Notes


INSTALLATION OF GRC SERVER

installation of main components of ac/pc/rm

1. main installation components:


GRCFND_A V1000 GRC FOUNDATION ABAP

GTS (GLOBAL TRADE SYSTEM)

SLL-LEG

NFE (NOTA FISCAL ELECTRONICA)

SLL-NFE

SAP NW AS ABAP 7.02 WITH SP6 OR HIGHER

SAP GRC10.1
SAP NW AS ABAP 7.40 SP02
GRCFND_A V1100

installation of plug-in for ac/pc/rm on erp or nw as

GRCPINW SAP GRC NW PLUGIN


GRCPIERP

R/3 4.7 SAP_BASIS SP 63 620


ECC5 SAP_BASIS SP 18 640
ECC6 SAP_BASIS SP 13 700
NW 7.01 " 02
01

SAP GUI 7.30 IS RECOMMENDED

000-----------------------------DDIC
SAINT/SUM Tool - ADD ONS
add ons available .sar file

sapcar -xvf <abc.sar>

post installation activities:

client copy

*** 400 frontend system in BPD


399 backend system in EH6*****

a. now establish the communication between 400 (front grc server) and 399 (backend
ecc system) client through RFC

b. creating logical systems------ sale/bd54


c. assigning logical systems to clients-----sale/scc4
now perform the same in other client
d. creating rfc connections-------sale/sm59

2. ACTIVATING APPLICATIONS

SPRO
sap reference img
GRC
GENERAL SETTINGS

EXECUTE ACTIVATE APPLICATIONS IN CLIENT

CLICK ON NEW ENTRIES

GRC-PC
GRC-RM
GRC-AC

NOW SELECT THE CHECK BOX: ACTIVATE

NOW SAVE.

3. SICF (sap internet communication framework)

T-CODE SICF

EXECUTE

EXPAND DEFAULT HOST

EXPAND SAP

NOW SELECT GRC, RIGHT CLICK ON IT, CLICK ON ACTIVATE

1. Activate each of the following ICF service nodes:

/sap/public/bc
/sap/public/bc/icons
/sap/public/bc/icons_rtl
/sap/public/bc/its
/sap/public/bc/pictograms
/sap/public/bc/ur
/sap/public/bc/webdynpro
/sap/public/bc/webdynpro/mimes
/sap/public/bc/webdynpro/adobeChallenge
/sap/public/bc/webdynpro/ssr
/sap/public/bc/webicons
/sap/public/myssocntl

Activate all GRAC, GRPC, and GRRM services.


Activate all services under /sap/bc/webdynpro/sap.

4. Activating BC Sets
SCPR20

ARA----1 1
GRAC_RA_RULESET_COMMON
ARM----4 7
GRAC_ACCESS_REQUEST_APPL_MAPPING
GRAC_ACCESS_REQUEST_EUP
GRAC_ACCESS_REQUEST_PRIORITY
GRAC_ACCESS_REQUEST_REQ_TYPE
GRAC_DT_REQUEST_DISPLAY_SECTIONS
GRAC_DT_REQUEST_FIELD_LABELS
GRAC_DT_REQUEST_PAGE_SETTINGS
BRM----5 6
GRAC_ROLE_MGMT_LANDSCAPE
GRAC_ROLE_MGMT_METHODOLOGY
GRAC_ROLE_MGMT_PRE_REQ_TYPE
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_SENTIVITY
GRAC_ROLE_SEARCH_CONFIGURATION

EAM----1 1
GRAC_SPM_CRITICALITY_LEVEL
BACKEND SYSTEM----1
GRAC_RA_RULESET_SAP_R3

front end: EC5CLNT200 test1234


back end: ec5clnt800

Note
A message with a yellow background is only a warning and you can proceed.
A message with a red background is an error message and you must resolve the error.

If you receive a Basis error message with a red background, contact your system
administrator.

5. creating and maintaining connectors

batclnt800 backend system


batclnt100 frontend system
spro
sap reference img
GRC
COMMON COMPONENT SETTINGS
INTEGRATION FRAMEWORK
CREATE CONNECTORS - NOW IT WILL TAKE YOU TO SM59

connector groups

SRM DEV QUA PRO


ECC DEV QUA PRO
CRM DEV QUA PRO

6. maintain connectors and connection types

GRC- COMMON COMPONENT SETTINGS- INTEGRATION FRAMEWORK- MAINTAIN CONNECTORS AND CONNECTION TYPES
SELECT SAP-
DOUBLE CLICK ON DEFINE CONNECTORS
CLICK ON NEW ENTRIES:
TARGET CONNECTOR   CONNECTION TYPE   SOURCE CONNECTOR   LOGICAL PORT   MAX. NO. OF BW PS
EH6CLNT455         SAP               EH6CLNT455         EH6CLNT455     3

now save
note: source connector and logical port must be the same
NOW SELECT EH6CLNT455
NOW DOUBLE CLICK ON DEFINE CONNECTOR GROUP
CLICK ON NEW ENTRIES

CONN. GROUP   CONNECTION TEXT   CON. TYPE
JAINY         JAINY GROUP       SAP
SAVE

NOW SELECT JAINY CONNECTOR GROUP


DOUBLE CLICK ON ASSIGN CONNECTOR GROUP TO GROUP TYPES
CLICK ON NEW ENTRIES

CONNECTOR GROUP TYPE


SELECT LOGICAL GROUP
SAVE

DOUBLE CLICK ON ASSIGN CONNECTORS TO CONNECTOR GROUPS


TARGET CONNECTOR   CONNECTION TYPE
EH6CLNT800         SAP
SAVE NOW

7. maintain connection settings

spro-grc-common component settings- integration framework

maintain connection settings

integration scenario: AUTH

CONTINUE

NOW SELECT AUTH

NOW DOUBLE CLICK ON SCENARIO CONNECTOR TYPE LINK

NOW SELECT SAP

NOW DOUBLE CLICK ON SCENARIO CONNECTOR LINK

CLICK ON NEW ENTRIES

NOW SELECT TARGET CONNECTOR: <RFC DESTINATION OF TARGET SYSTEM>

ENTER

NOW SAVE IT, IT WILL PROMPT FOR CUSTOMIZING REQUEST.

CREATE AND SAVE

AUTH - ARA
PROV - ARM
ROLMG - BRM
SUPMG - EAM

UNICODE

TABLE:
GRFNCGRPCONLK Connector Group and Connector Type Link
GRFNCONNGRP Connector Group definition

GRFNCONNGRPT Connector Group Description

GRFNCONNGRPTYPE Connector Group Type Definition

GRFNCONNSCNLK Connector Scenario Link

GRFNFLDHR HR Configurable Fields

GRFNFREQUENCYS Timeframe Frequencies - SAP delivered entries

8. MAINTAIN CONFIGURATION SETTINGS

Work Center- Work Set (no workset in grc) - Function- Related links

SPRO-SAP REFERENCE IMG- GRC- ACCESS CONTROL

MAINTAIN CONFIGURATION SETTINGS

HERE YOU CAN CREATE A NEW PARAMETER BY CLICKING NEW ENTRIES

PARAMETER GROUP   PARAMETER ID   PAR. VALUE
RISK ANALYSIS     1024           1

SAVE.

OR

YOU CAN CHANGE THE EXISTING PARAMETERS

SAVE.

MAINTAIN RISK ANALYSIS PARAMETERS 1023,1024,1025,1026,1027,1036,1048


ARA 1024 1 (HIGH)
ARM 20
BRM 30
EAM 40

Configuration Parameters: GRACCONFIG table contains the defaults

9. MAINTAIN CONNECTOR SETTINGS

SPRO-SAP REFERENCE IMG- GRC- ACCESS CONTROL

MAINTAIN CONNECTOR SETTINGS

CLICK ON NEW ENTRIES

TARGET CONNECTOR           APP. TYPE   ENVIRONMENT
RFCDEST. (BACK END SYS.)   001 (SAP)   DEVELOPMENT

IN THIS STEP WE SPECIFY WHICH TYPE OF ENVIRONMENT THE SYSTEM BELONGS TO:
DEV, QUA OR PRO

10. MAINTAIN MAPPING FOR ACTIONS AND CONNECTOR GROUPS:

Usage and Activities for Field Mapping


Field Mapping Usage?
In Role Management there are four phases that require you to choose a connector

The phases are associated with the following actions:

0001 Role Generation


0002 Role Risk Analysis
0003 Authorization Maintenance
0004 Provisioning
0005 HR Triggers

In this Customizing activity, you can assign the actions to a connector group and
then choose the default connector for each group.

SPRO - SAP REF IMG- GRC- ACCESS CONTROL- MAINTAIN MAPPING FOR ACTIONS AND CONNECTOR
GROUPS

CLICK ON NEW ENTRIES

CONNECTOR GROUP   ACTIVE       APPL. TYPE
BATCH10           CHECK MARK   001

NOW SELECT BATCH10 CONN. GROUP

NOW DOUBLE CLICK ON: ASSIGN DEFAULT CONNECTORS TO CONNECTOR GROUPS

NEW ENTRIES
CONNECTOR GROUP   ACTION   TARGET CONNECTOR   DEFAULT
BATCH10           0001     RFC DEST           SELECT
BATCH10           0002     "                  "
BATCH10           0003     "                  "
BATCH10           0004     "                  "

save

11. MAINTAIN PLUG-IN SETTINGS

PERFORM THIS STEP IN BACKEND SYSTEM.

SPRO- SAP REF. IMG- GRC (PLUGINS)- MAINTAIN PLUG-IN CONFIGURATION SETTINGS

NEW ENTRIES

PARAMETER ID: 1001


SEQUENCE: 2
PARAMETER VALUE: jainy900 (RFC DEST. OF GRC SYSTEM)
again

NEW ENTRIES

PARAMETER ID: 1000


SEQUENCE: 1
PARAMETER VALUE: jainy455 (RFC DEST. OF BACK END SYSTEM)

SAVE

IT WILL PROMPT FOR CUST. REQUEST, CREATE AND SAVE.

THIS IS THE ONLY STEP WE PERFORM IN THE BACKEND SYSTEM.

NOW GO TO FRONT END SYSTEM

12. SYNCHRONIZATION JOBS:

AUTHORIZATION SYNCH

BY THIS STEP WE ARE GOING TO SYNCH BACK END SU24 DATA INTO THE GRC SYSTEM.

USOBT AND USOBX TABLES; THE CUSTOMER TABLES ARE USOBT_C AND USOBX_C.

SPRO- SAP REF. IMG- GRC- ACCESS CONTROL- SYNCHRONIZATION JOBS- AUTHORIZATION SYNCH

CONNECTOR: BATCH800 (BACK END RFC DEST.)

PROGRAM MENU- EXECUTE IN BACKGROUND

CONTINUE AND IMMEDIATE

NOW THE GRAC_PFCG_AUTHORIZATION_SYNC JOB IS SCHEDULED, WHICH WILL SYNCH SU24 DATA FROM
BACKEND TO FRONT END SYSTEM.
PROGRAM: GRAC_PFCG_AUTHORIZATION_SYNC

13. NOW SYNCH REPOSITORY OBJECTS

ACCESS CONTROL- SYNCHRONIZATION JOBS- REPOSITORY OBJECT SYNC

BY THIS STEP WE SYNCH ROLES, USERS AND PROFILES

CONNECTOR: BATCH800 (RFC DEST. OF BACK END SYSTEM)

PROGRAM MENU- EXECUTE IN BACKGROUND

CONTINUE AND IMMEDIATE

NOW THE GRAC_REPOSITORY_OBJECT_SYNC JOB IS SCHEDULED, WHICH SYNCHS USERS, ROLES AND
PROFILES FROM BACK END SYSTEM TO GRC.

THE FOLLOWING ARE THE PROGRAMS/BACKGROUND JOB INCLUDED IN REPOSITORY OBJECT SYNCH:
GRAC_ROLEREP_PROFILE_SYNC
GRAC_ROLEREP_ROLE_SYNC
GRAC_ROLEREP_USER_SYNC

FOLLOWING ARE THE TABLES FOR connector-specific users, roles and profiles

USER TABLE: GRACUSERCONN


ROLE TABLE: GRACRLCONN
PROFILE TABLE: GRACPROCONN

14. GENERATING RULE SET:

SPRO- SAP REF IMG- GRC- ACCESS CONTROL- ACCESS RISK ANALYSIS- SOD RULES- GENERATE
SOD RULES

RISK ID: *

SCHEDULE IT IN BACKGROUND JOB

GRAC_GENERATE_RULES IS A BACKGROUND JOB WHICH GENERATES RULE SETS.

RULE SET TABLE: GRACACTRULE (RISK)


RULE SET DEMO RULESET
BUSINESS PROCESS BASIS related
Z_RISK

FUNCTION1          FUNCTION2    FUNCTION3
SU01, SU10, SUGR   PFCG, SUPC   SM30, SE16N, SE38, STMS, SM69

ACTIONS/PERMISSIONS A/P

ACTIONS - T-CODES

PERMISSIONS - AUTHORIZATION OBJECTS

USER1- SU01, PFCG

standard rule set - global rule set

check out all standard roles: sap_grac*

TABLE: GRACRULESET

15. CREATION OF BUSINESS PROCESS:

SPRO- SAP REF IMG- GRC- ACCESS CONTROL- MAINTAIN BUSINESS PROCESS AND SUB PROCESS

CLICK ON NEW ENTRIES

BUSINESS PROCESS: BATCH10BUS DESCRIPTION: BATCH10 BUSINESS PROCESS

IT WILL PROMPT YOU TO CREATE REQUEST

SAVE

TABLE
GRACBPROC Business Process
GRACBSUBPROC SUB BUSINESS PROCESS
GRACBPROCT Business Process Text

16. CREATION OF FUNCTIONS:

NWBC- SETUP- UNDER ACCESS RULE MAINTENANCE-

FUNCTIONS
CREATE-
FUNCTION ID: B10FUN1
BUSINESS PROCESS: BATCH10 BUSINESS PROCESS

DESCRIPTION: SU01

UNDER ACTION TAB

CLICK ON ADD

SYSTEM: RFC DESTINATION


ACTION: SU01

SAVE

NOW CREATE ONE MORE FUNCTION WITH PFCG T-CODE (ACTION)

CREATE-
FUNCTION ID: B10FUN2
BUSINESS PROCESS: BATCH10 BUSINESS PROCESS

DESCRIPTION: pfcg

UNDER ACTION TAB

CLICK ON ADD

SYSTEM: RFC DESTINATION


ACTION: pfcg

SAVE

NOW GENERATE FUNCTIONS

TABLE: GRACFUNC

17. NOW CREATE A RISK AND ATTACH THE ABOVE TWO FUNCTIONS TO THIS RISK:

NWBC- SETUP- ACCESS RULE MAINTENANCE- ACCESS RISKS- CREATE

ACCESS RISK ID: B10RISK


RISK TYPE: SOD
BUSINESS PROCESS: BATCH10 BUSINESS PROCESS
DESCRIPTION: BATCH10 SEC RELATED
RISK LEVEL: MEDIUM

DESCRIPTION: RISK FOR FUNCTION

UNDER FUNCTION TAB


CLICK ON ADD:
B10FUN1
B10FUN2
NOW IT WILL ASK YOU FOR RULE SET

NOW WE WILL CREATE RULE SET:

18. NWBC- SETUP- ACCESS RULE MAINTENANCE- RULE SET

CREATE

RULE SET ID: B10RULE


DESCRIPTION: BATCH10 RULE SET

save

GENERATE RISK AS WELL

20. NOW MAINTAIN ACCESS OWNERS:

NWBC- SETUP- ACCESS OWNERS

ACCESS CONTROL OWNER

CREATE

OWNER: GRCUSER4

SELECT THE CHECK BOX: RISK OWNER

SAVE CLOSE

NOW GO TO BACKEND SYSTEM AND CREATE A ROLE WITH THE COMBINATION OF SU01 AND PFCG

COME TO FRONT END SYSTEM AND PERFORM SYNCHRONIZATION

SPRO- GRC- ACCESS CONTROL- SYNCHRONIZATION JOBS- REPOSITORY OBJECT SYNCH

CONNECTOR: RFC DESTINATION

PROGRAM MENU- BACKGROUND.
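
The SoD logic configured in steps 14 to 17, as an added Python example that is not part of the original notes and is not SAP code: each risk is expanded into one rule per combination of actions across its functions, and a user is flagged when the actions from all assigned roles together cover a rule. Role names, user-to-role assignments and the rule-ID format are constructed for illustration.

```python
from itertools import product

# Constructed sample data mirroring the page's B10FUN1 / B10FUN2 / B10RISK objects.
FUNCTIONS = {
    "B10FUN1": {"SU01"},   # action: user maintenance
    "B10FUN2": {"PFCG"},   # action: role maintenance
}
RISKS = {
    "B10RISK": {"type": "SOD", "level": "MEDIUM",
                "functions": ["B10FUN1", "B10FUN2"]},
}
# Hypothetical backend roles and assignments, as a repository sync would report them.
ROLES = {
    "Z_B10_USER_ADMIN": {"SU01", "SU10"},
    "Z_B10_ROLE_ADMIN": {"PFCG"},
    "Z_B10_COMBINED": {"SU01", "PFCG"},
}
USERS = {
    "USER1": ["Z_B10_COMBINED"],
    "USER2": ["Z_B10_USER_ADMIN"],
    "USER3": ["Z_B10_USER_ADMIN", "Z_B10_ROLE_ADMIN"],
}

def generate_rules(risks, functions):
    """Expand each risk into rules: one action per function, every combination."""
    rules = []
    for risk_id, risk in sorted(risks.items()):
        action_sets = [sorted(functions[f]) for f in risk["functions"]]
        for n, combo in enumerate(product(*action_sets), start=1):
            # Rule ID format (risk ID + counter) is an assumption for this example.
            rules.append((f"{risk_id}{n:03d}", risk_id, frozenset(combo)))
    return rules

def user_actions(user, users, roles):
    """Union of transaction codes over all roles assigned to the user."""
    return set().union(*(roles[r] for r in users[user]))

def analyze(users, roles, rules):
    """Return {user: [(rule_id, risk_id, actions)]} for every rule the user covers."""
    findings = {}
    for user in sorted(users):
        held = user_actions(user, users, roles)
        hits = [(rid, risk, sorted(acts)) for rid, risk, acts in rules if acts <= held]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in analyze(USERS, ROLES, generate_rules(RISKS, FUNCTIONS)).items():
        print(user, hits)
```

USER3 is flagged even though neither assigned role contains both transactions, which is why the analysis has to run at user level after the repository sync and not only per role.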


EAM:

FF:lara
FFID: backend as service user
FFOWNER:
FFCONTROLLER:

create 3 users by su01 t-code in grc system

ff
ffowner
ffcontroller

and assign the respective roles to the above users.

now go to backend system

create ffid as service user.

/N/VIRSA/VFAT 5X

GRAC_SPM

SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER

The Background Job for Log Collection can be scheduled periodically from SM36
using program GRAC_SPM_LOG_SYNC_UPDATE.

BUSINESS ROLE MANAGEMENT

1. VERIFY DEFAULT CONFIGURATION PARAMETERS

2. Maintain AC owners

Go to NWBC - Access Management - Access Control Owners and maintain the owners

After this is done it is possible to configure these users as role owners

Configuration steps for BRM

3. Maintain Role Type Settings

In this customizing activity, you can activate or deactivate role types.


All role types are set as active by default
The following role types are pre delivered:
BUS - Business Role
COM - Composite Role
CUA - CUA Composite Role
DRD - Derived Role
GRP - Group
PRF - Profile
SIN - Single Role
TPL - Template

Deactivate Role Types


In the deactivate role type, check the inactive checkbox for the role types
that you do not want to include in the role types definition.

4. Maintain Labels for Role Types


In this customizing activity, you can maintain the description and language
for the role types, which are displayed on the role maintenance screen.

5. Specify Maximum Length for Role Type


Here you can specify the maximum length for the name of a role based on the role
type.
For example, you can specify that for Business Role type, the role can have maximum
length of 70 characters.

6. Role Naming Convention


Naming Convention for naming roles can be maintained here:
You can maintain a different naming convention for each role type

7. Role Attributes: Maintain Project and Product Release Name


Project and Product release name are attributes that you can assign to roles.
You can create and edit the list of available projects and product releases with
this customizing option

8. Role Attributes: Define Role Sensitivity


Role sensitivity is an attribute that you assign to roles.
This provides the ability to organize the authorization structure in the company
with transaction PFCG

ARM Access Request Management


Mandatory configuration for model user:
1. Configuration parameter: 2051 NO
2. Maintain Data Source Configuration:
SPRO-GRC-AC-Maintain Data Source Configuration
- 1. User Search Data Source - New Entries-
- Target Connection: bpdclnt455
- Sequence: 1
- User Data Type: SU01
- 2. User Detail Data Source (same as above)
- 3. User Authentication Data Source (same as above)
- 4. End User validation: YES
BRF+
Please check table FDT_ADMN_0000 for Object Type AP (Application) and FU
(Function). See if your ZINIT_CUST01 already exists.

GRFNMW_DBGMONITOR_WD
slg1
sost

CREATE APPROVER:
ROLES:
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
SAP_GRC_NWBC
SAP_GRAC_ACCESS_APPROVER

GRFNMW_CONFIGURE

Prepared by Shahid ([email protected])

The GRACROLE table stores the methodology for the role

RSUVM002
TUTYP
USMM
GRC_MSMP_CONFIGURATION

https://www.youtube.com/watch?v=9vWiJ3tNTTg

ARM 91
BRM 143

Internal policies, processes, procedures


Whether we comply with the internal policies and procedures is what PC
deals with.

risk--- good, manufacturing product- risk, safety measures, health and safety

fraud management: preventing the risk before it takes place, whereas in PC we are
detecting the existing risk
controls business process person, stake holders, anything is deviating, it will be
notified.
