How-To Integrate Access Control

5.3 and Business Warehouse 7.0

Applies to:
SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Business Warehouse 7.0

Summary
This technical how-to document explains how to successfully integrate Access Control into Business
Warehouse, and contains the necessary prerequisites and step-by-step instructions to connect the two
solutions to be able to receive Access Control data in Business Warehouse.

Author(s): GRC Regional Implementation Group

Company: Governance, Risk and Compliance
SAP BusinessObjects Division
Created on: 02 April 2009
Updated on: 29 March 2010

Version 2.0

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2010 SAP AG
Document History
Document Version Description

1.00 First official release of this guide

2.00 Update

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2010 SAP AG
Typographic Conventions Icons
Type Style Description Icon Description

Example Text Words or characters quoted Caution

from the screen. These
Note or Important
include field names, screen
titles, pushbuttons labels, Example
menu names, menu paths,
Recommendation or Tip
and menu options.
Cross-references to other
documentation
Example text Emphasized words or
phrases in body text, graphic
titles, and table titles
Example text File and directory names and
their paths, messages,
names of variables and
parameters, source text, and
names of installation,
upgrade and database tools.
Example text User entry texts. These are
words or characters that you
enter in the system exactly as
they appear in the
documentation.
<Example Variable user entry. Angle
text> brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 or ENTER.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2010 SAP AG
Table of Contents

1. Business Scenario ..........................................................................................................2

2. Background Information .................................................................................................2

3. Prerequisites....................................................................................................................2

4. Step-by-Step Configuration Procedure ..........................................................................4

4.1 Create Connectivity between Access Control and Business Warehouse System .......4
4.2 Prepare Business Warehouse System ....................................................................10
4.3 Business Warehouse Content Activation .................................................................11
4.4 Post activation tasks ...............................................................................................22
4.4.1 Access Control 5.3 SP06, SP07 and Higher ................................................22
4.4.2 Missing Program Variants ...........................................................................22
4.4.3 Potential Timestamp Extract Issues ............................................................22
4.5 Extraction Process ..................................................................................................22

5. Known Issues ................................................................................................................23

6. Appendix........................................................................................................................ 25

7. Copyright .......................................................................................................................26
1. Business Scenario
The integration of Access Control (AC) and Business Warehouse (BW) solutions meets the following
objectives:
You can access and use the data from your AC system to fit into your enterprise reporting
structure of BW
If there is a demand for more reporting functionality than the delivered features in Access
Control, you can use BW to create reports using your AC data

2. Background Information
This is an overview of the step-by-step configuration provided in this document:
Check all prerequisites
Prepare your systems
Configure your AC 5.3 NetWeaver Application Server Java system
Apply SAP note(s) to your BW system
Create a Universal Data Connect (UDC) from your BW system to your AC system
Install BW Content
Activate the AC specific BW Content in your BW system
After activation perform adjustments specific to your release (details in section 4)
Load data from the AC database into your BW system via UDC
If the system is successfully configured, you will be able to use standard reports and create new
reports in BW using the data from your AC system.

This guide will only focus on the steps necessary to configure the integration. For general
documentation on BW configuration and reporting refer to Business Process Expert (BPX) or Service
Marketplace (SMP) websites.

3. Prerequisites
Before you start, the following prerequisites must be met:
This software release or higher must be installed on the BW system:

Apply SAP note 1229136 before proceeding with the next action.
Create UDC to source system (your AC system) in workbench (RSA1) before BW Content is
installed
Ensure this BW Content version or higher is installed:
Obtain the following before the configuration:
Logon details for a Service user in the BW system to be accessible from your AC system
System details of BW system (host name, gateway, system number, client)
Access to an administrator’s user ID with authorization to:
o Visual Administrator on the AC system
o Execute transactions SM59 and RSA1 on BW system
JDBC driver of your database (JAR file)
Ensure that a new source system activation on EXISTING BW content 704 SP1 (or higher)
installation does not corrupt the already delivered DTP entries in RSBKDTP by following these
steps.
Check to see if the correct number of DTP entries are present in table RSBKDTP against
the newly added source system.
Perform this check by adding a new source system to BW, then check that the RSBKDTP
table has the correct number of entries for the new system:
o For AC Compliant User Provisioning (CUP): 158
o For AC Risk Analysis and Remediation (RAR): 109
4. Step-by-Step Configuration Procedure
This section presents the configuration steps, it is important to read the prerequisites and background
information before you begin.

4.1 Create Connectivity between Access Control and

Business Warehouse System
These steps should be followed in the order presented to enable the AC Application Server Java to
communicate with the BW system.
Use the UDC Guide mentioned in the Appendix for more details on the steps.
...

1. Start J2EE Visual Administrator in the AC system.

2. Goto Services -> Server0 -> “JCo RFC Provider”.
3. Create a new RFC destination as shown in the screenshot using the system details of your BW
system.
Note that the Program ID is freely defined but needs to match with the Program ID specified in
the RFC destination in the BW system in step 4.

4. Create a TCP/IP RFC destination via transaction SM59 in the BW system

a. Make sure you enable the Unicode setting.

b. Test the connection.
5. Go back to the Visual Administrator, then go to Services -> Server0 -> “JDBC Connector”.

6. Add the freely-defined driver name.

7. Choose the JAR file provided by your database vendor.
 8. Go to Services -> Server0 -> “Connector Container”.

9. Select “COM.SAP.IP.BI.SDK.DAC.CONNECTOR.JDBC”.
10. Click on “Resource Adapter” and create an entry under “Loader References” with “library:<driver
name from step 6>”.
11. Click on the “Managed Connection Factory” tab and then “Properties”.

12. Enter values for (these values are specific for each DB vendor):
a. “DriverName” (The java class driver name)
b. “URL” (URL to your DB including port)
c. “UserName” (DB user)
d. “Password” (DB password)
13. Click on “Save” icon.
14. Test your settings with http://<AC Hostname>:<J2EE Port>/TestJDBC_Web/TestJDBCPage.jsp.

After you click “Select Connection” and choose any one DB table you will see a result page:
4.2 Prepare Business Warehouse System
Before you activate BW content, the following steps must be taken to prepare the BW system.
Read the SAP notes in Appendix B.
...

1. Make sure that the prerequisites for Support Package (SP) levels, as mentioned in the
prerequisites section above, are met by the BW system.
2. Apply SAP note 1229136.
3. Go into the workbench of the BW system via transaction RSA1 to create a connector.
o Click on “Modeling” -> “Source Systems” -> “UD Connect”
o Right click on UDC and choose “New”
o Choose the RFC destination you have created earlier
o Define a logical system name such as the system ID of your AC system
o Select “JDBC” for “Type of Connector”
o Select “SDK_JDBC” for “Name of Connector” (This standard name is defined by the J2EE
engine)
o Select “SDK_JDBC” for “Source System Name” (This standard name is defined by the J2EE
engine)
o Select “GAC000” for “Type and Release” (This name is defined by the BW Content)

4. Install SAP BW Content 7.04 SP1 or higher.

4.3 Business Warehouse Content Activation
Read the SAP notes referenced in Appendix B.
This section presents the steps involved to active BW content.
...

1. Go to transaction RSA1 to enter the Data Warehousing Workbench.

2. Click on “BI Content”.
3. Select your AC system under “General” and the entry under “Self-def’d”.

4. Install the InfoObject Catalog ‘0GRC_AE*’ with Grouping “Only Necessary Objects” and
ignore any warnings. (“Grouping” / “Install” are selected via drop-down top of right window)

5. Select the InfoProviders associated with InfoAreas ‘0GAE_MD’ and ‘0GRC_AE’ with Grouping
“In Flow Before”.
6. Ignore the message: “Object name is mandatory, specify name on Extraction tab”; this is just a
warning. After you ignore this message, rerun the activation using “Install”.
You may need to run the activation multiple times because of the dependencies of objects.
7. Install Process Chains ‘0GAE*’ with Grouping “Only Necessary Objects”.
8. Verify via transaction RSPC if process chains show up as selected in step 7.

9. Install Role ‘SAP_BW_GRC_AE_ROLE’ and all Queries ‘0GAE*’ under the ‘0GAE*’
InfoProviders with Grouping “Only Necessary Objects”.
10. Add characters via transaction RSKC. This will add valid characters to BW. Instead of the
individual characters, we now specify “ALL_CAPITAL” as follows and execute.
11. Install InfoObject Catalogs ‘0GCC_*’ for activation, and click ‘Install’ with Grouping “Only
Necessary Objects”.
12. Install the 3.x InfoSource ‘80GCC_URP’ for activation, then click ‘Install’ with Grouping “Only
Necessary Objects”.

13. Install InfoProviders associated with InfoAreas ‘0GCC_*’ with Grouping “in flow before”.
Deselect all objects that are not depended on RAR source system objects before clicking
“Install”. To deselect those objects:
a. Search for ‘0GCC_MUSR’
b. Right-click the “InfoObject” node from the sub tree and click on “Do not install any below”
c. Repeat step a and b for ‘0GCC_USER’
14. Ignore this message and click the “Continue" icon.

15. Install Process Chains ‘GCC*’ with Grouping “Only Necessary Objects”.

16. Install Role ‘SAP_BW_GRC_CC_ROLE’ and all Queries ‘0GCC*’ under the ‘0GCC*’
InfoProvider.
4.4 Post activation tasks

4.4.1 Access Control 5.3 SP06, SP07 and Higher

If you are using AC 5.3 SP06 or higher, then you need to apply SAP note “1319973 - Synchronizing BI
Content with GRC-AC SP database changes” and follow the steps provided in the note.

4.4.2 Missing Program Variants

This is a manual correction where simple steps are followed to create variants for delivered programs
which are referenced in the delivered process chains. These variants are potentially missing prior to BI
Content 7.04 SP06. Please follow the instructions from SAP note 1410480.

4.4.3 Potential Timestamp Extract Issues

Follow instructions from note 518241 if extracts yield the following error(s):
S:RSSDK:300 Cannot convert a value of '1970-01-01 18:53:10.0' from type
java.lang.String to TIME at field UPDTIME (or RUNTIME)
S:RSSDK:300 Query execution failed: [-3050] (at 316): Invalid timestamp format:ISO
The note needs to be completely followed to fix above experienced errors which includes:
This note applies to UD Connect as well as DB Connect
Section ‘Example with a DATE field‘ in the note should be followed to create a view of the
related DataSource table in the RAR system (this is the only solution to date)
The DataSource needs to be updated to refer to the new view
Transformation and DTPs associated with the DataSource may need to be reactivated
The following DataSource/RAR Table combinations have experienced this problem on various
systems but the problem could occur anywhere the type timestamp (TIMS) is used in the RAR table:
0GCC_CRACTVL/VIRSA_CC_CRACTVL
0GCC_RISK_ATTR/VIRSA_CC_RISK
0GCC_ACTUSAGE/VIRSA_CC_ACTUSAGE
0GCC_PRMVL_USER_VIOLS/VIRSA_CC_PRMVL

4.5 Extraction Process

When activating the RAR Process Chains, it may be necessary to run the install step several times
because the interdependency between the chains can sometimes cause the activation to fail during
the chain activation process. This can be monitored in transaction RSPC – “Process Chain
Maintenance”.

Process Chain Activation with Function TOUPPER:

To avoid errors according to lower case letters processed during the process chain activation, please
use function TOUPPER to activate the process chains. (See Appendix A for function documentation)
Execute CUP Process chains in the following sequential order:
...

1. ’0GAE_MD’
2. ’0GAE_TEXT’
3. ’0GAE_ARCH_TO_CUBE’
4. ’0GAE_TRANSACTION’ (See “Known Issues” section for possible errors)
5. ’0GAE_TRANSACTION_AR’
 6. ’0GAE_ANALYTICAL_GENERAL’
Execute RAR Process chains in following sequential order:
1. ’GCC_INITIAL_FULL_LOAD_704’
This step is run only one time for initial setup, and may take a full day or longer to complete
depending on the volume of existing data.
2. ’GCC_INITIALIZE_DELTA’ (Check Section “Known Issues” for possible errors)
This is the recurring job that will run as often as you schedule it, such as daily or weekly, and
contains the delta processing.
This job also contains the full master data loads. Therefore reporting should not be performed
until after the ‘GCC_INITIAL_FULL_LOAD_704’ chain is run and the first run of the
‘GCC_INITIALIZE_DELTA’ chain is done.
For BW job scheduling, refer to the standard BW documentation.

5. Known Issues
In some cases, these known issues could appear (issues could also apply to other objects)
Please refer to the referenced SAP notes in section Appendix B.
Make sure AC source system and BW system have languages in sync
Timestamp issues while extracting using UD Connect as per note 518241
Missing program variants as per note 1410480
Following InfoObjects had to be changed to accept lowercase characters:
 o ’0GAE_RLPRN’
o ’0GCC_ACT’
Customers have identified objects which contain only ‘#’ or ‘!’ character in long text. This is
addressed in note 1319978
6. Appendix
Appendix A –Other Reference Documentation
How to Configure UD Connect on the J2EE Server for External Databases (NW2004):
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/58f4db47-0501-0010-a2bf-
ff01b150fdff
Documentation of the delivered BI Content for Access Control:
http://help.sap.com/saphelp_nw70/helpdata/en/f5/ff3eae25a44667800d781670eec16e/frameset.htm
BI Content 7.04 SP05:
http://help.sap.com/saphelp_nw70/helpdata/en/c3/32da2fa4164b8fb93ea3ea1865b5f9/frameset.htm
BW function TOUPPER :
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7e/031f8304dd11d2801d00c04fadbf76/frameset.
htm

Appendix B –SAP Notes

Note Description

1243085 Available Documentation for GRC Access Control

1229136 70SP19: Incorrect shadow DTP during release upgrade

1319973 Synchronizing BI Content with GRC-AC SP database changes

1319977 Invalid language extraction from GRC-AC RAR sources
1319978 Permitted, Lowercase and Invalid Characters in GRC-AC Cont

1009497 UD Connect: How to update JDBC driver

1260280 GRC AC BI Content 7.04 SP01 Release Notes Documentation
1260279 GRC AC BI Content 7.03 SP10 Release Notes Documentation
1410480 Variants missing for RAR delta deletion programs
518241 DB Connect in BW for an external Oracle database
7. Copyright
© 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,
xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner,
WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or
registered tradem arks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered tradem ark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well
as their respective logos are tradem arks or registered trademarks of SAP AG in Germany and in several other countries all over
the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in
this docum ent serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies
("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those
that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.
These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages
that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within
these materials. SAP has no control over the information that you may access through the use of hot links contained in these
materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party
web pages.
Any software coding and/or code lines/strings (“Code”) included in this documentation are only exam ples and are not intended
to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing
rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be
liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or
grossly negligent.