execute Perform Task-Specific Customizing. Expand the GRC node. Click the Assign Agents link at the right side of the
GRC node.
Assign Task as General Task via Task Attribute. Make sure all tasks that are not using Background task have been
assigned as General Task.
Click Activate event linking

Click the Properties icon. Set the Linkage Status to No errors

Make sure Event linkage activated is checked. Set Error feedback to do not change linkage
Be sure to activate all WS.
The above changes are captured in transport - ****K900028
 11. Appendix –Task-Specific customizing with plugins

Go to transaction SWE2 and maintain the following linkages by double clicking on each line in Change mode. This has
to be done ONLY for ABAP Class Object category and type = CL_GRAC*

Double click on the each line item and maintain the entries as in the following windows which come up.
Go to transaction PFTC and select the type and task as shown below,
you need to repeat the whole process for each item.
Display Approval webdynproApplTS 76307918
Display Role Approval AppTS 76307944
user access review approval taskTS 76307964
Role approval UI taskTS 76307966
GRAC Read StageTS 76307967
GRAC Read StageTS 76308011
GRAC DiaplayApproval for ARTS 76308013
Access Request Approval dialogTS 76308021
Access Request Approval dialogTS 76308026
SPM Audit Review ApprovalTS 76308028
RAR Rule for Function Approval TS 76308029
Display Approval webdynproApplTS 76308031
Display Approval webdynproRAR RiskTS 76308038
Display Approval webdynproApplTS 76308047
Role assignementdialog stepTS 76308056
Control assignment approval dialogTS 76308057

Double click and open in change mode, below screen appears

Then go to Additional Data -> Agent assignment -> Maintain. If the “Transfer container elements” window shows answer always
“No”
Now select “Attributes” and change the task to General Task

The same above steps will be repeated for all the tasks listed as above.

WorkFlow –
Access Request Approval Workflow WS76300056
User Access Review Workflow WS76300082
Function Approval Workflow WS76300084
Mitigation Control Maintenance WS76300088
Risk Approval Workflow WS76300085
SOD Risk Review Workflow WS76300081
Role Approval Workflow WS76300080
Fire Fighter Log Report Review WF WS76300089
Control Assignment Approval Workflow WS76300087
Role Assignment Review WorkflowWS76300086
Repeat the step for all the below workflows –

User Access Review Workflow WS76300082

Function Approval Workflow WS76300084
Mitigation Control Maintenance WS76300088
Risk Approval Workflow WS76300085
SOD Risk Review Workflow WS76300081
Role Approval Workflow WS76300080
Fire Fighter Log Report Review WF WS76300089
Control Assignment Approval Workflow WS76300087
Role Assignment Review WorkflowWS76300086
After you have changed all tasks you need to activate the workflows
tasks using transaction SWDD
Need to repeat the below steps for all the workflows id mentioned.

User Access Review Workflow WS76300082

Function Approval Workflow WS76300084
Mitigation Control Maintenance WS76300088
Risk Approval Workflow WS76300085
SOD Risk Review Workflow WS76300081
Role Approval Workflow WS76300080
Fire Fighter Log Report Review WF WS76300089
Control Assignment Approval Workflow WS76300087
Role Assignment Review WorkflowWS76300086
Transport - ****K900031