GRC Access Control Configuration Guide
Uploaded by
spscrttrainingGRC Access Control Configuration Guide
Uploaded by
spscrttrainingConfiguration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
POST INSTALLATION: ................................................................................................................................. 2
Step: 001 > Post Installation: Configuring RFC Connections ............................................................................ 2
Step: 002 > Post Installation: Active the application in the client ..................................................................... 4
Step: 003 > Post Installation: Activating the Services ..................................................................................... 5
Step: 004 > Post Installation: Perform Automatic Workflow Configuration ......................................................... 7
Step: 005 > Post Installation: Define Business Process & Sub Business Process ................................................. 8
COMMON CONFIGURATION: ........................................................................................................................ 9
Step: 006 > Common Configuration: Activating BC Sets ................................................................................. 9
Step: 007 > Common Configuration: Maintain Connectors to Connection Type ................................................ 12
Step: 008 > Common Configuration: Maintain Connection Settings ................................................................ 16
Step: 009 > Common Configuration: Maintain Connector Settings.................................................................. 18
Step: 010 > Common Configuration: Maintain Configuration Settings ............................................................. 19
Step: 011 > Common Configuration: Maintain Mapping for Actions and Connector Groups ................................ 20
Step: 012 > Common Configuration: Maintain Access Control Owners & other Nominations: ............................. 22
Step: 013 > Common Configuration: Synchronization Jobs ........................................................................... 25
ACCESS RISK ANALYSIS: .......................................................................................................................... 28
Step: 014 > ARA: SoD Rules > Create & Maintain Rule Set, Function ID & Risk ID ........................................... 28
Step: 015 > ARA: SoD Rules > Downloading SoD Rules ................................................................................ 34
Step: 016 > ARA: SoD Rules > Uploading SoD Rules .................................................................................... 36
Step: 017 > ARA: SoD Rules > Generate SoD Rules ..................................................................................... 37
Step: 018 > ARA: Run User Risk Analysis.................................................................................................... 40
Step: 019 > ARA: Batch Risk Analysis ........................................................................................................ 42
Step: 020 > ARA: Mitigation Configuration .................................................................................................. 46
EMERGENCY ACCESS MANAGEMENT:.......................................................................................................... 51
Step: 021 > EAM: Prerequisite: Maintain Connection Settings ........................................................................ 53
Step: 022 > EAM: Prerequisite: Maintain Configuration Settings .................................................................... 54
Step: 023 > EAM: Prerequisite: Create Users and Roles & Maintain in Access Control Owners ............................ 54
Step: 024 > EAM: Prerequisite: Assign Owner to FFID .................................................................................. 58
Step: 025 > EAM: Prerequisite: Assign FFID to Controller and firefighters ....................................................... 60
Step: 026 > EAM: Prerequisite: Create a Reason Code ................................................................................. 62
Step: 027 > EAM: Firefighter log Synchronization ........................................................................................ 62
Step: 028 > EAM: Working of FFID execution by firefighter ........................................................................... 63
Step: 029 > EAM: FFID Reports Execution .................................................................................................. 64
ACCESS REQUEST MANAGEMENT: .............................................................................................................. 65
Step: 030 > ARM: Prerequisite: Create Users with required roles ................................................................... 66
Step: 031 > ARM: Prerequisite: Maintain Connection Settings ....................................................................... 66
Step: 032 > ARM: Prerequisite: Maintain Configuration Settings .................................................................... 68
Step: 033 > ARM: Prerequisite: Configure Number Ranges & Activate ............................................................ 68
Step: 034 > ARM: Prerequisite: Maintain Provision Settings .......................................................................... 70
Step: 035 > ARM: Maintain Define Request types – MSMP Process IDs ........................................................... 71
Sirish Vetcha, Consultant - GRC 10.0 1 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 036 > ARM: Maintain MSMP Workflow ................................................................................................ 72
POST INSTALLATION:
Step: 001 > Post Installation: Configuring RFC Destination
Information : We are creating logical backend system which will be connected through RFC connection from
GRC server. Therefore we can say that the backend server is a RFC destination.
RFC connection should always be created in CAPS only.
T-Code : SM59
Path :
Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Execute Create Connectors
Expand ABAP Connectors
Under “RFC Connections” Click ICON of Create
RFC Destination: XXXXXXX (Give Logical Backend system Name)
Connection Type: 3 – “ABAP Connection”
Get the IP Address of the target host and fill at field “Target Host”.
For practice purpose give the same IP address of server we are working.
To get the IP Address Go To “Run” button at windows Start button
Give command “CMD”
Dos Window will be opened.
Give the command “IPCONFIG”
Find the current server IP address and note down the server name
Give this server name example [Link] at “Target Host” & enter
Now find the Target Host fills with [Link] & IP address field will fill automatically with [Link]
SAVE
Sirish Vetcha, Consultant - GRC 10.0 2 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Test the creation of destination:
Click Connection type & find below result
Sirish Vetcha, Consultant - GRC 10.0 3 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Then Click Remote Logon & find below screen:
Step: 002 > Post Installation: Active the application in the client
Information : GRC have 3 applications in it and as per the agreement with the client we have to activate the
required applications
AC – Access Control
PC – Process Control
RM – Risk Management
T-Codes :
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
General Settings
Execute Active Applications in Client
Sirish Vetcha, Consultant - GRC 10.0 4 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Click “New Entries”
Select required applications from drop down at 3 different rows
TICK all the selected applications under “ACTIVE”
GRC – AC
GRC – PC
GRC – RM
SAVE
Step: 003 > Post Installation: Activating the Services
Information : Here we activate HTTP services. This is used for access Portal, NWBC and Web dynpro Screens.
T-Codes : SICF
Path :
Configuration Details :
Sirish Vetcha, Consultant - GRC 10.0 5 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Provide Hierarchy Type : SERVICE through help & Execute
Select required Host under Virtual Hosts/ Services Maximizing “Default_host”
Select “SAP” under “Default_host” or can select “GRC” under “SAP”
(Please don’t double click. Just Select)
Select “SERVICE/ HOST” Tab at Menu
Select Activate
Sirish Vetcha, Consultant - GRC 10.0 6 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 004 > Post Installation: Perform Automatic Workflow Configuration
Information : We 5 events related to workflow and all should be in Green Tick Mark. Each event has the sub
events and should ensure all these are also in green.
T-Codes :
Path :
Configuration Details : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
General Settings
Workflow
Execute Perform automatic workflow customizing
Sirish Vetcha, Consultant - GRC 10.0 7 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 005 > Post Installation: Define Business Process & Sub Business Process
Information : The business processes are already given by SAP. The Sub processes are to be created by us as
per the client requirement. If the client don’t provides then consider the business process only as
sub process and maintain the same because maintaining the sub process is mandatory.
T-Codes :
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Execute Maintain Business Process & Sub Process
Select required Business Process for which we propose to maintain Sub Business Process
Example take FI00 & Double click Business Subprocess
Sirish Vetcha, Consultant - GRC 10.0 8 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Click New Entries
Give the Sub Business Process as below & SAVE
After creating Sub Business Process we can maintain separate connector group for each sub-process.
If so, Select the target Sub Business Process and double click Assign Application Area to Business Process > Click
New entries and select one of existing connector group
COMMON CONFIGURATION:
If we don’t maintain all integration scenarios for the connector, then system will through a dump when we try to
login with firefighter ID, using GRAC_SPM or GRAC_EAM transaction.
Fix it at Maintain Connection Settings in common component settings.
Step: 006 > Common Configuration: Activating BC Sets
Information : Maintain BC Sets. These Business Configuration sets are to be maintained in a perfect
sequence.
List of BC Sets to be maintained are:
APPLICATION BUSINESS CONFIGURATION SET
GRC_MSMP_Configuration
WORKFLOW GRC_MSMP_Sample_Conf
GRC_MSMP_STD_Conf
GRAC_RA_Ruleset_Common
GRAC_RA_Ruleset_SAP_APO
ACCESS RISK GRAC_RA_Ruleset_SAP_Basis
ANALYSIS GRAC_RA_Ruleset_SAP_NHR
GRAC_RA_Ruleset_SAP_R3
GRAC_RA_Ruleset_SAP_ECCS
Sirish Vetcha, Consultant - GRC 10.0 9 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
GRAC_RA_Ruleset_SAP_HR
EMERGENCY
ACCESS GRAC_SPM_Criticality_ Level
MANAGEMENT
GRAC_Access_Request_Req_Type
ACCESS REQUEST GRAC_Access_Request_Priority
MANAGEMENT GRAC_Access_Request_APPL_Mapping
GRAC_Access_Request_EUP
GRAC_Role_MGMT_Landscape
BUSINESS ROLE GRAC_Role_MGMT_Methodology
MANAGEMENT GRAC_Role_MGMT_Pre_Req_Type
GRAC_Role_MGMT_Role_Status
GRAC_Role_MGMT_Sentivity
T-Codes : SCPR20
Path :
Go to BC Set field
Use help level
Give GRC* for 3 workflow related BC sets & GRAC* for other access control related BC Sets
Select the BC Set
Sirish Vetcha, Consultant - GRC 10.0 10 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Click Activation Button
Click to continue
Windows activation option will be opened
Under overwrite data: 1st time select overwrite & next time onwards select do not overwrite
Under select activation mode select Expert mode
Analyze the other options to know more.
Sirish Vetcha, Consultant - GRC 10.0 11 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 007 > Common Configuration: Maintain Connectors to Connection Type
Information : Connection types are varieties of back end systems which are eligible to connect GRC
You may remember we have created Connectors in the 1 st step as RFC destination. Now we are
maintaining connectors to connection type. This activity is configuring for communicating
backend system from GRC.
This is the Connector configuration for communicating to backend system. This will define the
connectors for common components like AC, PC, RM.
The connector is nothing but RFC connection
T-Codes :
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Maintain Connectors and Connection Types
Sirish Vetcha, Consultant - GRC 10.0 12 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
After creating connectors > we have to say what type of connection we connect at backend.
Connection type is the type of backend system. Types of backend we use is SAP for IDM we will select Web
Services.
Select the required back end type: Let’s take SAP
Select “SAP-SAP System”
Double Click “Define Connectors”
Fill as below:
Target Connector: Use help and select already created connector
Connection Type: Use help & select SAP as we have taken backend as SAP
Source Connector: Give here also the Target Connector name only
Logical Port: Give here also the target connector name only
Max No. of BG: Give 3 here
SAVE
Sirish Vetcha, Consultant - GRC 10.0 13 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Select the created Target Connector
Double Click Define Connector Group
Click “New Entries”
Give Connector Group Name & SAVE
Connector groups are maintained by SAP as per the connector type (backend type) like ECC, CRM, R3, Basis etc.
Here we suggest use the sap given connector groups instead of creating new one. If any customizing is required to
do then copy the connector group and can customize.
These connector groups are especially useful while doing function mass maintenance. (Adding one function in
multiple systems) We can also generate rules for multiple systems using a connector group.
Select created connector group & double click Assign Connectors groups to Group type:
Here we are defining type of connector group. The type is LOGICAL GROUP. Select from drop down.
Sirish Vetcha, Consultant - GRC 10.0 14 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Sirish Vetcha, Consultant - GRC 10.0 15 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 008 > Common Configuration: Maintain Connection Settings
Information : Here For the work area we maintain connection settings. We need to assign connectors to the
integration scenarios – AUTH, PROV, SUPMG, ROLMG
AUTH: Authorization Management/ maintenance used for ARA
PROV: Provisioning user for ARM
SUPMG: Super User Management used for EAM
ROLMG: Role Management used for BRM
Here we define what RFC connections we use for different work areas/ platforms.
Integration between the work areas ARA, ARM, BRM & EAM is already made by SAP. But, if we
maintain different connectors to each work area we have tell to SAP that what work area is in
which connector. Based on the selected connector from help level which we already defined will
be picked. As we defined the type of connector to that it will display by itself whether it is SAP or
People soft etc. automatically.
T-Codes :
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Execute Maintain Connection Settings
Then define a connector Group and assign the connectors to the group.
Assign connectors to integration scenarios Like AUTH, PROV,SUPMG,ROLMG
Sirish Vetcha, Consultant - GRC 10.0 16 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Select the work area maintained
Double click Scenario Connector Link
Give Target Connector from help level & after selecting just press enter
Find connection type & text prefills automatically & SAVE
If require to find the Scenario Connection type link Select given work area & double click “Scenario-Connection
type Link”
Sirish Vetcha, Consultant - GRC 10.0 17 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the interface used for connection type
Step: 009 > Common Configuration: Maintain Connector Settings
Information : Here we categorize the connectors to development, Test, and Production. In addition
to that we also enable Password Self Service – PSS.
The ideal way of connection will be as below
GRC ECC
DEV to DEV
QLT to QLT
DEV, QLT, & PRD to PRD
Ideally GRD & GRQ are in one server and have 2 different clients in the same server. GRP is
maintained separately.
In other cases:
GRD GRQ GRP – GRC SERVER
ECD ECQ ECP – ECC SERVER
CRD CRQ CRP – CRM
SCD SCQ SCP – SCM
Path : SPRO
Sirish Vetcha, Consultant - GRC 10.0 18 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
SAP Reference IMG
Governance Risk & Compliance
Access Control
Maintain Connector Settings
Click “New Entries”
Target Connector is selected using help
Application Type is the connector type – SAP
Environment for which we are connected now in backend > DEV/ PRD/ TST
Tick PSS > Password Self Service & SAVE
Here we maintain Development
We have also a provision to maintain attributes for this version.
Find the application types GRC supports:
Step: 010 > Common Configuration: Maintain Configuration Settings
Information : In this step we will set the parameters for the access control components. This
parameter will define the behavior of the systems or respective module.
Eg. Default risk level when running a risk analysis, default rule set, user type etc. In EAM
we can maintain the maximum issuance days of FFID access to the user
Path :
SPRO
SAP Reference IMG
Sirish Vetcha, Consultant - GRC 10.0 19 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Governance Risk and Compliance
Access Control
Maintain Configuration Settings
Example of Maintained Parameters:
Parameter Group Parameter ID Parameter Value Priority Description
Risk Analysis 1023 02
Risk Analysis 1024 *
Risk Analysis 1025 GLOBAL
Risk Analysis 1026 A
Risk Analysis 1027 NO
Workflow 1061 NO
Workflow 1062 NO
Workflow 1113 WF-BATCH
Workflow 3022 21
Workflow 3023 5
Emergency Access Management 4000 1
Emergency Access Management 4001 30
Emergency Access Management 4002 YES
Emergency Access Management 4003 YES
Emergency Access Management 4004 YES
Emergency Access Management 4005 YES
Emergency Access Management 4006 YES
Emergency Access Management 4007 YES
Emergency Access Management 4008 YES
Emergency Access Management 4009 YES
Emergency Access Management 4010 SAP_GRC_SPM_FFID
UAR Review 2004 011
UAR Review 2005 007
UAR Review 2006 Manager
UAR Review 2007 YES
Risk Analysis - Access Request 1071 NO
Risk Analysis - Access Request 1072 NO
Role Management 3003 AC10.0
Role Management 3004 PRD
Role Management 3005 NO
Access Request Role Selection 2031 YES
Access Request Role Selection 2033 YES
Access Request Role Selection 2035 YES
Access Request Role Selection 2036 NO
Access Request Role Selection 2037 YES
Access Request Role Selection 2038 NO
Access Request Default Roles 2009 NO
Access Request Default Roles 2011 REQUEST
SOD Review 2016 010
SOD Review 2017 009
SOD Review 2018 MANAGER
SOD Review 2019 YES
SOD Review 2023 NO
Assignment Expiry 2041 10
Access Request Training Verification 2024 WS
Elaborate discussion on each Parameter group with open option in attachment:
AC - [Link]
Step: 011 > Common Configuration: Maintain Mapping for Actions and Connector Groups
Sirish Vetcha, Consultant - GRC 10.0 20 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Information : Here we define connector group status and assign below actions/ map connector groups for
below actions:
- Role Generation
- Role Risk Analysis
- Authorization Maintenance
- Provisioning
- HR Trigger
After mapping connector group for application type (SAP) we will select the same and
maintain default connectors to connector group. The default connectors are the choice
mentioned above.
Here we connect the Action/ work area to default connector at back end.
T-Codes :
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Controls
Execute Maintain Mapping for Actions and Connector Groups
Click New Entries
Update the group status as below:
Connector Group: Select the Connector Group using help
Activate: Tick activation
Application Type: Select 01-SAP & display as 1
SAVE
Find the created connector group with other list
Select the created connector group as seen in above screen shot &
Double click “Assign default connector to connector group” available in the left side pan.
Then Click New Entries
Provide the information as below:
Connector Group: Select above connector group with help
Action: Select one after another
0001: Role Generation
0002: Role Risk Analysis
0003: Authorization Maintenance
0004: Provisioning
0005: HR Trigger
Update Target Connector: It will come in the help the target we have given only
Click default
SAVE
Sirish Vetcha, Consultant - GRC 10.0 21 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 012 > Common Configuration: Maintain Access Control Owners & other Nominations:
Information : Client will be provided requirement list of owners, monitors, and controllers etc. to
maintain in the system. These are maintained at various levels in GRC.
The owners are to be assigned based on their position with specific predefined roles
given by SAP.
Created owners are to be maintained at Access Control Owners list as below:
Access Control Owners :
Information :
We have to maintain all the owners, controllers, monitors and Security here.
a. Fire Fighter ID Owner: Will be approving the FFID access to user
b. Fire Fighter ID Role Owner: Will be approving the FFID role changes
c. Risk Owner: Will be maintaining the particular risk impacts by t-codes combination
d. Role Owner: Will be owner to maintain the role & approves the changes to the role
e. Mitigation Monitors: Will monitor & controls the implementation of controls for risk
f. Mitigation Approvers: Will approve the implementation of control to mitigate risk for a risk ID
g. Fire Fighter ID Controllers: Monitors and controls a FFID & maintains particular FFID
h. Fire Fighter Role Controllers: Maintains FFID role & approves the changes to role
i. Point of Contact: Uses on escape conditions & escalations etc.
j. Security Lead: Head of security & GRC team uses on any major changes for approval
For details of role description etc. please use the attached file:
Roles list in SAP
Prerequisites: Create the users in GRC server and assign below roles to [Link]
PLATFORM OWNER TYPE ROLES TO BE ASSIGNED IN GRC
EAM FFID Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_SUPER_USER_MGMT_OWNER
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
EAM FFID Role Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_SUPER_USER_MGMT_OWNER
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_USER
Sirish Vetcha, Consultant - GRC 10.0 22 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
ARA Risk Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_CONTROL_APPROVER
SAP_GRAC_CONTROL_MONITOR
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_RISK_OWNER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
BRM Role Owner SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_ROLE_MGMT_ADMIN
SAP_GRAC_ROLE_MGMT_DESINER
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
SAP_GRAC_ROLE_MGMT_USER
SAP_GRAC_SUPER_USER_MGMT_OWNER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
ARA Mitigating Monitors SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_CONTROL_APPROVER
SAP_GRAC_CONTROL_MONITOR
SAP_GRAC_CONTROL_OWNER
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
ARA Mitigating Approvers SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_CONTROL_APPROVER
SAP_GRAC_CONTROL_MONITOR
SAP_GRAC_CONTROL_OWNER
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
EAM FFID Controllers SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
EAM FF Role Controllers SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
Sirish Vetcha, Consultant - GRC 10.0 23 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
GENERAL Point of Contact SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
GENERAL Security Lead SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_ACCESS_REQUEST_ADMIN
SAP_GRAC_ALERTS
SAP_GRAC_CONTROL_APPROVER
SAP_GRAC_CONTROL_OWNER
SAP_GRAC_DISPLAY_ALL
SAP_GRAC_REPORTS
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_RULE_SETUP
SAP_GRAC_SETUP
SAP_GRAC_SPM_FFID
SAP_GRAC_SUPER_USER_MGMT_ADMIN
SAP_GRAC_SUPER_USER_MGMT_CNTRL
SAP_GRAC_SUPER_USER_MGMT_OWNER
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRAC_FUNCTION_APPROVER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
Let us assign the users also who requires the special roles to be assigned at the same time as 1
activity:
EAM FFID User SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_END_USER
SAP_GRAC_SUPER_USER_MGMT_USER
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
SAP_GRAC_RISK_ANALYSIS
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
ARA Access Req. End SAP_GRAC_ACCESS_REQUESTER
User SAP_GRAC_BASE
SAP_GRAC_END_USER
SAP_GRAC_NWBC
SAP_GRAC_RISK_ANALYSIS
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
Path : NWBC SAP_GRAC_NWBC Set Up Access Owners Access Control Owners
Click “CREATE”
Give the User name at “Owner” field, whom we have decided to maintain.
Here we also can maintain for Group created in SAP & even LDAP
Select (through TICK) which type of owner we proposed to assign in the list.
Fill the comments with information as per best practice SAVE & CLOSE
Sirish Vetcha, Consultant - GRC 10.0 24 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
_____________________________________________________________________________________
Step: 013 > Common Configuration: Synchronization Jobs
Information : We cover different synchronization methods below:
I) Authorization SYNC:
We use synchronization jobs to synchronize authorization master data from the backend systems and store it in the
GRAC repository.
If this program is not executed, We cannot add any T-Code to the functions or we will not see any authorization
object details in functions.
This synchronization updates data of the following:
Resource Sync: Permissions, resources, and descriptions for authorization objects.
Action Sync: Descriptions for actions and permissions and resources for authorization objects.
Sirish Vetcha, Consultant - GRC 10.0 25 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Resource Class Sync: Permissions and resources for authorization object classes and their relationships
Resource extension: Organization level, activities level, and descriptions for resource extensions.
Default SU24
Values Sync: Default authorization object and field values for actions.
This activity synchronizes authorization master data from ERP backend system and stores it in GRC AC reposition.
Briefly: Authorization Object, Authorization Object fields, T-Codes to authorization relation plain master data like
which authorization object have which fields, which T-Code have which authorization object only this master data
will synchronize.
This program synchronizes authorization objects, authorization object clauses, authorization level values, auth level
transactions, & SU24 settings.
Authorization Sync can be done through 3 methods:
1) Through executing the Program as given below
Program: GRAC_PFCG_AUTHORIZATION_SYNC
This program is to be run through SA38 or SE38.
This program can be schedules on weekly basis or as per the client requirement
2) Through T-Code as given below
T-Codes: GRAC_AUTH_SYNC
3) Through Path as given in the path below
Path: Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Controls
Synchronization Jobs
Execute Authorization Sync
Fill the Connector: Using Help
II) Repository Object Synchronization:
Here it synchronizes data of Profiles, Roles & Users from backend and legacy systems and stores in GRAC
repository.
This activity allows us to select from the following synchronization options:
Profile Sync : This is required to sync for the SoD risk analysis of profiles
Role Sync : This is required for the SoD risk analysis of the roles
User Sync : This is required for the SoD risk analysis of the users
Prerequisites: Installed the GRCPIERP plug in component in the backend system
Repository Object Sync can be done through 3 methods:
1) Through executing the Program as given below
Program: GRAC_REPOSITORY_OBJECT_SYNC
This program is to be run through SA38 or SE38.
This program can be schedules on weekly basis or as per the client requirement
2) Through T-Code as given below
T-Codes: GRAC_REP_OBJ_ SYNC
3) Through Path as given in the path below
Path: Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Sirish Vetcha, Consultant - GRC 10.0 26 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Access Controls
Synchronization Jobs
Execute Repository Object Synchronization
Select synchronization Jobs as required: PROFILE, ROLE, USER
Find the Logic:
If we select Profile only profiles will synchronize
If we select Roles observe that Profiles also will get automatically selected: This is because the profiles can exist
without roles and when requirement of role synch is there it is for risk analysis and profiles would have already
generated for the role. Therefore when we select role profile will get automatically selected.
When we select User both role and profile will be selected automatically: This is because for access risk analysis
the user is selected when any role is assigned. Therefore role and profile will be selected when we select users.
Fill the Connector: Using Help or give *
Full Sync Mode: It is advised to make full synchronization module for the 1st time and later can do weekly.
Incremental Sync Mode: Incremental synch job is executed on hourly basis that is 24 times per day.
This prevents data inconsistency.
This scheduling can do through SM36
The jobs will breakup in 1000 each and synchronize.
III) Action Usage Synchronization:
Using this job we can synchronize the action or transaction usage data from back end system to GRAC repository.
Action usage data is the data related to the user executed transactions. This will synchronize all T-Codes executed
by users. This is useful for SoD risk analysis.
Action Usage Synchronization can done through 3 methods:
1) Through executing the program as given below:
Program: GRAC_ACTION_USAGE_SYNC
2) Through T-Code as given below:
T-Code: GRAC_ACT_USAGE_SYNC
3) Through path as given below:
Path: SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control
Synchronization jobs
Sirish Vetcha, Consultant - GRC 10.0 27 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Connection Usage Synchronization
Give the Connector as Blank or *
Give the Users as Blank or: A* Z*
IV) Synchronize Role Usage Sync:
We can sync the role usage data from back end server to GRAC repository. Role usage data is role related data
that contains transactions executed by users.
Role Usage Synchronization can done through 3 methods:
1) Through executing the program as given below:
Program: GRAC_ROLE_USAGE_SYNC
2) Through T-Code as given below:
T-Code: GRAC_ROLE_USAGE_SYNC
3) Through path as given below:
Path: SPRO
SAP Reference IMG
Governance Risk and Compliance
Access Control
Synchronization jobs
Role Usage Synchronization
Action usage and role usage synchronization is suggested to do once every day is fairly ok.
ACCESS RISK ANALYSIS:
Customizing of Current Rule Set
Creation of New Rule Set
Maintenance of all Rule Sets
Run Risk Analysis
Create & Maintain Mitigation ID
Assign & Maintain Risk Owner, Mitigation Monitor & Mitigation Approver
Reports
Step: 014 > ARA: SoD Rules > Create & Maintain Rule Set, Function ID & Risk ID
Information : This is the transporting rules between GRC System. Here we generate rules for all risks.
Eg: Add - VA01, VA02 in one function - 1 & VB01, VB02 in one function - 2
Risk 001 exists in combination of Function1 & 2.
System will generate rules in each risk with different combinations of t-codes from both
the functions.
Find: VA01 + VB01 = Risk1 > Rule1
VA01 + VB02 = Risk1 > Rule2
VA02 + VB01 = Risk1 > Rule3
VA02 + VB02 = Risk1 > Rule4
Set of all these rules is Rule Set. Global is the rule set given by GRC.
In project we have to copy the Global rule set and do the customization to it. Then
upload with another name. We can make the customizing as:
1) Adding or removing the t-code in the function
2) Creating or removing a risk between the combination of 2 functions
3) Based on this change the rules will generate under each risk.
First Create Rule ID:
T-Code :
Path : NWBC SAP_GRC_NWBC Rule Setup Access Rule Setup Rule Sets
Create
Sirish Vetcha, Consultant - GRC 10.0 28 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Give New Rule Set ID Name, Description & Save
Second Create Function ID:
T-Code :
Path : NWBC SAP_GRC_NWBC Rule Setup Access Rule Setup Functions
Create
Give name of the Function ID as per naming convention
Give Business Process, Analysis Scope to be given as Single System.
Provide description
Sirish Vetcha, Consultant - GRC 10.0 29 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Under Action > Click Add
Provide Batch System (Back end system)
Action: T-Codes to be provided under the function ID and Press Enter
Find t-code description updated automatically
Status to be ACTIVE
Press Add button to add New T-Code
To control from authorization object level use Permission Tab
Sirish Vetcha, Consultant - GRC 10.0 30 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
SAVE
In the same way > Create another Function ID with other t-codes
Third Create Risk ID:
T-Code :
Path : NWBC SAP_GRC_NWBC Rule Setup Access Rule Setup Access Risks
Create
Sirish Vetcha, Consultant - GRC 10.0 31 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Give: Risk ID, Risk Type, Business Process, Description, Risk Level, & Status.
Fill: Description of Risk and Suggested Control Objective
Risk Level: Exists 4 levels of risks: High, Medium, Low and Critical
Critical is the system level risk and others are Business Process risks
Add: Select Function IDs
Sirish Vetcha, Consultant - GRC 10.0 32 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Select Rule Set ID in the Rule Sets tab & SAVE
SAVE
Sirish Vetcha, Consultant - GRC 10.0 33 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Give also the risk owner & SAVE
_____________________________________________________________________________________
Step: 015 > ARA: SoD Rules > Downloading SoD Rules
Information : SoD rules will be down loaded in 9 files. We have to provide the Backend system name
and path to the 9 files with its name in available 9 fields and execute. The downloaded
file can be opened through word pad.
1) Business Process: Business process given by SAP GRC will be downloaded here with Code, Language &
Description
Find the attached actual file downloaded:
Find the example below:
BP Code Language Description
AM EN Account Maintaining
AP00 DE APO
AP00 EN APO
BS00 EN Basis
BS00 DE Basis
CA00 EN Cross Application
CA00 DE Zusammengesetzte Anwendung
CR00 DE CRM
CR00 EN CRM
EC00 EN Consolidating
EC00 DE Konsolidierung
FI00 DE Finanzwesen
FI00 EN Finance
HR00 DE HR and Personalabrechnung
HR00 EN HR and Payroll
Sirish Vetcha, Consultant - GRC 10.0 34 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
MM00 EN Materials Management
MM00 DE Materialwirtschaft
PM00 EN Plant Maintenance
PM00 DE Instandhaltung
PR00 DE Beschaffungsprozess
PR00 EN Procure to Pay
SD00 DE Auftragsabwicklung
SD00 EN Order to Cash
SR00 EN EBP and SRM
SR00 DE EBP and SRM
2) Function: Function IDs with its description and its SoD status as “S” will be downloaded here in English and
German.
Attached the downloaded file:
3) Function Business Process: This file gives us the information of existing function ID with its Business Process
ID.
Attached the downloaded file:
4) Function Actions: List of T- Codes in each function will be presented in this file.
5) Function Permissions: List of auth. objects in each function will be presented in this file.
6) Rule Set: Rule Set name is down loaded here in both the languages English & German,
Attached here the file downloaded:
7) Risk: Report of Risk ID with combination of Function ID1 & Function ID2 and its
Business Process is generated.
Attached here the file downloaded:
8) Risk Description: Risk ID with its risk description in 2 languages English, & German are
downloaded.
Attached here the file downloaded.
9) Risk Rule Set Relationship: Risk ID with rule set name is downloaded. This shows that
which risk ID belongs to which rule set.
Attached here the file downloaded.
T-Code :
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
SoD Rules
Download SoD Rules
Give the backend server i.e. created connector in 1st step
Give the path of destination with file name against each report gets downloaded.
Execute
Find 9 files downloaded in the destination as given by us above.
The files are down loaded which can be opened through WordPad and observe that the report don’t maintain any
headings. To have detailed explanation on each report refer above information provided by us and also can refer
sample files attached at each level.
Sirish Vetcha, Consultant - GRC 10.0 35 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 016 > ARA: SoD Rules > Uploading SoD Rules
Information : After downloading the existing SoD rules from GRC system we can make required
changes in the downloaded 9 files and here we will upload again by providing the path
to the file. We can overwrite the existing SoD rules in GRC or also can add this to the
existing rules.
As per the best business practice we suggest always to Add/ Append instead of
overwrite.
T-Code :
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
SoD Rules
Upload SoD Rules
In the same way we followed in download SoD rules,
We give the backend server i.e. created connector in 1st step.
Give the source of each file prepared to upload in all 9 fields. Upload the changed document as required
“Append” Append is adding these uploaded rules to the existing rules in SAP GRC suit.
“Overwrite” Overwrite is erasing existing rules in the SAP GRC suit and existence of these uploaded rules.
Execute
Sirish Vetcha, Consultant - GRC 10.0 36 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
_____________________________________________________________________________________
Step: 017 > ARA: SoD Rules > Generate SoD Rules
Information : The risk ID we have created in the step 13 are to be generated now.
This will generate rules in the risk we have created.
Please refer the explanation of rule set to find more information
T-Code :
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
SoD Rules
Generate SoD Rules
Provide the Risk ID for which we require to generate rules.
Also can give the range of Risk IDs by using the fields From & To
Execute
Sirish Vetcha, Consultant - GRC 10.0 37 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the message generated at bottom of the screen as below:
Also can generate the rules through NWBC:
Path : NWBC SAP_GRC_NWBC Rule Setup Access Rule Maintenance Access Risks
Select the created Risk ID & Click Generate Rules & Select Foreground
Find the Risk exist against the combination of Functions & Confirm
Sirish Vetcha, Consultant - GRC 10.0 38 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find 2 hyperlinks to see the rules generated:
Can Click “View Action Rules”
Inside the “View Action Rules” find the details in below screen:
Find 1 Risk ID having 2 Rule Ids with 2 Function Ids with its T-Codes in it
Eg: We have a Function ID 1 with 1 T-Code: PFCF & Function ID 2 with 2 T-Codes: SCC1 & SU01
Risk ID created with the combination of these 2 function IDs
Find the rules generated with the t-codes combination between 2 function IDs 1 X 2 = 2 rules
Rule ID 0001 = Fn ID 1 & 2 = PFCG Vs SCC1
Rule ID 0001 = Fn ID 1 & 2 = PFCG Vs SU01
If we go to the “View Permission Rules” find the extra columns Resource & its extension – Auth. Obj.
Sirish Vetcha, Consultant - GRC 10.0 39 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
_____________________________________________________________________________________
Step: 018 > ARA: Run User Risk Analysis
Information : Here we find how to generate risk analysis for User at basic level.
We will provide the inputs at the screen of NWBC path mentioned below and find the
different options of report and format we get below.
T-Code :
Path : NWBC SAP_GRC_NWBC Access Management Access Risk Analysis User
Level
Provide the input to the screen:
System : Give created connector in 1st Step
User : Give the User name using search
+ : Use ‘+’ after User to run for one more user
User Group : Give the group if want to run for user group (Here don’t select & ‘-‘)
+ : Use ‘+’ after User Group to run for one more User Group
Risk Level : Select the sensitivity of the risk we want to run – Select All
Rule Set : Select the rule set from drop down
+ : Use ‘+’ after Rule Set to give one more rule set
User Type : Give Dialog or any other user type as required from drop down
Report Options : At initial stage select ‘Action Level’ & ‘Permission Level’
Run : Select ‘Run in Foreground’
We can make it as a variant & can select this when we want to run at same values
Report gets generated & you can find the option we can use at basic level report:
Expand top header ‘Analysis Criteria’ and find the selected options above
We can change the report from Action (t-code) level to Permission (Auth. Obj.) level
We can change the report format as Summary, Detail, Management Summary, & Executive Summary
Sirish Vetcha, Consultant - GRC 10.0 40 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Option 1) Action Level Report & Summary Format:
Option 2) Action Level Report & Detail Format: Function ID & Role/ Profile is provided
Option 2) Permission Level Report & Detail Format: Auth Obj its extension & values also provided here
Sirish Vetcha, Consultant - GRC 10.0 41 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Option 3) Management Summary is very simple report at top level with hyperlink to details level:
Option 3) Executive Summary is very simple report at top level with hyperlink to details level:
This is generally used by executives who work on maintaining to find the risks ID with list of conflicts:
_____________________________________________________________________________________
Step: 019 > ARA: Batch Risk Analysis
Information : Batch risk analysis is the risk analysis which will run in more number of Users, Roles,
and Profiles & HR Objects. This can be schedules as a background process. Generally
this is used for Reports and Analysis. This is executed on daily basis which will be part of MIS
on SoD. This will be running in nonpeak hours.
T-Code :
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
Batch Risk Analysis
Execute Batch Risk Analysis
Sirish Vetcha, Consultant - GRC 10.0 42 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Give the Job Name
Give Server Name
If the analysis is running at daily basis > Run at Incremental mode
If the analysis is running at initial stage > run at Full mode
Give the Rule set to take as source for finding the risks
Under Object Section:
Can give * at User, Role, Profile, & HR Object fields
Tick> Action Level
Tick> Permission/ Critical Action/ Critical Permission Level
Tick> Critical Role/ Profile Level
Execute
Can go to SM37 and check the recent jobs performed.
Sirish Vetcha, Consultant - GRC 10.0 43 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
The other way to find the status of recent background jobs and its report is explained below:
To find out the status of the report as well as to open the background report:
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Access Risk Analysis
Batch Risk Analysis
Monitor Batch Risk Analysis
Provide the Job Name:
Execute
Find the job name displayed with its status:
If it says In Process > Wait till it gets complete
Use the same path & process till here & find the status as Successfully Completed
Double click the line item with Job Name
Sirish Vetcha, Consultant - GRC 10.0 44 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the Package Data displayed
Double Click the displayed line item
Find the below report generated
List of users have risk with System. User name is under the column ‘SOD Object’:
Sirish Vetcha, Consultant - GRC 10.0 45 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 020 > ARA: Mitigation Configuration
Information : Access is not suggested to approve when risk exists to user based on the roles he have.
In this condition manager or role owner who ever approves the access to user should
take below actions:
Remediate: Removing the role creating conflict
Mitigation: Risk exists can be justified & can be mitigated through a
compensating control.
Therefore GRC have given the provision to systematize the mitigating controls with ID,
its owner and controller. This will be in execution under Process Control platform.
After finding the risks in ARA for a user or role or a profile the manager can assign
mitigating control at the same screen by just clicking button ‘MITIGATE’
For this we have to configure the mitigating controls which will be discussed now.
Prerequisites of Mitigating Control Configuration:
1. Create Mitigating Owner through SU01 and assign required roles
2. Create Mitigating Monitor through SU01 and assign required roles
3. Assign the above 2 in Access Control Owners under Access Owners in Setup Tab of NWBC
Sirish Vetcha, Consultant - GRC 10.0 46 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
4. Create Organization Structure Hierarchy
5. Define Mitigating Control ID
6. Activate workflow
First 3 steps were done in Step 11 where we have created all owners, assigned required roles, and
maintained in Access Control owners at NWBC
4: Create Organizational Hierarchy:
Create Root Organizational Hierarchy:
Information : After creating the approvers and other access control owners and assigning roles. We
have seen them declaring as Access Control Owners above.
Now we have to define these owners in Organizational Hierarchy of Risk. A compliance
structure is created where it is defined how to manage risk. Mitigating Control Monitor
and Approver are to be assigned in Organizational Hierarchy as it will be integrating to
Process Control platform in executing the mitigating control in business process.
Let us configure the Mitigating Monitor and Mitigating Approver after assigning them as
access control owners under access owners in Setup tab of NWBC.
To find the organizational Hierarchy HR t-codes PPOSE & PPOME also can be used.
T-Codes :
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Shared Master Data Settings
Create Root Organizational Hierarchy
Against Organizational view: we get 2 options
002 – Standard Hierarchy and 003 – Risk Hierarchy
For the purpose to maintain mitigating configuration we select
003 – Risk Hierarchy
Against Root Organization Unit & Child Organization Unit
Give the names as per the naming convention
Ensure you validate the From Date as required.
EXECUTE
Find the below message at the bottom of the screen:
Add Mitigating Control Monitor & Approver to the Organizational Hierarchy:
Sirish Vetcha, Consultant - GRC 10.0 47 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Create Organizational Hierarchy > Risk Hierarchy
Path : NWBC SAP_GRAC_NWBC Setup Organizations Organizations
Select ‘Risk Hierarchy’ against View
Maximize the required Root Org where we have to maintain
Select the Child Org opened after Maximizing.
Click Open
Go to the Owners Tab
Add Owner & SAVE
Sirish Vetcha, Consultant - GRC 10.0 48 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Create Mitigating Control ID
Path : NWBC SAP_GRAC_NWBC Setup Mitigating Controls Mitigating Controls
Click: ‘Show Quick Criteria Maintenance’ & find the fields in it
Click: ‘Create’
Fill the Mitigating Control ID, Name, Description, Process, Notes &
Click Organization:
Sirish Vetcha, Consultant - GRC 10.0 49 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
After completing the General Tab. Go to Access Risks Tab:
Click ‘Add Row’
1st Provide the Risk ID for which we created this mitigating ID through help & Click ‘Start Search’
Sirish Vetcha, Consultant - GRC 10.0 50 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
The Rule ID with description is updated & Go to Owners tab:
Go to the owners tab>
Click Add Row: At Name use help & select the Approver & Select Approver at Assignment Type
Click Add Row: At Name use help & select the Monitor & Select Monitor at Assignment Type
_____________________________________________________________________________________
EMERGENCY ACCESS MANAGEMENT:
In GRC 10.0v Centralized Emergency Access is introduced which we don’t have in GRC 5.3v.
This feature centralizes firefighting and administration across all systems. New workflow provides an auditable
process for tracking log report approval.
This reduces the efforts required to grant and provision emergency access to multiple systems.
Provides a structured, documented process around emergency access
Access Control centralizes firefighter access and administration, enhances provisioning and introduces automation
to the log review process.
Sirish Vetcha, Consultant - GRC 10.0 51 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular security,
transport and archiving.
In GRC 10, from support pack 10 onwards SAP also provided decentralized fire fighting
1545511 is the note number SAP have given to prevent firefighter IDs direct login to backend systems. This makes
extra check while logging.
If we don’t maintain all integration scenarios for the connector, then system will through a dump when we try to
login with firefighter ID, using GRAC_SPM or GRAC_EAM transaction.
Fix it at Maintain Connection Settings in common component settings.
In 5.3, firefighter is separately created for each ERP and the navigation controller is also created in sequence for
each firefighter. In GRC 10 we have a solution of centralized emergency access. Here all the ERPs are connected to
GRC system and in it all the participants are created where a single GRC system is sufficient for all the backend
ERPs.
Participants in EAM are:
Fire Fighter: User requesting emergency access, who executes transactions through FFID
access
Fire Fighter ID: User ID with elevated privileges. It can be only be accessed in GRC server
using transaction GRAC_SPM
Fire Fighting: Act of using a firefighter ID. The execution activity taken place through
firefighter ID
Owner: User responsible for firefighting ID and the assignment of controlling and
firefighting.
Controller: Reviews and approves. If necessary the log files generated by a firefighter.
Reason Code:
Reporting:
2 types of firefighting applications exist in GRC 10:
Sirish Vetcha, Consultant - GRC 10.0 52 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
ID Based fire fighter: The fire fighter ID created in the remote system will be assigned to the user in the GRC
system either manually or via an access request. The fire fighter accesses their assigned FFID in the GRC server
using the SAP GUI and transaction GRAC_SPM. The fire fighter ID for all remote systems assigned to the fire
fighter will be accessed from this transaction.
Role based Fire fighter: The fire fighter role created in the remote system will be assigned to the user in the GRC
server. The fire fighter directly logs in to the remote system using their user ID and performs the activities which
are provided in the user’s role and fire fighter role assigned to the user.
We have to configure the type of EAM in AC parameters at IMG - Maintain configuration settings under AC. The
Parameter group is EAM & Parameters ID is 4000. The value is to be selected either ID or Role.
Only one application type can be configured at a given time.
It is recommended to use ID based fire fighter application and so far it was found no clients used role based
firefighter.
Architecture:
The main application runs in the GRC server. It is possible to maintain the user assignments for all systems using
NWBC or the portal.
Provisioning of emergency access also can be done via access requests (workflow)
The web interface facilitates the following:
Firefighter ID/ FF Role Owner Maintenance
Firefighter ID/ FF Role Controller Maintenance
Reason Code maintenance (System Specific)
Firefighter ID/ FF Role assignment to Firefighter, Owner, Controller
Firefighter access is done centrally using the GRC server. Firefighters will log on to the GUI backend and execute
transaction GRAC_SPM. Firefighter IDs for emergency access for all systems assigned to the user will display.
Step: 021 > EAM: Prerequisite: Maintain Connection Settings
Sirish Vetcha, Consultant - GRC 10.0 53 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Information : Refer Step 8 of Common Configuration. Select integration scenario SUPMG and then select
target connector in which the integration scenario SUPMG needs to activate.
At scenario connector link after selecting the target connector press enter and find the connection type &
description updating automatically as they are assigned to target connector at step 7 Maintain connector to
Connection type.
Step: 022 > EAM: Prerequisite: Maintain Configuration Settings
Information : Refer Step 10 of Common Configuration. Setting Parameters - Select Parameter group 6-
“Emergency Access Management” which contains 14 Parameter IDs with different values in ID.
ID: 4000 – As discussed in introduction above select the EAM type. Recommended ID type
ID: 4001 – FFID validation of each assignment to user default days mention here & not max
ID: 4002 – On assigning the FFID an E-Mail will be issued immediately if selected YES here
ID: 4003 – Able to retrieve change log made to FFID if selected YES here
ID: 4004 – Able to retrieve system log made by firefighter if selected YES here
ID: 4005 – Able to retrieve Audit log if selected YES here
ID: 4006 – Able to retrieve OS Command log if selected YES here
ID: 4007 – If log report executed immediately notification will be sent if YES here
ID: 4008 – When Firefighter logs in a notification will be sent immediately if YES here
ID: 4009 – Log report execution notification will sent if YES here
ID: 4010 – The role mentioned here is mandatory role to be assigned to FFID in backend
SAP given the predefined role SAP_GRAC_SPM_FFID
ID: 4012 – Audit log will be forwarded in workflow either to any user or only controller
ID: 4013 – If required FFID owner can request access for his owned FFID as firefighter
ID: 4014 – If required FFID controller can request for his controlled FFID as firefighter
Step: 023 > EAM: Prerequisite: Create Users and Roles & Maintain in Access Control Owners
Information : Refer Step 12 of Common Configuration of creating & maintaining the below:
Create end user to act as firefighter who gets mapped to FFID
Create FFID in back end system as a service user
Create FFID owner in the GRC system
Create FFID controller in the GRC system
Refer Step 12 to assign required roles to above.
FFID Owner & Controller created above are to be maintained in Access Control Owners list
FFID in the backend should be assigned with below roles:
Mandatory Role: SAP_GRAC_SPM_FFID the same is to be mentioned in parameter ID 4010
Functional Role: we also need to assign extra authority or wide roles for the FFID in the back end system. SAP_ALL
profile is not required to assign. As the FFID is created business processes wise, for each business processes we
Sirish Vetcha, Consultant - GRC 10.0 54 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
can create a single business role which can be assigned to FFID. This business role works like composite role
carrying all the roles in it.
Create FFID Owner 01>
Create FFID Controller 01>
Sirish Vetcha, Consultant - GRC 10.0 55 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Create FFID in Backend server>
Sirish Vetcha, Consultant - GRC 10.0 56 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Create End User for Firefighter >
Maintaining above as Access Control Owners:
Synchronize first to get the created above FFID participants in NWBC – Repository Sync.
Information : FFID Owner & Controller are maintained in Access Control Owners under Access Owners. The
same is explained in Step No 12 in Common Configuration.
Path : NWBC SAP_GRAC_NWBC Setup Access Owners Access Control Owners
Click Create, Give FFID owner name & tick FFID Owner repeat for controller
Sirish Vetcha, Consultant - GRC 10.0 57 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 024 > EAM: Prerequisite: Assign Owner to FFID
Information :
Path: NWBC SAP_GRAC_NWBC Setup Super User Assignment Owners
Sirish Vetcha, Consultant - GRC 10.0 58 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Click ‘Assign’
A New screen gets opened and Go to help at ‘Owner ID’, Select owner & Click OK
Below screen gets generated & click ‘Add’
Provide FFID by selecting from help option, Select through Arrow & Click OK
Sirish Vetcha, Consultant - GRC 10.0 59 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Provide comments & it resembles as below- Click ‘SAVE’, Now owner assigned for FFID
Step: 025 > EAM: Prerequisite: Assign FFID to Controller and firefighters
Information : The Firefighter ID is assigned to a firefighter who can perform the activities in the back end
system. Multiple fire fighters can be assigned to a single firefighter ID. But, one firefighter only can login at a time.
Controllers are also assigned to the FFID for tracking and auditing the firefighter.
Path: NWBC SAP_GRAC_NWBC Setup Super User Assignment Firefighter IDs
Click Assign button > Firefighter ID assignment window gets opens
Use help at Firefighter ID field and find new window gets pens with list of available FFIDs
Select the required FFID from latest window and Click OK
Find the field fills with FFID & system also gets filled automatically
Sirish Vetcha, Consultant - GRC 10.0 60 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Then Go to Firefighter tab & Click Add
Use help under Firefighter User ID
Select the end user from the list eligible to be the firefighter as per the roles assigned to those users
Then Click OK
Find the screen fills like below and provide comments.
Observe the default valid days came from current date to 30 days which we provided in parameters group EAM &
ID 4001 as 30 days to take as default which is not max. Here we can increase if required.
Now maintain controller through Controller Tab:
Click ADD
Use help and update Controller ID
Select the concern controller & Click OK
Controller name updates automatically
At Notification we find the option of either E-Mail or Workflow or Log Display > Select one
This we maintained at parameters group EAM at ID 4008 to send notification
Provide comments
SAVE
Sirish Vetcha, Consultant - GRC 10.0 61 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Final Screen resembles as below:
Step: 026 > EAM: Prerequisite: Create a Reason Code
Information :
Path: NWBC SAP_GRAC_NWBC Setup Super User Maintenance Reason Codes
Click CREATE > New window get open >
Give the Reason code as per the naming convention
Status to be ACTIVE
Under System Click ADD
Select system using help
Find other fields in the table with description gets updated automatically
Give description & SAVE
Step: 027 > EAM: Firefighter log Synchronization
Information :
Sirish Vetcha, Consultant - GRC 10.0 62 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
We need to schedule the firefighter log synchronization job as per the client requirement.
Recommended to run every 15 minutes
The same can be run through a T-Code: GRAC_SPM_LOG_SYNC
To the run through program: GRAC_SPM_LOG_SYNC_UPDATE
More details about synchronization can find at Step 13 of Common Configuration
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Synchronization
Firefighter Log Synch
Provide Connector as *
Execute
Step: 028 > EAM: Working of FFID execution by firefighter
Information : Login through Firefighter ID
Execute the T-Code GRAC_SPM
Sirish Vetcha, Consultant - GRC 10.0 63 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the Used ID & system etc.
Click ‘Logon’, New window gets opened, Give the reason code: From drop down,
Give the Description of requirement of FFID
Enter the list of actions that proposed to Perform & Click TICK
Observe the Screen displays with Start SAP Easy Access:
_____________________________________________________________________________________
Step: 029 > EAM: FFID Reports Execution
Information : Reports available with regards to Emergency Access Management are discussed below:
Consolidated Log Report: This report provides the information of different logs:
Transaction Log: Captures transaction execution from transaction STAD.
STAD is a transaction code which allows checking the activities of users. It calculates the resource usage of
individual transactions for ABAP systems and provides a detailed analysis of a transaction and the dialog
steps. The selection criteria include user, transaction, program, task type, start date, and start time.
Sirish Vetcha, Consultant - GRC 10.0 64 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
The statistical record contains detailed information about:
Proportions of response time, Database accesses, memory usage, RFC calls
Path : NWBC SAP_GRAC _NWBC Reports & Analytics Emergency Access Management Reports
SoD Conflict Report for FFIDs Results:
_____________________________________________________________________________________
ACCESS REQUEST MANAGEMENT:
Here we learn the configuration of Access request management where business user raises the request to provide
access of to create user. Through workflow manager will approve and while approving the manager can run the risk
analysis where it got synchronized. Later role owner & security will approve then role or user auto provisioning is
done.
MSMP workflow is also discussed in this chapter with SAP predefined process IDs. Please refer step number 35 for
details.
Information: Access Control Compliant User Provisioning functionalities:
Initiator: Will be at Stage 1
Standard Path: Stage 2 to Stage N
Provisioning: Optional
Sirish Vetcha, Consultant - GRC 10.0 65 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
At detour path the standard Path starts from Stage 1 & Provisioning is again Optional
Stage: Stage appearance a step or one action item in process flow
Path: Path defines the sequence of stages which needs to be executed
Initiative: Initiative selects the path based on the condition defined in it.
Detour Path: This path will be executed based upon a condition in a stage in the standard path. Detour path will
not have initiator
Differences in terminology between the versions 5.1/ 2/ 3 and 10.0 of SAP BO
Initiator Initiator Rule
CAD (Custom Approver Determinator) Agent Rule
Detour Routing Rule
Path Path
1 process ID can have multiple request types:
Access requestor: Create request, Change Request etc
Function Approval: Update function, Delete function etc
One initiator rule is able to trigger multiple paths based on the rule result value
At step 35 we discussed different process IDs available for multiple workflows with different request types.
For each request type we can select process ID with different paths and as per the initiator request the path is
decided.
SAP provides default process ID. But, when 2 different stages pattern requires for 2 different paths ew can
customized accordingly. We can select any provided process ID or can copy the existing process ID and can
customize. But, we cannot create a new process ID.
Step: 030 > ARM: Prerequisite: Create Users:
Create below users in GRC server who will be the part of approval group.
Manager to approve at 1st stage for New & Change user. Only stage for Lock & Unlock user
Role owner to approve at 2nd stage for New & Change user. Maintain in Access owners & Role owners
Security to approve at 3rd stage for New & Change user. Maintain in Access owners
The above users are to be assigned with below standard roles. (Use all roles if you copy the users)
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_BASE
SAP_GRAC_NWBC
SAP_GRAC_RISK_ANALYSIS
SAP_GRAC_ROLE_MGMT_DESINGER
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
SAP_GRC_FN_ALL
SAP_GRC_FN_BASE
Example of Users to create:
BS_GRACMGR01
BS_GRRLOWN01> Assign in Access owners
As Role Owner in Access Control Owners &
Role Owners as Role Approver & Role content owner
BS_GRACSEC01 > Assign in Access owners as Security
Sirish Vetcha, Consultant - GRC 10.0 66 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 031 > ARM: Prerequisite: Maintain Connection Settings
Information : Refer Step 8 of Common Configuration. Select integration scenario PROV and then select target
connector in which the integration scenario PROV needs to activate.
At scenario connector link after selecting the target connector press enter and find the connection type &
description updating automatically as they are assigned to target connector at step 7 Maintain connector to
Connection type.
Sirish Vetcha, Consultant - GRC 10.0 67 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 032 > ARM: Prerequisite: Maintain Configuration Settings
Information : Refer Step 10 of Common Configuration. Setting Parameters - Select Parameter groups:
PG5-Workflow: Contains 20 Parameter IDs with different values in each ID.
PG9-Risk Analysis Access Request which contains 3 Parameter IDs with values in each ID
Step: 033 > ARM: Prerequisite: Configure Number Ranges & Activate
Create Number Ranges:
Information : To provide request numbers to access request, mitigating request etc. we need to maintain
number range. This number range will be used by workflow to provide a request number when we submit a
request.
T-Code: SNRO
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Maintain Number Range intervals for Provisioning Requests
Select object using help: For workflow GRACREQNO
Click Number Range button & Click change intervals.
Click Interval & fill the details in new window & click enter
Then SAVE
Sirish Vetcha, Consultant - GRC 10.0 68 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Activate Number Range:
Information :
T-Code:
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Define Number Ranges for Provisioning Requests
Click New Entries
Give the ID of Number range created & SAVE
Press ‘Activate’ Radio button & SAVE
Sirish Vetcha, Consultant - GRC 10.0 69 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 034 > ARM: Prerequisite: Maintain Provision Settings
Information : Here we are configuring the values to be considered in the access request management while
provisioning.
An auto provisioning is done based on the values we provide here.
Example: Whether the user can raise request for access to a new role and when this new role is assigned
automatically by the system, Access to SAP by creating the user etc.
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Maintain Provisioning Settings
Select Maintain Global Provisioning at Dialog Structure
Select
Role Provisioning Type: Direct
Direct – If we are not using HR structured authorizations
Indirect – If we are not using HR structured authorizations
Under Indirect
Job
Position
Organization Type
Combined – If we are using direct and indirect role assignments
Auto Provisioning: Auto Provisioning at the End of the Request is recommended
Create User if does not exist: Tick both Change User Action & Assign Role Action
Account Validation Check: Maintain Warning and not error
Role Assignment: TICK Provisioning effective immediately
Old Role Delimit Duration: This will be used in HR structural organizations where a person changes position within
the organization to be deactivated in how many YEARS | MONTHS | DAYS
Password expiry in days or accesses or none and maintain values in next field
Deactivate password checkbox if we are using Single Sign On – Activate
Email Status – Send Password If YES maintain the period in seconds to password visible.
Sirish Vetcha, Consultant - GRC 10.0 70 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 035 > ARM: Maintenance of Define Request types – MSMP Process IDs
Information : We have to configure the workflow and predefined workflows are provided by SAP GRC from
which we can use the suitable one.
Before going ahead with configuring the Multi Source Multi Path-MSMP workflow, we have to ensure that all the
workflow related BC sets are activated.
Workflow related BC sets are 3 in numbers and have the naming as GRC_MSMP_XXXX
Please refer Step 6 Activating BC Sets in common configuration.
With regards to Access Request SAP GRC provides us a workflow process ID SAP_GRAC_ACCESS_REQUEST for
different activities from which we activate required activities.
Total process IDs provided by SAP GRC are:
SN MSMP Process ID Description
1 SAP_GRAC_ACCESS_REQUEST Access request Approval Workflow
2 SAP_GRAC_ACCESS_REQUEST_HR Access request Approval for HR OM Objects Workflow
3 SAP_GRAC_CONTROL_ASGN Control Assignment Approval Workflow
4 SAP_GRAC_CONTROL_MAINT Mitigation Control Maintenance Workflow
5 SAP_GRAC_FIREFIGHT_LOG_REPORT Fire Fighter Log Report Review Workflow
6 SAP_GRAC_FUNC_APPR Function Approval Workflow
7 SAP_GRAC_RISK_APPR Risk Approval Workflow
8 SAP_GRAC_ROLE_APPR Role Approval Workflow
9 SAP_GRAC_SOD_RISK_REVIEW SOD Risk Review Workflow
10 SAP_GRAC_USER_ACCESS_REVIEW User Access Review Workflow
Standard Actions provided under each process ID are given below:
1. Create User
2. Change Users
3. Delete User
4. Lock User
5. Unlock User
6. Assign Object
7. Super User Access
8. Create & Lock User
9. Change & Lock User
10. Change & Unlock User
11. User Defaults
12. Retain
13. Remove
Sirish Vetcha, Consultant - GRC 10.0 71 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
We can select required process ID and the actions we want to activate under each process ID here.
There are 10 Process IDs with 13 actions in MSMP processes given by SAP GRC.
We also can customize the workflow but not required. We can create more paths in each process ID using BRF+
which will be discussed in the last session.
List out the actions required to activate under each ID.
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
User Provisioning
Define Request Type
Step: 036 > ARM: Maintain MSMP Workflow
Information :
Path : SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
EXECUTE Maintain MSMP Workflow
A window will open to configure MSMP workflow:
We have to maintain configuration in all 7
Process Global Settings:
Select required Process ID ‘SAP_GRAC_ACCESS_REQUEST’ & Click ‘Display/ Change’
Sirish Vetcha, Consultant - GRC 10.0 72 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Maintain Process Global Settings:
Information: Escalation is ……………..
Enable Escalation as per business requirement and client agreement
Provide the escalation date:
Notification Settings:
Information: We can send the notifications or emails on the development of the events and the settings are
available to maintain when a notification is to send, what template is to send as notification and whom to send.
Click ‘Add’
Select the Notification using help from the options:
End of Request: Notification is submitted after the approval & request process is completed. Select this
Request Submission: Notification is submitted at the time of request raised
Choose template ID using help: Default one is suggested i.e. GRAC_AR_APPROVED
Choose recipients ID using help: Default one is suggested i.e. GRAC_CURRENT_APPROVERS
Escape Conditions:
Information: In case of auto provision did not happened due to unavailability of Approver or an issue at back end.
The information with the status of request is to be passed.
For this purpose we have to maintain the users to escalate.
Select with ‘Tick’ Mark at ‘Set Escape Routing’ for both ‘Approver not found’ & ‘Auto Provisioning failure’
Provide path at ‘Escape Path’ for whom the escalation is to be happened.
Select: GRAC_DEFAULT_PATH
Click ‘NEXT’
Sirish Vetcha, Consultant - GRC 10.0 73 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Maintain Rules: Maintain rules includes a list of all available rules to be used when configuring a workflow. If a
new rule is created (through Step: 51 Generate MSMP Rules for Processes) then it must be added. Here we also
configure default initiator. Default is suggested GRAC_AR_INITIATOR
Rule Kinds:
1. Initiator Rule: Determines the path upon submission of the request.
2. Agents Rule: Determines the recipient or approvers of a stage
3. Routing Rule: Determines a detour routing based upon an attribute of the request. Eg SoD violation exists,
Training verification, No role owner etc.)
4. Notification Valuable Rule: Determines the variable values at run time used in the notification e-mails.
Rule Types:
1. BRF+ Rule: This rule is defined in the BRF+ application to fetch rule results depending on conditions inside
the rule.
2. Function module based Rule: Function module coded to output rule results
3. ABAP Class based Rule: ABAP class is coded to output rule results.
4. BRF+ Flat Rule Line item by line item: BRF+ rule which is defined for only one line item and the rule will
be called once for each line item in the request. Also referred to as BRF+ easy. Eg. Some default roles not
required for approval. There this rule can be used.
Suggested not to make any changes
If we create a rule ID through Generate MSMP rules for process that can be added here
We will cover BRF+ in the next session and therefore let us go ahead with default rule ID. Just Click ‘NEXT’
Suggested just only to observe the Green Circles & Maintain the Red Circle in below screenshot:
Sirish Vetcha, Consultant - GRC 10.0 74 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Maintain Agents:
There are default Agent IDs available which will not be permitted to modify.
Therefore let us create our own Agent ID with the agents maintaining in it. The agents who are the participants in
the workflow as Approver or Acknowledger are already created by us in the 30th step of ARM.
Let us create the agents as below:
Fill the Agent ID starting with Z
Then appears Approver Group ID: select Help to create as well as Maintain
Click ADD to create a new Approver Group ID & to maintain Users list in it:
Sirish Vetcha, Consultant - GRC 10.0 75 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
New window gets opened to create a new Approver Group ID & to maintain Users list in it & SAVE
Now after maintaining the users in the Approver ID, select it and don’t select ADD again it takes to create new
Approver ID:
SAVE it now
In the same way create new approver ID for role owner as ZGRAC_ROLE OWNER & ZSECURITY. Maintain users
created in step 30
Variables & Templates:
All templates for e-mail notifications are maintained. The templates are created using transaction code SE161.
Notifications can be sent at different events such as:
Approval , Request Submission, Rejection, Request Closure, Escalation, Reminder etc
Consider the default Template & Click ‘NEXT’
Sirish Vetcha, Consultant - GRC 10.0 76 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Maintain Paths:
The path is selected & the stages in the paths are maintained here.
Creation of path is done at BRF+. The stages can be maintained under the each path.
In each stage we maintain the agent ID for whom the approval request is to be forwarded.
To change the stages Select Path ID, go to stage & Click ‘Modify Task Settings’ under ‘Maintain Stages’
Find the Stage settings get opened & try to explore all the options & understand the functionality:
1st Find the Stage of Configuration:
Agent ID: Agent ID can be modified and select the agent ID created to maintain in this stage.
For GRAC_MANAGER stage maintain the agent ID: ZGRAC_MANAGER
For GRAC_ROLEOWNER stage maintain the agent ID: ZGRAC_ROLEMANAGER
For SECURITY stage maintain the agent ID: ZSECURITY
Sirish Vetcha, Consultant - GRC 10.0 77 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Sirish Vetcha, Consultant - GRC 10.0 78 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Sirish Vetcha, Consultant - GRC 10.0 79 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Approval Type:
Any One approver is OK or all the should Approve > Suggest to Select ‘Any One Approver’
We have the agents in group to avoid delay in approving process in case of vacation etc.
Escalation Type:
In case of escalation it is to be done to a specified agent as maintained or Skip to the next stage or No Escalation is
to be done.
Suggest No Escalation as we have not maintained Escalation in Process Global Settings at 1st screen.
Sirish Vetcha, Consultant - GRC 10.0 80 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Confirm Rejection: If rejected confirm to the User – Suggested to Select
Approve Despite Risk: Approve even Risk exists – Suggest not to Select
Request Rejected: Option to reject the request – Suggest to Select
Confirm Approval: After approved confirm to the user – Suggest to Select
Forward Allowed: Forward is possible if required before approval – Suggest to Select
Risk Analysis Mandatory: While approving a role to the user or the creating a user with roles. Risk analysis are
required to run & therefore we say YES
But, the Process ID contains more activities in it & in such a case if Lock or Unlock activity also included in the
Process ID then Risk analysis is not required for it. Therefore suggested to select YAC: Yes when Access Change.
No is not suggested.
Sirish Vetcha, Consultant - GRC 10.0 81 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Approval Level: The approval level is required at
REQUEST: User Request
ROLE: Maintaining the Role
SYSTEM AND ROLE: Role Request and access to System-Backend System Request
Rejection Level: The rejection level is required at
REQUEST: User Request
ROLE: Maintaining the Role
SYSTEM AND ROLE: Role Request and access to System-Backend System Request
Comments Mandatory: At the time of approval or rejection whether the comments are Mandatory or not are
mentioned here. Suggested the comments are mandatory at both because the Role owner will be doing the review
of the access at regular frequency and where he can consider the requirement based on the comments. Also
required to find the reasons at the time of approval & to know the why rejected.
And ‘SAVE’
Click ‘NEXT’ to move to Maintain Route Mapping
Maintain Route Mapping:
Suggested no changes required to do here & Click ‘NEXT’
Sirish Vetcha, Consultant - GRC 10.0 82 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Generate Versions:
Click ‘SAVE’
Select the Transport Request:
Select the required transport request available and Click OK.
Also Click OK at ‘MSMP Workflow Configuration’ window
Sirish Vetcha, Consultant - GRC 10.0 83 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the Message Text & Click ‘ACTIVATE’
Now find lot of Message Text created confirming the activation:
Find the 1st row saying that:
Serial Number: 000001 was generated & new records were created for Process Id SAP_GRAC_ACCESS_REQUEST
The Serial Number is what we have generated in above steps of ARM
The Process ID is what we have selected to maintain for ARM
Sirish Vetcha, Consultant - GRC 10.0 84 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 037 > ARM: Find the working of ARM Configuration
Information :
Path : NWBC SAP_GRAC_NWBC Access Management Access Request Access Request
Creator
Find the below screen gets opened:
Request Type: The below are the requests available to choose & Suggested to Choose New Account
Sirish Vetcha, Consultant - GRC 10.0 85 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Request For: Self or Other or Multiple – Suggested for Self or Multiple.
Find the User Name gets changed based on the selection.
If we select ‘Self’ then User name will be freeze.
If we select other then find the User Name gets Blank and available to choose through help.
If we select Multiple the User name field will disappear and will change the main screen below enabling us to select
Users in big level.
All the 3 stages are shown in the below screen shot.
Suggested to select ‘Self’
Select ‘System’ at main screen for request:
Select the required system in the list & Click OK
Sirish Vetcha, Consultant - GRC 10.0 86 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Screen exists like below & Click ‘Submit’
Now after select the Request for ‘Other’
The help level at User field will be as below & provide necessary details of new user & Click OK
Sirish Vetcha, Consultant - GRC 10.0 87 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Select Business Process & Function area if maintained by us at Step 5 of Post Installation:
Go to the main screen & Click ‘ADD’ Find the option ‘ROLE’ & ‘SYSTEM’
Select ‘ROLE’
Find the below screen gets opened & maintain the info as required:
At System we have more options to select User help & select a System with Application
Click OK
At Role Type we have the option to choose from below – ‘Single Role’
Business Role:
Composite Role:
CUA Composite Role:
Sirish Vetcha, Consultant - GRC 10.0 88 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Derived Role:
Group:
PD Profile:
Profile:
Single Role:
Template:
At Role/ Profile Name provide the existing role name proposed to assign:
Click ‘Search’
Find the function as explained below:
After raising the request
Go to NWBC SAP_GRAC_NWBC Access Management Access Request Access Request Creation –
Explained above
Find the status at the same path & select ‘Request Status’ under ‘Access Request’
Find the status at which stage the request is pending.
Login with the user ID where the request is pending for approval.
Go to NWBC SAP_GRAC_NWBC MY HOME Work Inbox Work Inbox Approve by clicking SUBMIT
Login to the requester user ID & find the status where it is pending through ‘Request Status’
Login with user ID where the request is pending for approval at 2nd stage.
Proceed till the end of all stages & find the provision happened as requester.
BRF+: Business Rule Framework
With the new features like BRF+ we can have Function maintenance workflow, Risk Maintenance workflow, Role
Maintenance workflow, Mitigation control maintenance & assignment approval workflow
On executing the T-Code BRF+ its application opens. Initially we use to maintain the rules through ABAP code.
BRF+ workbench is a user interface that enables users to define, test, and maintain rules for various business
scenarios without need of ABAP code.
Rules can be created for initiators, agents, and also for routing workflows on specific conditions.
Conditions:
Sirish Vetcha, Consultant - GRC 10.0 89 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
BRF+ workbench can be opened using BRF+ T-Code.
We perform 2 main activities related to BRF+ T-Code.
1) Define workflow related MSMP rules – This is generating the rule before maintaining it. Select MSMP
Process ID. If it is for access request then select SAP_GRAC_ACCESS_REQUEST
We select the initiator rule among 4.
MSMP BRF+ flat rule (lineitem by lineitem):
This rule is called flat rule or lineitem by line item rule because this rule is called by MSMP multiple times, once for
each lineitem. So if in access request you have added 3 roles/systems, then this BRF rule will be called 3 times. As
an input to this rule, MSMP sends detail of one lineitem at a time and this BRF rule provides result for that one
lineitem only. BRF+ flat rule is easy to create as no loop is required and only one decision table (or other
expression) is required for the logic. For example, consider an access request with 3 roles/system. In this case the
BRF flat rule is called 3 times by MSMP with following input and output:
Input provided by MSMP to BRF+ flat rule in first call:
Item Name System Role Type LINEITEM KEY...
ROLE1 SYSTEM 1 SIN 0001
Output given by BRF+ to MSMP in first call:
Lineitem Key Rule Result
0001 RolePath
Input provided by MSMP to BRF+ flat rule in second call:
Item Name System Role Type LINEITEM KEY...
ROLE2 SYSTEM 2 COM 0002
Output given by BRF+ to MSMP in second call:
Lineitem Key Rule Result
0002 RolePath
Input provided by MSMP to BRF+ flat rule in third call:
Item Name System Role Type LINEITEM KEY...
SYSTEM1 SYSTEM1 0003
Output given by BRF+ to MSMP in third call:
Lineitem Key Rule Result
0003 SystemPath
So the flat rule is called once for each lineitem which makes its creation easier as no looping is required which is
required in case of BRF+ rule.
2.) MSMP BRF+ rule:
In this case, all the lineitems (roles, systems and FFID...) present in the Access Request are sent to the BRF rule in
form of a table. After processing, this rule has to return a table with lineitem key and result. For example, in case
of initiator rule the input to BRF rule can be following table. The roles/system shown here are one that are added to
access request.
INPUT sent by MSMP to BRF+
Item Name System Role Type LINEITEM KEY...
ROLE1 SYSTEM 1 SIN 0001
ROLE2 SYSTEM 2 COM 0002
SYSTEM 1 SYSTEM 1 0003
For the above input, the output of BRF rule will be something like following:
OUTPUT given by BRF+ to MSMP
Lineitem Key Rule Result
0001 RolePath
0002 RolePath
0003 SystemPath
Sirish Vetcha, Consultant - GRC 10.0 90 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Please note that we have not shown the decision table which contains the logic to determine the path in case of
initiator rule. Since complete request details are sent by MSMP to BRF+ rule for execution, so this rule is called only
once by MSMP. Hence it is required that the logic to loop on all the lineitems has to be done within BRF+ rule. The
decision table or other condition is called within the loop so that it is executed for all the lineitems one by one.
Key differences between BRF+ rule and BRF+ flat rule are again summarized below:
BRF+ Flat Rule BRF+ Rule
1.) Executed multiple times, Once for each lineitem 1.) Executed only once
2.) Details of one lineitem at a time passed to BRF 2.) Complete request details passed to BRF rule by MSMP in
rule by MSMP form of a table
3.)Output of flat rule is result of one line item only 3.) Output of BRF+ rule is complete table with all lineitems
4.) Easy to create as no loop is required 4.) Complex as compared to flat rule as loop is required
5.) Some of business cases not possible in flat rule 5.) Almost all business cases can be achieved by BRF+ rule
Step: 051 > BRF+: Generate MSMP Rules for Processes
Information:
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
Execute Define Workflow-Related MSMP Rules
Select MSMP Process ID: SAP_GRAC_ACCESS_REQUEST
Select Rule Type BRFplus Flat Rule (LineItem by LineItem)
Sirish Vetcha, Consultant - GRC 10.0 91 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Select Rule Kind Initiator Rule
Provide the Rule ID as per our naming convention:
All other options retain as per default > shown below:
And EXECUTE
Sirish Vetcha, Consultant - GRC 10.0 92 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Technical information from below screen displays after execution >
Note the Rule ID generated at 11th Line and the Rule ID we provided ZBTSRI
Rule ID = E309564BA9BA9AF19563ECA86B784858
Sirish Vetcha, Consultant - GRC 10.0 93 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 052 > BRF+: Define Business Rule Framework - Execute T-Code BRF+
Information:
T-Code: BRF+
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
Execute Define Business Rule Framework
Find the Name provided by us at Rule ID column while generating the Rule ID
Find the expression created or not. To find right click on the application > Go to Create > Expression > Click
Decision Table
Sirish Vetcha, Consultant - GRC 10.0 94 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Provide the Table Name: “ZBTSRI_DECTBL_INITRL” > reflecting rule ID name + Table + Rule type Initiator Rule
Provide Short Text as “Decision Table”
Provide Text as “Decision Table for Initiator Rule of ZBTSRI
Find the Application displayed as ZBTSRI
Click “CREATE AND NAVIGATE TO OBJECT”
Find the below screen appears:
Don’t change the default options and ensure tick is only for “Return an initial Value if no match is found”
Sirish Vetcha, Consultant - GRC 10.0 95 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Under “Condition Column” > Click Insert Column and Select “From Context Data Object”
The objects got opens and as per our requirement we select ‘REQTYPE’:
Click “SELECT”
Sirish Vetcha, Consultant - GRC 10.0 96 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Now the screen gets updated with “REQTYPE” Now click “Insert Column from Data Object” under “Result Columns”
Plain screen gets displayed and Click “Search” to find the list of objects available:
Sirish Vetcha, Consultant - GRC 10.0 97 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
After Search select “Line Item Key” & “Rule Result”
Line Item Key is selected because we have selected previously the rule type as Flat Rule Line Item by Line Item
Rule Result is selected to ensure if Request type is 1 Go to Path A and if request type is 2 then go to Path B
Deselect Mandatory Inputs & Click OK
We go to the decision table screen where Table contents will be blank. Click “Insert New Row”
Sirish Vetcha, Consultant - GRC 10.0 98 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Contents under the table will be filled with Request Types, Trigger Value, & Line Items list
Now we assign the Path (Line Item) for each Request Type by updating Request Type & Trigger Value:
Update the Request Type by selecting “Direct Value Input”
Find the options to select after clicking Direct Value Input:
Sirish Vetcha, Consultant - GRC 10.0 99 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Go to the Help for selecting other options at 000
Select 001 > “New Account” & Click “OK”
To Add another Condition Click Icon of “Insert Include Condition”
Sirish Vetcha, Consultant - GRC 10.0 100 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Then again go to the Request Value and select Change Account > 002 & Click “OK”
With this we have selected the 2 request types in Decision Table created by us & Click “OK”
1 is New Account
2 is Change Account
Now, Maintain Trigger Values:
Click the Icon under Trigger Value & select “Direct Value Input”
Here we provide the Path name & we provided as “ZBTSRI_DT_IR_PATH1” DT stands for Decision Table & IR is
Initiator Rule & Click “OK”
Sirish Vetcha, Consultant - GRC 10.0 101 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Now observe the Request type updated as 001 New Account & 002 Change Account with Path 1
Left Pane Decision Table is not Green
Now Click SAVE & ACTIVE
After Clicking SAVE it appears as “Object(s) saved Successfully” then Click “Active”
Now after clicking “Active” we observe blink above Active button will be Green & Inactive turns into Active
Also find the left pan decision table becomes Green
Sirish Vetcha, Consultant - GRC 10.0 102 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Now we have to Create another request type Lock & Unlock with same Path i.e. 2 nd Path.
For this Right Click the Decision Table at Left Pan & Select Edit
Click Insert New Row and follow the above steps with the selections as given below:
Request Type: 004 – Lock User & 005 – Unlock the User
Trigger Value: ZBTSRI_DT_IR_PATH2
Click SAVE & ACTIVE
Sirish Vetcha, Consultant - GRC 10.0 103 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Also observe all the expressions at “Decision Table” come Green
Also the Application we provided displayed under Function at Left Pan should be Green
If we find our application is not Green the follow below steps:
Maximize the Function
Right Click the Application name & Click “Edit”
Sirish Vetcha, Consultant - GRC 10.0 104 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Below screen gets displayed & Click the Icon at “Top Expression:”
Select “Select”
Below screen gets displayed with list of decision tables under Application ZBTSRI:
Select the current Table which we want to activate
Click button “Activate”
Sirish Vetcha, Consultant - GRC 10.0 105 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the Function icon at left pan becomes Green & above “Activate” button “Inactive” icon turn “Active” & Greens
Step: 053 > BRF+: Mapping BRF+ Application with MSMP Workflow:
Information:
T-Code:
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Workflow for Access Control
Execute Maintain MSMP workflows
Maintain the users through agent ID in agents & maintain them in the stages through modify task settings before
and now at each path add those stages.
Select the Process ID which we have maintained at BRF+ : SAP_GRAC_ACCESS_REQUEST
Click “Display/ Change”
Click “Next” till “Maintain Paths”
Sirish Vetcha, Consultant - GRC 10.0 106 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
At “Maintain Paths”
Click Add and provide the new 2 paths created by us
Select the 2nd Path i.e. ZBTSRI_DT_IR_Path2
Click ADD at Maintain Stages
Provide the information of the Stage >
Sequence Number as 001
Stage Configuration ID: GRAC_MANAGER
Stage Description: Manager Approval for LOCK – Path2
SAVE
Sirish Vetcha, Consultant - GRC 10.0 107 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the stage added to the stages list on the screen
Repeat the same step for Path1 with 3 stages > Manager, Role Owner & Security
Stage configuration is:
Manager > GRAC_MANAGER
Role Owner > GRAC_ROLEOWNER
Security > GRAC_SECURITY
Go to Maintain Rules
Click ADD
Provide Rule ID: E309564BA9BA9AF19563ECA86B784858 (Generated at Step 051)
Rule Description: Batchsri initiator Rule
Rule Type: BRFplus Flat Rule (Lineitem by Lineitem) – Select from dropdown
Rule Kind: Initiator Rule – Select from Dropdown
SAVE
Sirish Vetcha, Consultant - GRC 10.0 108 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the Rule ID added to the list:
Select the same line & Click ADD at Rule Results:
Manually give the Path names provided at trigger Values without using the help option
ZBTSRI_DT_IR_PATH1
ZBTSRI_DT_IR_PATH2
Change the Global Rules under it to the Rule ID given by us:
Sirish Vetcha, Consultant - GRC 10.0 109 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Go to Maintain Route Mapping:
Click ADD > At Rule ID: Use help and select the Rule ID created by us:
Find the Rule kind gets freeze with Initiator Rule as we have not given any other rules in the ID
Click Help at Rule Result & Select 1 Rule Result value we have created already:
At Path ID > Use help & select the path ID we have provided:
Sirish Vetcha, Consultant - GRC 10.0 110 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Repeat the same way for Rule Result 2 with Path ID 2:
Go to Generate Version:
Select SAVE/ SIMULATE
Opt: Do Not Transport Object & Click OK
Find all the Types are in Green Ticks
Find all the Message text types are in GREEN TICK & also can export the result to Spreadsheet.
Accept at PopUp Blocker
Sirish Vetcha, Consultant - GRC 10.0 111 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Go to Process Global Settings and find the Process ID uploaded with the version we have created now:
BUSINESS ROLE MANAGEMENT
Step: 038 > BRM: Requirements > Maintain Connectors to Connector Group:
Information : The same is done by us in Step No 007 at Common Configuration. It is recommended to use
tha SAP standard Connection group SAP_R3_LG or SAP_BAS_LG etc.
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Integration Framework
Maintain Connectors and Connection Types
Sirish Vetcha, Consultant - GRC 10.0 112 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Sirish Vetcha, Consultant - GRC 10.0 113 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 039 > BRM: Requirements > Maintain Connection Settings:
Information : The same is done in Step No 008 at maintain connection setting. It is recommended to maintain
ROLMG for Business Role Management.
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Common Component Settings
Execute Maintain Connection Settings
Maintain integration scenario PROV & maintain Scenario Connector Link to related Connection Group.
Step: 040 > BRM: Requirements > Maintain Mapping for Actions and Connector Groups:
Information : The same is done in Step No 011 at Common Configuration. Maintain mapping for actions 0001-
Role Generation, 0002-Role Risk Analysis, 0003-Authorization Maintenance, 0004-Provisioning
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Execute Maintain Mapping for Actions and Connector Groups
Sirish Vetcha, Consultant - GRC 10.0 114 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 041 > BRM: Requirements > Maintain Connector Settings:
Information : The same is done in Step No 009 at Common Configuration. Maintain Connector settings i.e.
maintain backend connector whether it’s Development or Testing or Production System.
Currently we are focusing on Role Management. This deals in creation of roles in the backend system. We create
roles in Development, Test them and after user acceptance Test the same is transferred to Production. Therefore
we assign the connector as DEVELOPMENT
Path : Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Execute Maintain Connector Settings
Provide target connector, Application type is SAP & environment is Development & Activate PSS-Password Self
Service & SAVE
Sirish Vetcha, Consultant - GRC 10.0 115 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 042 > BRM: Requirements > Activate Business Configuration BC-Sets:
Information : The same is done in Step No 006 at Common Configuration. Activate Business Configuration
BC-Sets
BC Sets related to Role Management are:
Maintain Connector settings i.e. maintain backend connector whether it’s Development or Testing or Production
System.
GRAC_Role_MGMT_Landscape
GRAC_Role_MGMT_Methodology
GRAC_Role_MGMT_Pre_Req_Type
GRAC_Role_MGMT_Role_Status
GRAC_Role_MGMT_Sentivity
T-Code : SCPR20
Step: 043 > BRM: Requirements > Maintain Configuration Settings:
Information : The same is done in Step No 010 at Common Configuration. Maintain Parameters of Role
Management - Parameter Group–ROLE and at 24 Parameter IDs
3000 – Default Business Process: Select all predefined processes which we defined in Step 005
3001 – Default Sub process: Select all defined Sub Processes which we defined in Step 005
3002 – Default Critical Level:
3003 – Default Project Release:
3004 – Default Role Status: Select PRD
3005 – Reset Role Methodology when changing Role Attributes:
3006 – Allow add functions to an authorization:
3007 – Allow editing organization level values for derived roles:
3008 – A Ticket number is required after authorization data changes:
3009 - Allow Role Deletion from Back-End:
3010 - Allow attaching files to the role definition:
3011 - Conduct Risk Analysis before Role Generation:
3012 - Allow Role Generation on Multiple Systems:
3013 - Use logged-on user credentials for role generation:
3014 - Allow role generation with Permission Level violations:
3015 - Allow role generation with Critical Permission violations:
3016 - Allow role generation with Action Level violations:
3017 - Allow role generation with Critical Action violations:
3018 - Allow role generation with Critical Role/Profile violations:
3019 - Overwrite individual role's Risk Analysis result during Mass Risk Analysis run:
3020 - Role certification reminder notification:
3021 - Directory for mass role import server files:
3024 - Enforce methodology process for derived roles during generation:
3025 - Allow selection of Org. Value Maps without leading org.:
In addition to the above Parameter group 12 & 13 are also require to configure
PG12-Access Request Role Selection: Contains 14 Parameter IDs with values in each ID
PG13-Access Request Default roles: Contains 5 Parameter IDs with values in each ID
Sirish Vetcha, Consultant - GRC 10.0 116 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Step: 044 > BRM: Requirements > Create Role Owner & Assign in Access Owners:
Information : The same is done in Step 12 in which for BRM it is required to create role owner in GRC system
and assign the same as Role Owner in Access Control Owners under Access Owners.
Assign below users to the role owner:
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
SAP_GRAC_ROLE_MGMT_ROLE_OWNER
T-Code for Creating Role Owner : SU01
Path for Assigning in Access Owners: NWBC SAP_GRAC_NWBC Set Up Access Owners Access Control
Owners
Click “CREATE”
Step: 045 > BRM: Requirements > Assign Role Owner in Role Owners:
Information : The same role owner is to be assigned in Role Owners which is located below Access Control
Owners.
Provide ID for Condition Group
Use help and pick the User
Sirish Vetcha, Consultant - GRC 10.0 117 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Assignment Approver: TICK > Used for ARM request. When user request for a role the approval will be coming
here. In general workflow procedure after submitting request the request will go to manager for approval. Then it
will be going to role owner for approval. Here we assign the role owner.
Role Content Approver: He is the owner for the role structure and will be providing approval whenever a change is
required to do for the Role.
We can provide both the eligibilities for a single role owner. Those are to be assigned here.
T-Code:
Path for Assigning in Access Owners: NWBC SAP_GRAC_NWBC Set Up Access Owners Role Owners
Click ‘ADD’
Step: 046 > BRM: Maintain Role type Settings:
Information: Here we maintain basic 3 conditions for role.
i. Mandatory: SAP provides 9 varieties of roles. All these will be provided to use. If we don’t require any of
the role type in our business model those can be deactivated here.
ii. Optional: The above selected roles can be maintained with labels as per our business understanding.
iii. Optional: Here we can set the maximum length of role name for each role type. Maximum length of a
role name given by SAP is 30. Example: Parent role can be with 24 characters and child roles under it can
be 30 characters. 6 extra characters in child role can be the org value we maintain in the child role.
i. Types of Roles:
Business Role: It carries different roles even from different servers. One business role can be assigned for
each business process. This also can be used for FFID
Composite Role:
CUA Composite Role:
Derived Role:
Group:
PD Profile:
Profile:
Single Role:
Template: A Master role is created without any authorizations which can be used while creating a new role.
T-Code:
Path:
Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Role Management
Maintain Role Type Settings
Execute Deactivate Role Type
Click New Entries
Select required role type which is not required & select Inactive > SAVE
Sirish Vetcha, Consultant - GRC 10.0 118 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
ii. Maintain Labels:
Path:
Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Role Management
Maintain Role Type Settings
Execute Maintain Labels for Role Types
Click New Entries
Provide language by selecting from 41 options.
Select role type from which are in active
Description we provide to the role as per our business design
Sirish Vetcha, Consultant - GRC 10.0 119 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
iii. Define length of Role for each role type:
Path:
Go to SPRO
SAP Reference IMG
Governance Risk & Compliance
Access Control
Role Management
Maintain Role Type Settings
Execute Specify Maximum Length for Role Type
Click New Entries:
The role types which require org value in its role name will have 30 characters & which don’t contain org values can
be 24 characters. & SAVE
Step: 047 > BRM: Define Business Process & Sub Business Process:
Sirish Vetcha, Consultant - GRC 10.0 120 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Information: This is mandatory to maintain the Business and Sub Business processes. If client don’t provide sub
processes, the business process only can be treated as sub business process. This is also maintained at Step
005.
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Execute Maintain Business Process & Sub Process
Step: 048 > BRM: Specify Naming Convention:
Information: We maintain the naming convention structure here as agreed with the client. This is an optional
requirement.
We maintain the naming convention to each role type with the maximum characters what we maintained in Step
046.
Z 1st Level – Norm of customized Role 1 Character 1-1
B/C/A/D/S/T 2nd Level – Role type is mentioned here 1 Character 2-2
_ 3rd Level – A underscore is used to separate 1 Character 3-3
FI00/AP00/BS00 4th Level – Business Process is mentioned here 4 Characters 4-7
_ 5th Level – A underscore is used to separate 1 Character 8-8
AP/AR/BK/GL/SC 6th Level – Sub Business Process is mentioned here 2 Characters 9-10
_ 7th Level – A underscore is used to separate 1 Character 11-11
INVOICE_PROCC 8th Level – Role function is described at this level 12 Characters 12-23
_ 9th Level – A underscore is used to separate 1 Character 24-24
CC1000/CC0001 10th Level – Org value maintained in derived role 6 Characters 25-30
Based on the above naming convention the Role name examples are provided below:
Business Role: ZB_FI00_AP_BUSINESSROLE_CC1000
Composite Role: ZC_FI00_AP_INVOICEPROCC_CC1000
CUA Composite Role: ZA_FI00_AP_INVOICEPROCC_CC1000
Derived Role: ZD_FI00_AP_INVOICEPROCC_CC1000
Group:
PD Profile:
Profile:
Single Role: ZS_FI00_AP_INVOICEPROCC (At parent role level Org value is not maintained)
Template: ZT_FI00_AP_TEMPLATE0001 (At template role Org value is not maintained)
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Specify Naming Conventions
Click New Entries
Give the Name to the Version, Description of the version, which type of role & the connector group
Sirish Vetcha, Consultant - GRC 10.0 121 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
SAVE & come back
Then Click Naming Convention Position
Click New Entries & provide below information as explained above & SAVE
In the same way create for other role types also.
Step: 049 > BRM: Define Role Attributes:
Information: Other attributes-Values can be assigned to the roles. Some are mandatory & some are optional.
These facilities are explained to the client & as per the design provided by the client.
A Maintain Project Release: This is mandatory. As GRC is central administrator we require to provide
separate project release which will be used in further configuration
B Define Role Sensitivity: This is optional and can create 4 stages of sensitivity which can be selected at the
time of role creation based on the role.
Sirish Vetcha, Consultant - GRC 10.0 122 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
C Maintain Role Status: This is mandatory. While creating the role the status of the role is selected & the
same status is to be assigned as Production here. On selecting this status while creating the role it is
eligible for provisioning and can be requested by the users through ARM. If the development roles also
are required to provide through ARM then the development roles are to be TICKED PROD here.
D Critical Level: This is optional and can create different stages of sensitivity which can be selected at the
time of role creation based on the role.
E Define Companies: Companies are defined here which can be selected while creating the role. In case if
the company have different company codes and maintain same role structure this can be done through
Parent derived role system by maintaining Org. values in the derived roles. By selecting the company
here the role related to the same company will be provided.
F Functional Area: Function area can be mentioned while creating a role for which function it belongs to like
AP, AR, GL etc in FI00 business area. Here we provide all the function areas Codes, Description &
abbreviations. Abbreviations are available in 2 characters and also company can be mentioned here. It is
recommended not to provide the company against function area as same function area exists in all the
companies. If any function available in only one company then it can be maintained.
G Prerequisites: Predefined requisites available are CERTIF – Certification, NDA - & Training. Before
assigning a role to the user if he requires to complete any training or certification to execute the
transactions in the role this is maintained here. We also have the options to create new controls from new
entries. We can add ISO training in SoD procedure.
H Role Prerequisites: Under the prerequisite types created above we can create prerequisites list linking the
type. We can maintain system wise by providing the RFC destination and with course ID. After providing
RFC destination also to be provided the connection type > it is ABAP 3 if asked.
I Define Organizational Value Maps: we need to create this mapping for creation of derived roles. We
require defining our company code here to get them into role creation screen.
A. Maintain Project Release:
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Project and Product Release Name
Click New Entries
Give Project Release ID & Description & SAVE
B. Define Role Sensitivity:
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Role Sensitivity
Click New Entries
Sirish Vetcha, Consultant - GRC 10.0 123 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
C. Maintain Role Status: To maintain another titles for Role Status click New Entries & provide the Title & Tick
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Role Status
D. Specify Critical Level: New Entries > provide information as below > SAVE
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Role Status
E. Define Companies: New Entries > provide information as below > SAVE
Sirish Vetcha, Consultant - GRC 10.0 124 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Companies
F. Maintain Functional Areas: New Entries > provide information as below. Abbr is 2 characteristics & Co is not
required to provide as the function area belongs to all company codes. If any function exclusively present in a
single company then that function area can be mentioned with that company code. Like HQ will have Corp. Tax role
> SAVE
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Functional Areas
G. Define Prerequisite type: New Entries > provide information as below > SAVE
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Functional Areas
Sirish Vetcha, Consultant - GRC 10.0 125 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
G. Define Role Prerequisite: New Entries > provide information as below > SAVE
CERTIF is a Certification
NDA is a Non-Disclosure Agreement
TRAINING is Training
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Maintain Functional Areas
Sirish Vetcha, Consultant - GRC 10.0 126 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
I. Define Organizational Value Maps: New Entries > provide information as below > SAVE
Path: SPRO
SAP Ref IMG
Governance Risk and Compliance
Access Control
Role Management
Execute Define Organizational Value Maps
After saving the above double click the Org Level Mapping Details & provide below information & SAVE
Step: 050 > BRM: Role methodology:
Information: Other attributes-Values can be assigned to the roles. Some are mandatory & some are optional.
These facilities are explained to the client & as per the design provided by the client.
Sirish Vetcha, Consultant - GRC 10.0 127 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Path: NWBC SAP_GRAC_NWBC Access Management Role Management Role Maintenance
Create a Single role in Backend with T-Codes Eg. PFCG & SU01 and don’t generate role just save the role
Do the Synchronization & accept when it says that Role is only saved and not generated
Click ‘Create’ and it will ask what role to create > find the activated roles present here with its labels & not
redefined role type names. Deactivated roles will not displayed for choosing option.
Selected Simple Role – ZS which we labeled for Single Role
Find the wide options to fill as we configured above:
Sirish Vetcha, Consultant - GRC 10.0 128 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Application Type: Select SAP among other GRC supporting backend server types
Landscape: Is a Connector Group & displayed the description here to choose > Select GRC predefined
SAP_BAS_LG or SAP_R3_LG etc
Business Process: Select one of the predefined business process which we have created in step 005
Subprocess: Select one of the created sub business process which we have created in step 005 under BP
Project Release: Select the release created by us
Role Name: Provide the naming convention designed at Step 048 for Single Role
Click ‘SAVE & CONTINUE’
Find the values displayed in Green Highlights & Tick for pushing Authorization Data to Backend System
Click ‘SAVE & CONTINUE’
Sirish Vetcha, Consultant - GRC 10.0 129 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the screen taken us to Run Risk Analysis for finding any role level or within role risks exists as per rule set.
Sirish Vetcha, Consultant - GRC 10.0 130 of 131
Configuration document of GRC – Access Control
Includes Post Installation. Common Configuration, ARA, EAM, ARM, BRM, MSMP through BRF+
Find the result that risk analysis run successful & then click ‘SAVE & CONTINUE’
Will go to Create Role screen & also click ‘SAVE & CONTINUE’
Click Initiate Approval Request and find a new window gets opened & provide comments & Click OK
Sirish Vetcha, Consultant - GRC 10.0 131 of 131
You might also like
- ECC Report Creation and User ManagementNo ratings yetECC Report Creation and User Management30 pages
- SAP Automatic Workflow Customization GuideNo ratings yetSAP Automatic Workflow Customization Guide31 pages
- SAP Security - Day 2 1st Half - Radha Krishna100% (1)SAP Security - Day 2 1st Half - Radha Krishna67 pages
- SAP Security: Role Maintenance OverviewNo ratings yetSAP Security: Role Maintenance Overview121 pages
- Create Organizations and Mitigating ControlsNo ratings yetCreate Organizations and Mitigating Controls33 pages
- GRC Server Installation and Configuration Guide100% (2)GRC Server Installation and Configuration Guide14 pages
- 50 SAP GRC Interview Questions & AnswersNo ratings yet50 SAP GRC Interview Questions & Answers9 pages
- GRC Training: Compliance and Risk ManagementNo ratings yetGRC Training: Compliance and Risk Management32 pages
- GRC Access Control 10.0 Configuration GuideNo ratings yetGRC Access Control 10.0 Configuration Guide186 pages
- SAP GRC Access Control Configuration GuideNo ratings yetSAP GRC Access Control Configuration Guide2 pages
- SAP Spaces and Pages Configuration GuideNo ratings yetSAP Spaces and Pages Configuration Guide44 pages
- Enhancing IT Skills Through Digital LearningNo ratings yetEnhancing IT Skills Through Digital Learning48 pages
- Learning MySQL and MariaDB First Edition Dyer Ebook Testbank Solutions Chapter Rich Content100% (5)Learning MySQL and MariaDB First Edition Dyer Ebook Testbank Solutions Chapter Rich Content156 pages
- Understanding Service-Oriented ArchitectureNo ratings yetUnderstanding Service-Oriented Architecture25 pages