Tuesday 29 October 2013

SAP GRC 10.0 Exam Information


Exam Code: C_GRCAC_10 - SAP Certified Application Associate - SAP BusinessObjects Access Control 10.0

Books: GRC300 - SAP BusinessObjects Access Control Implementation and Configuration (95% of questions)
       GRC100 - GRC Principles and Harmonization (5% of questions)
Number of Questions: 80
Duration: 180 mins
Pass Percentage: 66 (as per the website)
                 63 (as per my knowledge)

Topic Areas:

Information about the GRC AC Exam:
Sample Exam Questions:

You can visit Pearson VUE and book the exam.
Fees: $500 + local tax (USA)
      50,000 yen + local tax (Japan)
Process in India to book a GRC exam:




How to create a transportable BRF+ flat initiator rule for MSMP in GRC 10.0


Source: http://www.mariewagener.de/Notes.January.2012

BRF+ (Business Rule Framework plus) is a powerful tool for defining ABAP-based rules that reflect business scenarios.
In the GRC 10.0 MSMP (Multi-Stage Multi-Path) workflow a business rule can be used for different purposes; the following example shows how to create a transportable initiator rule.

Step 1 - Creation of a development package:
Call transaction SE21 and enter the desired name for the new package. The development package has to be assigned to a transport layer.
The creation results in a workbench request.
The software component is GRCFND_A.


Step 2 - Creation of an application:
In transaction BRF+ select Workbench --> Create Application.
Enter the desired name and link the application to the "Development Package" created in step 1.

After clicking on "Create And Navigate To Object" a prompt for a transport request will appear.

Step 3 - Activation of the application:
After creation the application is inactive. It has to be activated before it can be used.

Click the "Activate" button.
 

Step 4 - Generate the MSMP rule for the process:
In transaction GRFNMW_DEV_RULES select the relevant MSMP process ID (here SAP_GRAC_ACCESS_REQUEST).
Likewise select rule type "BRFplus Flat Rule (Line item by line item)" and rule kind "Initiator Rule".
The Rule ID entered should be self-explanatory, and the name of the application created in step 2 has to be added.

Likewise specify the initial attributes for the decision table, e.g. "Business Process":

Finally start the generation via F8.
The log should reflect the previous input.
 
Step 5 - Creation of a decision table:
Go back to transaction BRF+.

In case the decision table has not been generated yet, click on "Top Expression" and "Create".

There select the appropriate type and add the desired naming information.
Complete the step with a click on "Create And Navigate To Object".

Double-check the "Result Data Object", and insert the mandatory "Result Columns" for this particular rule as well as the "Condition Columns" for the business scenario.

Step 6 - Finalize the business rule:
In a last step maintain the desired rule and result scenario, and activate the function.

Finally associate the rule ID with the MSMP process ID.
Note: make sure that for every result value a corresponding path is defined in MSMP.
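The following is an added example, not code from the original article or from SAP: it models what the flat (line item by line item) initiator rule of steps 4 to 6 does, and includes the check from the note above, that every result value of the decision table has an MSMP path. The decision table rows, result values, path IDs and request line items are constructed.

```python
# Added example, not code from the original page or from SAP: a minimal model of
# a BRF+ "flat" (line item by line item) initiator rule for process
# SAP_GRAC_ACCESS_REQUEST. The decision table rows, result values, MSMP path IDs
# and request line items are constructed for illustration.

from dataclasses import dataclass

# Constructed decision table: condition column "Business Process" -> result column.
# Rows are evaluated top-down; "*" is a catch-all row.
DECISION_TABLE = [
    {"business_process": "FI", "result": "INIT_FINANCE"},
    {"business_process": "HR", "result": "INIT_HR"},
    {"business_process": "*",  "result": "INIT_DEFAULT"},
]

# Constructed MSMP configuration: initiator result value -> path ID.
MSMP_PATHS = {
    "INIT_FINANCE": "ZP_FI_APPROVAL",
    "INIT_HR": "ZP_HR_APPROVAL",
    "INIT_DEFAULT": "ZP_DEFAULT_APPROVAL",
}


@dataclass(frozen=True)
class LineItem:
    role: str              # role requested on the access request line
    business_process: str  # attribute the decision table conditions on


def evaluate_line_item(item, table=DECISION_TABLE):
    """Flat rule: every line item is evaluated on its own; first matching row wins."""
    for row in table:
        if row["business_process"] in ("*", item.business_process):
            return row["result"]
    return None  # no row matched: MSMP has no result to route on


def unmapped_results(table=DECISION_TABLE, paths=MSMP_PATHS):
    """The check from the note: result values of the table that have no MSMP path."""
    return sorted({row["result"] for row in table} - set(paths))


def route_request(items, table=DECISION_TABLE, paths=MSMP_PATHS):
    """Map each line item's role to the MSMP path its initiator result selects."""
    missing = unmapped_results(table, paths)
    if missing:
        raise ValueError(f"initiator results without an MSMP path: {missing}")
    routing = {}
    for item in items:
        result = evaluate_line_item(item, table)
        if result is None:
            raise ValueError(f"line item {item.role}: no decision table row matched")
        routing[item.role] = paths[result]
    return routing


if __name__ == "__main__":
    # Constructed request with three line items from different business processes.
    request = [LineItem("Z_FI_AP_CLERK", "FI"),
               LineItem("Z_HR_ADMIN", "HR"),
               LineItem("Z_BASIS_MONITOR", "BC")]
    print(route_request(request))
    # A result value added to the table without an MSMP path is caught before transport.
    print(unmapped_results(DECISION_TABLE + [{"business_process": "MM", "result": "INIT_MM"}]))
```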

Organization Rules in GRC AC 10


Source: http://www.mariewagener.de/Notes.September.2011


Organizational rules allow you to filter "false positives" out of the risk analysis.

What does that mean?
You have a role concept with master and derived roles, where e.g. the leading organizational level is the company code with a corresponding organizational value set:

Role_A_0001 for Company Code 0001 - (FB60)
Role_B_DE01 for Company Code DE01 - (FK02)


Role_A_0001 contains transaction FB60 (posting of vendor invoices),
whereas Role_B_0001 (and likewise Role_B_DE01) contains transaction FK02 (changing vendor master data).

 

A combination of transaction FK02 (e.g. function ID PR01) and FB60 (e.g. function ID AP02) is an SOD risk, reflected e.g. by risk ID ZP001.

 

A user who is assigned the above roles would have a combination of both transactions according to a regular rule set, and would show up with an SOD risk if the organizational values are not considered.

This could be a "false positive", as the user actually cannot call FK02 and FB60 for the same company code (legal entity), depending on the company's policies.
To filter these "false positives" you can use organizational rules.


There are multiple ways to set up organizational rules depending on your actual filter requirements, but always be careful when setting them up, so that you do not accidentally eliminate "real positives".

Situation:
User DE01_01 has the roles Role_B_DE01 and Role_A_0001.
With that he has transactions FK02 and FB60, but for different company codes.
When we run a regular risk analysis for this user, he would show up with an SOD conflict, as he has transaction FK02 as well as FB60 assigned.

 

User 0001_01 has the roles Role_A_0001 and Role_B_0001 assigned.
With that he has FK02 and FB60 within one company code, and would also show up in the risk analysis.



Situation:
Now we create an organizational rule that "filters" the Company Code 0001:

 

In a next step we want to apply this organizational rule to the analysis.

 

NOTE: Please be aware that the corresponding organizational value has to be set to Active in the functions, and that the rules need to be regenerated.


After that, only user 0001_01 will continue to show up in the risk analysis report when the corresponding organizational rule is applied.

User DE01_01 will not have an SOD conflict listed when the organizational rule is applied.
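As an added example that is not part of the original post, the script below models the scenario above (functions PR01/AP02, risk ZP001, the derived roles and the two users) and shows the regular analysis, the rule that filters Company Code 0001, and the generic same-legal-entity rule discussed further down. The org-rule matching logic is a simplification of GRC's semantics, and the helper that lists which findings a rule suppresses is the review step the "real positives" warning calls for. BUKRS is assumed as the company code org level.

```python
# Added example (not from the original post): a small model of how an
# organizational rule filters "false positives" out of an SOD risk analysis.
# Functions, risk, roles and users are constructed from the post's scenario;
# the matching logic is a simplification of the GRC org-rule semantics.

from itertools import product

FUNCTIONS = {"AP02": {"FB60"}, "PR01": {"FK02"}}   # function ID -> transactions
RISKS = {"ZP001": ("PR01", "AP02")}                  # risk ID -> conflicting functions
ROLES = {                                            # derived roles with their company code (BUKRS)
    "Role_A_0001": {"tcodes": {"FB60"}, "BUKRS": "0001"},
    "Role_B_0001": {"tcodes": {"FK02"}, "BUKRS": "0001"},
    "Role_B_DE01": {"tcodes": {"FK02"}, "BUKRS": "DE01"},
}
USERS = {
    "DE01_01": ["Role_B_DE01", "Role_A_0001"],
    "0001_01": ["Role_A_0001", "Role_B_0001"],
}


def roles_with_function(user, function):
    """Roles of the user that grant at least one transaction of the function."""
    return [r for r in USERS[user] if ROLES[r]["tcodes"] & FUNCTIONS[function]]


def analyze(user, org_rule=None):
    """Risk IDs reported for the user.

    org_rule=None is the regular rule set: any role pair giving both functions
    is a conflict. An org rule is {"risk": <risk ID or "*">, "BUKRS": <value or "*">}:
    for the risks in its scope a conflict counts only if both functions come from
    roles of the same company code and (unless "*") that code is the rule's value.
    """
    found = set()
    for risk_id, (f1, f2) in RISKS.items():
        in_scope = org_rule is not None and org_rule["risk"] in ("*", risk_id)
        for r1, r2 in product(roles_with_function(user, f1), roles_with_function(user, f2)):
            cc1, cc2 = ROLES[r1]["BUKRS"], ROLES[r2]["BUKRS"]
            if not in_scope or (cc1 == cc2 and org_rule["BUKRS"] in ("*", cc1)):
                found.add(risk_id)
                break
    return found


def suppressed_by(org_rule):
    """Findings the org rule removes, per user: review these so no real positive is lost."""
    diff = {u: analyze(u) - analyze(u, org_rule) for u in USERS}
    return {u: risks for u, risks in diff.items() if risks}


if __name__ == "__main__":
    rule_0001 = {"risk": "ZP001", "BUKRS": "0001"}  # the post's "filter Company Code 0001" rule
    generic = {"risk": "*", "BUKRS": "*"}           # the generic "never SOD within one legal entity" rule
    for user in USERS:
        print(user, "regular:", sorted(analyze(user)),
              "rule 0001:", sorted(analyze(user, rule_0001)),
              "generic:", sorted(analyze(user, generic)))
    print("suppressed by rule 0001:", suppressed_by(rule_0001))
```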






If you want to create an organizational rule that generally eliminates all possible "false positives" for roles that are strictly assigned based on organizational level differentiation (meaning that users should never have SOD within one legal entity, but may definitely perform these functions for different company codes), the rule could look like this:




The risk ID could be generic:

 
 

Sunday 27 October 2013

Good Links for GRC Installation and Configuration Documents - SAP BusinessObjects Access Control 10.0



A fragmented, reactive approach to managing access risk isn't just inefficient and costly - it's bad for business. The SAP BusinessObjects Access Control application can enable your business to confidently manage and reduce access risk across the enterprise by helping you prevent unauthorized access and achieve real-time visibility into access risk.

To learn more about SAP GRC solutions, please visit our product page, or go to the GRC area of BPX. We also invite you to learn more about SAP GRC Access Control 5.3.


Getting Started

GRC 10.0 Pre-Installation 
The presentation explains the new architecture and the necessary prerequisites for a successful installation of SAP BusinessObjects GRC 10.0 and guides the reader through the installation procedure of the software.

GRC 10.0 Post-Installation 
The presentation explains the necessary post-installation steps in SAP BusinessObjects GRC 10.0.

AC 10.0 Post-Installation  
The presentation covers the basic steps required for setting up SAP BusinessObjects GRC 10.0. For setting up specific functionality please refer to the corresponding pre-implementation guide.

AC 10.0 - Installation Checklist 
This guide provides a checklist for your installation activities for the Access Control 10.0 application.

Access Risk Analysis

AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis
This document allows implementation consultants and administrators to setup the required functionality for running a user level risk analysis after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Access Risk Analysis component, rather it allows testing the application is working properly by setting up a basic test case.

AC 10.0 - Enhanced Access Risk Analysis  
This document describes the major enhancements to the access risk analysis capability of GRC, including end user customization and personalization. It covers how to navigate through the different reports, and also about new functionality such as new bulk maintenance, automation, audit trail, and mitigation options.

Emergency Access

AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access 
This document allows implementation consultants and administrators to setup the required functionality for running an emergency access (firefighter) session after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Emergency Access Management component, rather it allows testing the application is working properly by setting up a basic test case.

AC 10.0 - Centralized Emergency Access 
This document is a detailed guide on the emergency access capability of Access Control 10.0. It explains the basic concepts of emergency access and provides details on how to configure the application. This document also includes additional information on the types of logs available for monitoring emergency accesses.

Business Role Management

AC 10.0 Pre-Implementation From Post-Installation to First Role Creation  
This document allows implementation consultants and administrators to setup the required functionality for creating a single role in AC after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Business Role Management component, rather it allows testing the application is working properly by setting up a basic test case.

AC 10.0 - Business Role Management 
This document allows implementation consultants and administrators to setup the required functionality for creating roles in AC after the post-installation has been finished. This guide provides the configuration steps for setting up Business Role Management.

Access Request Management

AC 10.0 Pre-Implementation From Post-Installation to First Access Request 
This document allows implementation consultants and administrators to set up the required functionality for creating an access request after the post-installation has been finished. Please note that Role Management has to be configured before role assignments can be requested. This is by no means a comprehensive guide for setting up MSMP workflows, rather it allows testing that the application is working properly by setting up a basic test case.

AC 10.0 - Customizing Workflows for Access Management
This document allows implementation consultants and administrators to setup the required functionality for enabling the workflow engine in AC 10.0. You will learn the main components of the new workflow engine and how to customize them, also how to create agents and initiators using Function Modules and BRFplus.

AC 10.0 - How to Customize Notification Templates for AC Workflow  
This how-to-guide explains how to set up the SAPconnect communication interface in your application server in order to send out email notifications triggered by workflow events in Access Control 10.0. This guide provides a comprehensive overview of workflow events that can trigger email notifications and notification variables used to populate the message bodies with information that is specific to each request. The guide also explains how the pre-delivered message bodies can be replaced by custom messages as well as how email reminders are set up.

AC 10.0 - Managing Custom Fields for Access & Role Management 
This document explains how to setup the required functionality for adding custom fields to access requests and roles maintained in GRC 10.0.

AC 10.0 - End User Personalization  
This how-to-guide explains the End User Personalization concept in Access Control 10.0 and the technical configuration to attain that functionality.

AC 10.0 - Performing Segregation of Duties Review 
This how-to-guide explains the Segregation of Duties Review concept and the technical configuration to attain that functionality.

Integration with Other Applications


GRC 10.0 Integration Guide:
SAP Access Control 10.0 Interface for Identity Management
These documents cover all the new web services for Access Control 10.0 and integration scenarios with IDM solutions. The main foundation for this integration is NetWeaver Identity Management 7.2.

With the release of GRC 10.0, Access Control and Process Control are offered as an integrated solution, both at the data layer and at the user interface layer. This new unified platform enables increased harmonization of key master data. Organization, process and control structures can now be shared across components of Access Control and Process Control, which supports a more integrated approach to governance, risk, and compliance. Access risks identified in Access Control can be mitigated using controls managed by Process Control, as an example. This document details methods for harmonizing data across Access Control and Process Control.

Access Control 5.3

SAP GRC Access Control 5.3  
SAP GRC Solutions for Access Control handle sustainable prevention of segregation-of-duties (SoD) violations.

SAP GRC AC 10.1 - Enhancements

Source: http://scn.sap.com/community/grc/blog/2013/10/26/sap-grc-ac-101--enhancements?goback=%2Enmp_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1#%21

GRC consultants might be curious to read about the new features that came with GRC AC 10.1. So here is a glimpse of some key enhancements, and their configuration, that have been incorporated in SAP GRC AC 10.1.


The look and feel of GRC Access Control 10.1 is almost the same as in version 10, except for a few additional options that SAP has included based on customer feedback. The new changes predominantly focus on HANA integration, access requests, rule set creation and an enhanced remediation process.

1. Disable link functionality in attachments and links:

This option lets the customer enable or disable the link functionality in access requests.
In the access request, the 'Add File' and 'Add Link' options are enabled by default (see below):

We can use the "Disable 'Add Link'" configuration option of the GRC access request to switch the 'Add Link' functionality off.

Disable the link:

Link disabled (see below):

2. New HANA Database connection type

GRC AC 10.1 provides a new connection type - HDB (HANA Database).

GRC can be integrated with HANA, or I would say instead of Oracle, GRC AC 10.1 can use HANA as the database to store master data. GRC can even do user management for a HANA system similar to any other SAP system. With HANA, GRC can be used for analytics and can provide analytical reports on roles and users.

If you are using the SAP HANA database, make sure that the plug-in "SAP GRC 10.1 Plug-In SAP HANA" is installed.

3. Maintain Firefighter ID role name per connector

GRC AC 10.1 comes with a new feature to maintain the Firefighter ID role name per system/connector. Instead of maintaining the SPM role in a configuration parameter, we can use the new option to map the FF ID role per connector.
4. Organization rule creation wizard

Sometimes clients use dummy controls or deactivate some risks to avoid false positives. GRC AC 10.1 brings an excellent feature to create organizational rules using a wizard to avoid false positives. You can create an org rule using this wizard and can also download it and upload it in another system. No need to bother about the org fields or values you will use to create the org rule; GRC AC 10.1 guides you all the way.

To create an organizational rule you can use the option below under IMG, or the option available in NWBC.

IMG - SPRO:

Later on we can download and upload the organizational rule using the "Additional rule upload and download" option.

NWBC:
   
5. Configure attributes for role search criteria in access requests

I feel this feature gives the most benefit to end users who raise CUP requests on a daily basis.
While raising a CUP request, the requester has to search for roles based on business process, functional area or some other role attributes. Some of the key search criteria are visible straight away, but others the requester has to add manually.

Now with this new feature we can customize the search criteria screen and make only the important search criteria visible in the request, so that the requester can fill in the details and search for the roles.

We can even set default values for those criteria.

Role search screen

IMG (SPRO) customization

The search criteria changed as per the customization done in the above screen.

6. Simplified Access Request

Simplified Access Request is one more excellent feature that benefits requesters who frequently do the following:

   1. Assign a role to a user
   2. Remove a role from a user
   3. Extend the validity of an existing role

With this option users do not have to fill in all the fields that normally appear in a regular access request. The simplified access request form asks for the least information needed to perform the activity.

See below the Simplified Access Request screen:

Review and Submit: this button is used to review the request for risks and submit it for approval
Save Draft: you can save the access request and review and submit it later
Open in Advanced Mode: open the request in the normal access request screen
Reset: reset the fields
Risk Analysis: run a risk analysis on the roles selected for provisioning; it can even suggest mitigation.

This is an excellent feature which gives us a detailed risk analysis report (risk/role view) and even provides an option to mitigate the risk before submitting the request.

System added roles: brings out the default roles or mapped roles added by the system itself, if any.
This screen is built on UI5 and can be customized using the four options below:

We can customize the display sections (User details, Request details and Customer info (not visible by default)).

Field levels can also be customized.

We can also define a set of request reasons which can be seen and selected during request creation to save time and effort.
There is no separate workflow configuration for simplified access requests. They follow the same MSMP configuration maintained for normal access requests. The created request can be seen under "Work Inbox - Simplified" in NWBC as well as among the normal work inbox requests, and it uses the same number range. So the processing of a simplified access request is the same; only the request submission screen is different.

My Inbox:
To check simplified access requests (see below)

7. Risk analysis on SU01 attributes

Sometimes the business wants to perform risk analysis on SU01 attributes of users, e.g. function, department, parameters etc. GRC AC 10 does have this functionality, but at most we can do risk analysis on the user group level only.

In GRC AC 10.1, with this new enhanced feature we can now create a custom group based on SU01 attributes as shown below and perform risk analysis on the users that carry those attributes.

GRC AC 10.1 is integrated with some key attributes of SU01, which we can use as selection criteria to perform risk analysis.

Following are the attributes available:

Enter some attributes, search the users and perform the risk analysis.

We can save it as well so that the same selection can be used later.

8. Remediation View

This is one of the best features and would be very much appreciated by the business.

The main task, or I would say pain, starts after implementing GRC AC: making all users SOD free, i.e. clean. For this we have to download the user level detailed report and then analyze the root cause to see whether we can remediate or mitigate to be clean. The business spends a lot of time analyzing the report and deciding on the solution.
Now GRC AC 10.1 has come up with a remediation view report where the business itself can analyze all aspects of a risk, which also helps the business take the decision to be clean. This will save the business a lot of time and can effectively guide it to a decision to be SOD clean.

GRC AC 10.0 had a technical and a business view of risk analysis. Now GRC AC 10.1 has come up with a new view called "Remediation View".

Risk Analysis report:

This remediation view report provides us a lot of options to remediate the risk then and there.
We can mitigate the user at risk and rule level from this screen itself. See below:

Or else we can remove the role by selecting the remove role option. See below:
One of the greatest features of GRC AC 10.1 comes into action when you choose remove role from the remediation view screen: a Change Account access request automatically gets created for removal of the role from the user. See below:

That means we can initiate remediation (removing a role) or mitigation (assigning a control) for a user from this screen. No need to download the report and then analyze it to take a decision.

This view also provides all sorts of detailed information on user, role and risk. To get the information, click the user, risk, rule or role (all bold text). See below:

Note: GRC AC 10.1 runs smoothly on IE 9 and Chrome. New features like Remediation View and Simplified Access Request mandatorily need IE 9 or Chrome. Remediation View will run in SAP Access Risk Analysis only when an SAP NetWeaver Gateway connection is established. Please configure SAP NetWeaver Gateway as per the GRC AC 10.1 installation guide "ACPCRM_10-1_INSTALL".