
Security Guide: SAP BusinessObjects Process Control 3.0 / Risk Management 3.0

Target Audience: System administrators, Technology consultants

PUBLIC
Document version: 1.30
2011-03-10

Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document. You can find the latest version on the SAP Service Marketplace at: http://service.sap.com/securityguide. The guide is located under SAP BusinessObjects. The following table provides an overview of the most important document changes.

Version | Date | Description
1.00 | 2009-04-22 | Final.
1.10 | 2009-09-21 | Changes to wording for clarity. Technical content is not changed.
1.20 | 2010-08-17 | Updated section 5.1 Authorizations Overview per SAP Note 1488787.
1.30 | 2011-03-10 | Updated section 5.4.2 Maintaining Application Role Authorizations to clarify that CHANGE/ORGUNIT/*/ROLES is for FN objects and CHANGE/ORGUNIT/*/ROLES_PC is for Process Control objects.

2/60

PUBLIC

2011-03-10

Table of Contents

Chapter 1 Introduction 5
Chapter 2 Before You Start 7
Chapter 3 Technical System Landscape 9
Chapter 4 Network and Communication Security 11
4.1 Communication Channel Security 11
4.2 Communication Destinations 11
4.3 Integration with Single Sign-On Environments 14
4.4 Data Storage Security 14
4.5 User Administration 15
4.6 Trace and Log Files 16
4.7 Configuring NW VSI in the Landscape 16
Chapter 5 Application Security 17
5.1 Authorizations Overview 18
5.1.1 Maintaining Authorizations (Risk Management) 19
5.1.2 Maintaining Authorizations (Process Control) 20
5.2 First-Level and Second-Level Authorizations 22
5.2.1 Configuring Second-Level Authorizations 24
5.3 Delivered Roles 25
5.3.1 SAP Standard Roles 25
5.3.2 Application Roles (Process Control) 28
5.3.3 Application Roles (Risk Management) 30
5.3.4 Authorization Objects 30
5.3.5 Portal Roles 31
5.3.6 Automated Rule Roles (Process Control) 32
5.3.7 BusinessObjects Enterprise XI Roles 32
5.4 Maintaining Application Roles 33
5.4.1 Authorization Object Element Relationships 35
5.4.2 Maintaining Application Role Authorizations 37
5.5 Configuring New Compliance Initiatives (Process Control) 39
5.6 Reporting Authorizations 41
5.7 Workflow Recipient 41
5.7.1 Maintaining Workflow Recipient Rules 42
5.8 Ticket Based Authorizations 44
5.9 Standard Authorization Objects Relevant to Security 45
Chapter 6 Appendix 47
6.1 Delivered Workflow Recipient BC Set (Process Control) 47
6.2 Business Events 49
6.3 Authorization Object Elements 51
6.3.1 Activity 51
6.3.2 Entities 51
6.3.3 Subentities 53
6.3.4 Dataparts 55

1 Introduction

SAP BusinessObjects Process Control is an enterprise software solution for internal controls management. It enables organizations to document their control environment, test and assess controls, track issues to remediation, and certify and report on the state and quality of internal controls. Using a combination of data forms, automated workflows, certification, and interactive reports, this solution enables members of internal control, audit, and business process teams to effectively manage compliance activities.

SAP BusinessObjects Risk Management enables companies to proactively identify and mitigate risk across lines of business, reduce the impact of risk events, and increase the success rate of their strategic objectives. The solution provides continuous monitoring of key risk indicators and control effectiveness, and aligns risks with corporate strategy and performance objectives to deliver risk-enabled management of strategy and performance.

The process control and risk management applications use the same security components. Therefore, the information in this guide is relevant to you if you implement only process control, only risk management, or both process control and risk management applications.

The security guide provides an overview of the application-relevant security information. You can use the information in this document to understand and implement system security, and to understand and implement the application security features.
NOTE

Unless explicitly stated, it is understood the information in this guide applies to both applications.
NOTE

For information about the changes to security from Process Control 2.5 to Process Control 3.0, see the SAP BusinessObjects Process Control 3.0 Upgrade Guide.
CAUTION

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
Target Audience

The security guide is written for the following audience, and requires existing knowledge of the SAP security model and of the PFCG, SU01, and IMG tools:
- Technology consultants
- System administrators

About this Document

This Security Guide covers two main security areas:

Network and system security
This area covers the system security issues and addresses them in the following sections:
- Technical System Landscape
- Network and Communication Security
- Communication Channel Security
- Communication Destinations
- Integration with Single Sign-on (SSO) Environments
- Data Storage Security
- User Administration
- Trace and Log Files

Application Security
This area covers the following application security information for the process control and risk management applications:
- Authorizations Overview
- First and Second Level Authorizations
- Delivered Roles
- Maintaining Application Roles
- Configuring New Compliance Initiatives
- Reporting Authorizations
- Workflow Agent Determination
- Ticket Based Authorizations
- Standard Authorization Objects Relevant to Security

2 Before You Start

The process control and risk management applications use SAP NetWeaver, SAP NetWeaver Portal, and SAP NetWeaver Business Warehouse. Therefore, the corresponding security guides and other documentation also apply.

Guide | Location
SAP NetWeaver ABAP Security Guide | service.sap.com/securityguide
SAP NetWeaver Business Warehouse Security Guide | service.sap.com/securityguide
Important SAP Notes

These SAP Notes contain the most recent information about the applications, as well as corrections to the documentation. Make sure that you have the up-to-date version of each SAP Note, which you can find on SAP Service Marketplace at http://service.sap.com/notes. For a complete list of important SAP Notes for the process control application, see the SAP BusinessObjects Process Control 3.0 Master Guide at https://service.sap.com/instguides -> Business Objects -> SAP Solutions for GRC -> SAP GRC Process Control -> SAP GRC Process Control 3.0. For a complete list of important SAP Notes for the risk management application, see the SAP BusinessObjects Risk Management 3.0 Master Guide at https://service.sap.com/instguides -> Business Objects -> SAP Solutions for GRC -> SAP GRC Risk Management -> SAP GRC Risk Management 3.0.
Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content | Quick Link on the SAP Service Marketplace
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
Network security | service.sap.com/network, service.sap.com/securityguide
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager

3 Technical System Landscape

For information about the technical system landscape for the process control application, see the SAP BusinessObjects Process Control 3.0 Master Guide at https://service.sap.com/instguides -> SAP Business Objects -> SAP Solutions for GRC -> SAP GRC Process Control -> SAP GRC Process Control 3.0. For information about the technical system landscape for the risk management application, see the SAP BusinessObjects Risk Management 3.0 Master Guide at https://service.sap.com/instguides -> SAP Business Objects -> SAP Solutions for GRC -> SAP GRC Risk Management -> SAP GRC Risk Management 3.0.

4 Network and Communication Security

The network topology for process control and risk management is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to process control and risk management. You can use the information in this section to understand and implement the network and communication security for the process control and risk management applications. For more information, see the following sections in the SAP NetWeaver Security Guide in the SAP Library:
- Network and Communication Security
- Security Aspects for Connectivity and Interoperability

4.1 Communication Channel Security


The following table contains the communication paths used by the process control and risk management applications, the connection protocol, and the transferred data type:

Communication Path | Protocol | Type of Data Transferred | Data Requiring Special Protection
SAP NetWeaver ABAP server using SAP GUI | DIAG | All application data | Logon data
SAP NetWeaver Portal | HTTP/HTTPS | All application data | Logon data
DS Extraction (application server to BI system) | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application server | HTTP/HTTPS | All application data | Logon data
BusinessObjects Enterprise Server | TCP/IP | All application data | Logon data

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL) protocol.
More Information

- Transport Layer Security in the SAP NetWeaver Security Guide
- Using the Secure Sockets Layer Protocol with SAP NetWeaver Application Server ABAP on the SAP Help Portal

4.2 Communication Destinations


The information in this section applies to both process control and risk management applications.

For information about BusinessObjects Enterprise Server, see the Integration for SAP Solutions Install and Admin Guide at https://service.sap.com/instguides -> SAP Business Objects -> Business Objects XI 3.1. For more information about non-SAP applications, see solutions provided by SAP partners such as Greenlight Technologies.
Process Control

The table below lists the required connection types and authorizations for the process control application to communicate with other SAP components:

Destination: Process Control to SAP ERP / RTA (Required)
Type: RFC
Comments: This is only required if you plan to use automated controls. This also depends on the SAP module authorization for the user. The RFC user requires the following authorizations for setting up the Process Control rule script and scheduling background jobs in ERP:
- RFC access (S_RFC: 16; *; FUGR)
- Transaction Start (S_TCODE: SE37, SM37, SM59, SU53)
- System Authorizations (S_ADMI_FCD: STOR)
- Background Administrator (S_BTCH_ADM: Y)
- Operations on Background Jobs (S_BTCH_JOB: RELE, JOBGROUP)
- ABAP Workbench (S_DEVELOP: 03, *, *, *, *)
Grant additional authorizations accordingly to the RFC user to execute controls to retrieve ERP application-specific data. For more information, see your system administrator and the SAP NetWeaver Security Guide.

Destination: Process Control to SAP ERP / Standard Control (Required)
Type: RFC
Comments: This is only required if your organization plans to use the automated control functionality. This also depends on the SAP module authorization for the user. The RFC user requires the following authorizations for setting up the Process Control rule script and scheduling background jobs in ERP:
- RFC access (S_RFC: 16; *; FUGR)
- Transaction Start (S_TCODE: SE37, SM37, SM59, SU53)
- System Authorizations (S_ADMI_FCD: STOR)
- Background Administrator (S_BTCH_ADM: Y)
- Operations on Background Jobs (S_BTCH_JOB: RELE, JOBGROUP)
- ABAP Workbench (S_DEVELOP: 03, *, *, *, *)
Grant additional authorizations accordingly to the RFC user to execute controls to retrieve ERP application-specific data. For more information, see your system administrator and the SAP NetWeaver Security Guide.

Destination: SAP ABAP Query (Required)
Type: RFC
Comments: This is required for the Automated Controls Framework.

Destination: BI Query (Required)
Type: RFC
Comments: This is required for the Automated Controls Framework.

Destination: Risk Analysis and Remediation (RAR) Integration (Optional)
Type: RAR runs two Web services: the RAR Violated User Web Service and the RAR Risk Analysis Web Service. Each requires its own HTTP logical port.
Comments: The logical ports need to be assigned to the connector for RAR in IMG for the following: GRC Process Control -> Assessment and Test -> Automated Testing and Monitoring -> Risk Analysis and Remediation Integration -> Register connector for Web Service. We recommend you call and assign logical ports to the RAR connector. The following authorizations are required:
- RAR Violated User Web Service: The ABAP proxy class in Process Control is CO_GRPCVIRSA_CCSODVIOLATED_USE.
- RAR Risk Analysis Web Service: The ABAP proxy class in Process Control is CO_GRPCCCVIRSA_CCRISK_ANALYSIS.
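As an added illustration (not code from the guide or from SAP), the following Python script checks whether an RFC user's granted authorization values cover the minimum list above and flags wildcard grants where the guide asks for a specific value only, which is the least-privilege review an administrator would want before handing the connection to Process Control. The mapping of the guide's shorthand onto authorization field names (S_RFC: 16; *; FUGR read as ACTVT, RFC_NAME, RFC_TYPE; S_BTCH_JOB: RELE, JOBGROUP read as JOBACTION=RELE with JOBGROUP unrestricted) is my reading of that shorthand, the wildcard matching is simplified, and the user data is constructed.

```python
"""Minimum-authorization check for the Process Control RFC user.

Added illustration, not SAP code. REQUIRED mirrors the list in the guide; the
field names are my reading of the guide's shorthand. SAMPLE_USER is constructed."""

# Authorization object -> field -> values the guide lists as required
REQUIRED = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"*"}, "RFC_TYPE": {"FUGR"}},
    "S_TCODE": {"TCD": {"SE37", "SM37", "SM59", "SU53"}},
    "S_ADMI_FCD": {"S_ADMI_FCD": {"STOR"}},
    "S_BTCH_ADM": {"BTCADMIN": {"Y"}},
    "S_BTCH_JOB": {"JOBACTION": {"RELE"}, "JOBGROUP": {"*"}},
    "S_DEVELOP": {"ACTVT": {"03"}, "DEVCLASS": {"*"}, "OBJTYPE": {"*"},
                  "OBJNAME": {"*"}, "P_GROUP": {"*"}},
}

# Constructed: what an administrator might read off the RFC user's profile
SAMPLE_USER = {
    "S_RFC": {"ACTVT": ["16"], "RFC_NAME": ["*"], "RFC_TYPE": ["FUGR"]},
    "S_TCODE": {"TCD": ["SE37", "SM37", "SU53"]},            # SM59 not granted
    "S_ADMI_FCD": {"S_ADMI_FCD": ["STOR"]},
    # S_BTCH_ADM missing entirely
    "S_BTCH_JOB": {"JOBACTION": ["RELE"], "JOBGROUP": ["*"]},
    "S_DEVELOP": {"ACTVT": ["*"], "DEVCLASS": ["*"], "OBJTYPE": ["*"],
                  "OBJNAME": ["*"], "P_GROUP": ["*"]},        # ACTVT wider than needed
}


def value_covers(granted, required):
    """Simplified SAP value matching: '*' covers everything, a trailing '*' is a prefix wildcard."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def check_rfc_user(granted, required=REQUIRED):
    """Compare a user's authorizations with the required minimum.

    Returns (missing, over_broad): required values no granted value covers, and
    fields granted '*' where the guide asks for specific values only."""
    missing, over_broad = [], []
    for obj, fields in required.items():
        for fld, values in fields.items():
            have = granted.get(obj, {}).get(fld, [])
            for val in sorted(values):
                if not any(value_covers(g, val) for g in have):
                    missing.append(f"{obj}/{fld}={val}")
            if "*" in have and "*" not in values:
                over_broad.append(f"{obj}/{fld}=* (required only {sorted(values)})")
    return missing, over_broad


if __name__ == "__main__":
    found_missing, found_broad = check_rfc_user(SAMPLE_USER)
    print("missing:", found_missing)
    print("over-broad:", found_broad)
```

Feed it the values read from the user's profile (SU01 or SUIM output) in the same dictionary shape; an empty `missing` list means the connection will work, and anything in `over_broad` is a candidate for tightening.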

Risk Management

The table below lists the required connection types and authorizations for the risk management application to communicate with other SAP components:

Destination: SAP ABAP Query (Required)
Type: RFC
Comments: This is required for the risk management Key Risk Indicator (KRI) framework.

Destination: BI Query (Required)
Type: RFC
Comments: This is required for the risk management KRI framework.

Destination: Risk Management to Business Suite (Required)
Type: RFC
Comments: This also depends on the SAP module authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.

Destination: Risk Management to SSM (Required)
Type: Web service
Comments: This also depends on the SAP module authorization for the user. For more information, see your system administrator and the SAP NetWeaver Security Guide.

4.3 Integration with Single Sign-On Environments


The information in this section applies to both the process control application and risk management application. The process control and risk management applications support the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver Application Server ABAP. The security recommendations and guidelines for user management and authentication described in the SAP NetWeaver Application Server Security Guide also apply to process control and risk management. The process control and risk management applications leverage the SAP NetWeaver ABAP Server and SAP NetWeaver Portal infrastructure, therefore they support the same SSO mechanisms.
Secure Network Communications (SNC)

For more information about SNC, see Secure Network Communications (SNC) in the SAP NetWeaver Application Server Security Guide.
SAP Logon Tickets

For more information about SAP Logon Tickets, see SAP Logon Tickets in the SAP NetWeaver Application Server Security Guide.
Client Certificates

For more information about X.509 Client Certificates, see Using X.509 Client Certificates on the SAP Help Portal (http://help.sap.com).

4.4 Data Storage Security


The information in this section applies to both the process control application and risk management application. Master data and transaction data is stored in the database of the SAP system on which the application is installed. Data storage occurs in Organizational Management, Case Management, and in separate tables for this purpose. In some applications, you can upload documents into the system. The default document management system for storing data is the SAP Content Server and Knowledge Provider (KPro) infrastructure. Once uploaded, the documents can be accessed using a URL. The application security functions govern authorization for accessing the URL directly in the portal. To prevent unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time (the default is two hours). If you choose to implement a different document management system (DMS), the data storage security issues are deferred to that particular DMS.
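As an added example of the user-bound, time-limited document URL described above (illustrative Python, not the KPro implementation or any SAP code), the following signs the document ID, the requesting user, and an expiry time with a server-side HMAC key, so a URL copied to another user or reused after expiry fails verification. The URL parameter names, the key, the base URL, and the user names are constructed for the example; the two-hour default is the value the guide states.

```python
"""User-bound, time-limited document URLs (illustrative, not KPro/SAP code).

A URL is signed over (document id, user, expiry) with a server-side HMAC key,
so copying it to another user or reusing it after expiry fails verification."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_TTL_SECONDS = 2 * 60 * 60  # two hours, the default validity the guide states

# Constructed demo key; a real deployment keeps this in the server's secure store
DEMO_KEY = b"constructed-demo-key"


def _signature(doc_id, user, expires, key):
    """HMAC-SHA256 over the three fields the URL binds together."""
    msg = f"{doc_id}|{user}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_document_url(base_url, doc_id, user, key=DEMO_KEY, now=None, ttl=DEFAULT_TTL_SECONDS):
    """Return a URL that only `user` can use until `now + ttl`.

    `now` is injectable so the behaviour can be tested deterministically."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    params = {"doc": doc_id, "user": user, "exp": expires,
              "sig": _signature(doc_id, user, expires, key)}
    return f"{base_url}?{urlencode(params)}"


def validate_document_url(url, requesting_user, key=DEMO_KEY, now=None):
    """Return (True, doc_id) if the URL is intact, for this user, and unexpired;
    otherwise (False, reason). The signature is checked before anything else so
    a tampered user or expiry field is rejected as a forgery."""
    now = int(time.time()) if now is None else int(now)
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        doc_id, user, expires, sig = query["doc"], query["user"], int(query["exp"]), query["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(_signature(doc_id, user, expires, key), sig):
        return False, "bad signature"
    if user != requesting_user:
        return False, "wrong user"
    if now >= expires:
        return False, "expired"
    return True, doc_id


if __name__ == "__main__":
    link = make_document_url("https://portal.example.invalid/doc", "DOC-1", "ALICE", now=1_000_000)
    print(link)
    print(validate_document_url(link, "ALICE", now=1_000_100))
    print(validate_document_url(link, "BOB", now=1_000_100))
```

The requesting user comes from the authenticated portal session, never from the URL itself; the `user` parameter in the URL only exists so the signature can bind the link to that session's identity.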

4.5 User Administration


The application user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the password concept.
User Types

You use user types to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The following user types are required for the process control and risk management applications:
- Dialog users: Required for logging on to the SAP GUI and Web Dynpro.
- Communication users:
  - Required for executing Automated Controls. (Process control application only)
  - Required for KRI value extractions. (Risk management application only)
  - Required for the RFC connection to the BI system. This is a user on the target system. Configure this user according to the security requirements of the target system.
  - Required for RTAs. (Process control application only) This is a user on the target system. Configure this user according to the security requirements of the target system.
  - A communication user (WF-BATCH) is required to run the workflow infrastructure.
User Administration Tools

The applications use SAP NetWeaver Application Server ABAP user and role maintenance. The following lists the tools available to manage users:

Tool | Detailed Description
Transaction SU01 | Use SU01 for ABAP user management: create and update users and assign authorizations.
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance and creating authorization profiles.
Customizing | Use transaction SPRO to open Customizing. You can use Customizing to configure and maintain the application.
SAP NetWeaver Portal | This is the application front end. Most users only access the application through the portal.

For more information, see Customizing for GRC Process Control and for GRC Risk Management.

4.6 Trace and Log Files


For information about trace and log files for the process control and risk management applications, see the SAP BusinessObjects Process Control 3.0 and Risk Management 3.0 Operations Guide at https://service.sap.com/instguides -> SAP Business Objects -> SAP Solutions for GRC -> SAP GRC Process Control -> SAP GRC Process Control 3.0. You can also find the guide under SAP GRC Risk Management 3.0.

4.7 Configuring NW VSI in the Landscape


The process control and risk management applications provide the ability to upload documents. We recommend you scan all documents for potential malicious code before you upload them. You can use the NetWeaver Virus Scan Interface (NW VSI) to scan the documents. For more information, see SAP Virus Scan Interface in the SAP NetWeaver Library.

5 Application Security

The information in this section applies to both the process control application and risk management application. This section explains the application authorizations model and concepts. The process control and risk management applications leverage the standard SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal user management and authorization. The security information for SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal also applies. For information about these components, see the SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal security guides.
Prerequisites

You have knowledge of the following tools, terms, and concepts:
- ABAP Application Server: IMG, PFCG, SU01
- Portal: User Administration, Content Administration, Portal Roles, Worksets (Process Control only)
- Application Specific Terms and Concepts: Multiple Compliance Framework (Process Control only), Business User, Regulations/Policy (Process Control only)

For more information about process control concepts and features, see the SAP BusinessObjects Process Control 3.0 Application Help at http://help.sap.com/bu. Under Governance, Risk and Compliance, click SAP GRC Process Control -> SAP GRC Process Control 3.0. For more information about risk management concepts and features, see the SAP BusinessObjects Risk Management 3.0 Application Help at http://help.sap.com/bu. Under Governance, Risk and Compliance, click SAP GRC Risk Management -> SAP GRC Risk Management 3.0.

5.1 Authorizations Overview


Role Authorizations

Process Control and Risk Management leverage the SAP NetWeaver authorization model and assign authorizations to users based on roles:
- SAP standard roles (PFCG basic roles) provide the standard authorizations for the NetWeaver ABAP Server.
- Application roles (PFCG model roles) refine the standard role authorizations and define a user's detailed authorizations.
- Portal roles provide user authorizations for the SAP NetWeaver Portal.

The following figure illustrates the application elements and the roles responsible for authorization:

Figure 1: Application elements and the role type that determines access

Item | Description | Access Determined by Role Type
1 | Navigation Menu | Portal role
2 | Work Set | Portal role
3 | Work Center | Portal role
4 | Menu Group | Application role
5 | Menu Item | Application role

You can customize the specific menu items in the IMG. In Process Control Customizing, click GRC Process Control -> General Settings -> Maintain Customer-Specific Menus. In Risk Management Customizing, click GRC Risk Management -> General Settings -> Maintain Customer-Specific Menus.
EXAMPLE

This is an example for Process Control. The example illustrates the following: The delivered roles, SOX Internal Control Manager and SOX Process Owner, have similar portal role authorizations. This means they have similar work sets and work centers. Their application role authorizations are different. The SOX Internal Control Manager role has authorizations to view the Evaluation Setup Planner menu group, whereas the SOX Process Owner role does not.
EXAMPLE

This is an example for Risk Management. It illustrates the following: The Central Risk Manager can only access the Risk Assessment Reports and Surveys work sets. The Risk Owner role can additionally access the Response and Enhancement Plans, Incident Management, and Scenario Management work sets.
Entity-Level Authorizations

All the application entities are structured in hierarchy, providing top-down authorizations. Roles and entities at a higher entity level have greater authorizations to perform tasks and greater access to the application than roles at a lower entity level. The hierarchy also affects task assignments, work flows, and business event processing. The following figure illustrates the Process Control and Risk Management entity hierarchies:

Figure 2: Process Control and Risk Management entity hierarchies

Both applications share the corporate and organization objects. For Risk Management, activity is optional.

5.1.1 Maintaining Authorizations (Risk Management)


The following is the procedure to define users, roles, and assign them to the risk management authorization objects:

Figure 3: Maintaining authorizations (Risk Management)

1. In Customizing, define the roles, such as risk owner, activity owner, and so on.
2. In Customizing, assign the roles to the GRC entities, such as organization.
3. In the user interface, assign the users to the entity-assigned roles.
4. In Customizing, maintain the agent determination rules.

5.1.2 Maintaining Authorizations (Process Control)


The figure lists the procedure to maintain authorizations for the process control application:

Figure 4: Maintaining authorizations (Process Control)

1. Define PFCG roles. You can create your own PFCG roles or use the delivered application roles for Process Control. For more information, see Application Roles (Process Control).
2. Maintain first and second level authorization.
   1. In the Process Control Customizing activities, select Authorizations -> Maintain Authorization Customizing. The Authorization Customizing Maintenance screen appears.
   2. Maintain the authorization levels as needed and save your work.
   For more information, see First and Second Level Authorizations.
3. Assign relevant PFCG roles to Process Control entities. In this activity, you bind the PFCG roles to specific Process Control entities.
   1. In the Process Control Customizing activities, select Authorizations -> Maintain Entity Role Assignments. The Relevant Roles for GRC Authorization screen appears.
   2. Maintain the Entity ID and Roles as needed.
   3. Save your work.
4. Define regulations. You configure new regulations in the Configure Compliance Initiatives Customizing activity. You can create your own or use the sample regulations. For more information, see Configuring New Compliance Initiatives.
5. Assign PFCG roles to regulation entities. You assign the PFCG relevant roles (created in Step 1 and configured in Step 3) to specific regulations (created in Step 4) in the Maintain Regulation Role Assignment Customizing activity.
   1. Open the Maintain Regulation Role Assignment Customizing activity. The Relevant Roles for GRC Authorization table appears.
   2. Maintain the Entity ID, Role, and assignments as needed.
   3. Save your work.
6. You configure the agent (or recipient) of a workflow task in the Maintain Roles to Receive Task in Workflow Customizing activity. For more information, see Workflow Recipient.
7. Maintain the portal workset for regulations. For more information, see Configuring New Compliance Initiatives.
8. Add the portal worksets (created in Step 7) to the portal roles. You can use the delivered sample portal roles or create your own. For more information, see the following: Configuring New Compliance Initiatives; Portal Roles.
9. In the Process Control user interface, you assign users to PFCG roles (created and configured in Steps 1 through 9). For more information, see the SAP BusinessObjects Process Control 3.0 Application Help.

5.2 First-Level and Second-Level Authorizations


The information in this section applies to both the process control application and risk management application. The authorization-level configuration flag determines the approach that is used to perform user-role assignments. The default application authorization is First Level Authorization. You can choose to enable Second Level Authorization in the IMG. For more information, see Configuring Second-Level Authorizations.
First-Level Authorizations

When first-level authorization is active, the pool of users assigned to the Business User role (SAP_GRC_FN_BUSINESS_USER) is the set of users available for any entity-user-role assignment. Once a user is assigned to an entity-user-role, the user assigned to the specific entity inherits the authorizations associated with the corresponding application role, as configured in PFCG.
EXAMPLE

The figure illustrates that all users are included in the pool of potential users for the subprocess owner and control owner roles.

Figure 5: First Level Authorization

Authorizations | Entity Data Assignments | Delegation
Business user role assignment. For all general users, this assignment is mandatory to access the application. | User assignment restricted to business users. | Any business user can be a delegate and inherit data and authorizations.

Second-Level Authorizations

In second-level authorization, the pool of users available for a given entity-user-role assignment is restricted to only those users who have that specific application role assigned to their user profile. This allows the pool of business users to be segmented into different entity-user-role groups.
EXAMPLE

The following figure illustrates that, in Process Control, you can define that only users assigned to the Subprocess Owner application role can be considered for subprocess entity-user-role assignments. Similarly, in the risk management application, you can define that only users assigned to the Opportunity Owner application role can be considered for opportunity entity-user-role assignments.

Figure 6: Second-Level Authorization

Authorizations | Entity Data Assignments | Delegation
Business user role assignment. Application role assignment is required. | User assignment restricted to users assigned to application roles. | Any business user can be a delegate and inherit data and authorizations.

5.2.1 Configuring Second-Level Authorizations


To enable and disable Second-Level Authorizations, do the following:
1. Open the IMG:
   - For Process Control, click GRC Process Control > Authorizations > Maintain Authorization Customizing.
   - For Risk Management, click GRC Risk Management > General Settings > Maintain Authorization Customizing.
   The Authorization Customizing Maintenance screen appears.

Figure 7:

2. Configure the Second Level Authorization.
NOTE

This setting is shared by both the process control and risk management applications. Therefore, if you are implementing both applications, maintaining the setting for one application affects both. This is a global setting and affects all application roles for your application. Second-Level Authorizations affect only entity-user-role assignments made while the flag is active. Users with entity-user-role assignments maintained before Second-Level Authorizations were enabled may lose the authorization to perform certain activities in the application if they do not have the appropriate entity user-roles assigned. In this case, you must assign the additional authorizations to the specific users.
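The following added example (not SAP's code) models how the eligible user pool differs between first-level and second-level authorization, and implements the check a practitioner wants before switching the flag on: which existing entity-user-role assignments would stop carrying authorization, and which PFCG roles each affected user is missing. The users, entity IDs and Z_* application role names are constructed sample data; SAP_GRC_FN_BUSINESS_USER is the delivered role named in this guide.

```python
"""Added example, not SAP's code: eligible user pool under first-level vs
second-level authorization, plus a pre-enablement check of existing
entity-user-role assignments. All users, entities and Z_* roles below are
constructed sample data."""
from dataclasses import dataclass, field

# Delivered standard role named in the guide; a prerequisite in both modes.
BUSINESS_USER = "SAP_GRC_FN_BUSINESS_USER"


@dataclass
class User:
    uid: str
    pfcg_roles: set = field(default_factory=set)   # roles in the user's profile


@dataclass(frozen=True)
class EntityAssignment:
    entity_id: str    # a subprocess or control (constructed IDs below)
    app_role: str     # PFCG application role bound to that entity type
    uid: str


def eligible_pool(users, app_role, second_level):
    """Users that may be picked for an entity-user-role assignment.

    First level: every user holding SAP_GRC_FN_BUSINESS_USER.
    Second level: additionally, the specific application role must be in the
    user's profile, which segments the business-user pool per role."""
    pool = {u.uid for u in users if BUSINESS_USER in u.pfcg_roles}
    if second_level:
        pool = {u.uid for u in users
                if u.uid in pool and app_role in u.pfcg_roles}
    return pool


def assignments_losing_authorization(assignments, users):
    """Existing assignments whose user falls outside the second-level pool.

    This is the situation the NOTE above describes: assignments made before
    the flag was enabled no longer confer the role's authorization."""
    return [a for a in assignments
            if a.uid not in eligible_pool(users, a.app_role, second_level=True)]


def missing_roles(assignments, users):
    """Per user, the PFCG roles to add so that every one of that user's
    existing assignments is valid under second-level authorization."""
    by_uid = {u.uid: u for u in users}
    needed = {}
    for a in assignments_losing_authorization(assignments, users):
        have = by_uid[a.uid].pfcg_roles if a.uid in by_uid else set()
        needed.setdefault(a.uid, set()).update({BUSINESS_USER, a.app_role} - have)
    return needed


# Constructed sample data (not from the guide).
USERS = [
    User("alice", {BUSINESS_USER, "Z_SOX_SUBPROCESS_OWNER"}),
    User("bob", {BUSINESS_USER}),                # business user, no application role
    User("carol", {"Z_SOX_CONTROL_OWNER"}),      # never received the business user role
]
ASSIGNMENTS = [
    EntityAssignment("SP-0100", "Z_SOX_SUBPROCESS_OWNER", "alice"),
    EntityAssignment("SP-0100", "Z_SOX_SUBPROCESS_OWNER", "bob"),
    EntityAssignment("CTRL-0007", "Z_SOX_CONTROL_OWNER", "carol"),
]

if __name__ == "__main__":
    print("first level pool :", sorted(eligible_pool(USERS, "Z_SOX_SUBPROCESS_OWNER", False)))
    print("second level pool:", sorted(eligible_pool(USERS, "Z_SOX_SUBPROCESS_OWNER", True)))
    for a in assignments_losing_authorization(ASSIGNMENTS, USERS):
        print("at risk:", a)
    print("roles to add:", missing_roles(ASSIGNMENTS, USERS))
```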

5.3 Delivered Roles


The process control and risk management applications use the following role types:
- SAP standard roles
- Application roles
- Portal roles
- Automated rule roles (Process Control only)
Automated rule roles grant the technical authority to perform SAP NetWeaver ABAP Server job execution, such as submitting jobs and retrieving job results data from the connected ERP system for automated jobs.

5.3.1 SAP Standard Roles


Process Control and Risk Management use the following delivered standard roles:

SAP_GRC_FN_BASE (Process Control, Risk Management)
This technical role is required for all users to access the application.

SAP_GRC_FN_BUSINESS_USER (Process Control, Risk Management)
This is the default role assigned to all users. You must assign additional entity-level authorizations to users to enable them to perform activities and act on objects in the application. The role can only access the application through the portal.
NOTE
Users who set up master data need to be assigned additional rights to perform uploads using program GRPCB_UPLOAD.

SAP_GRC_FN_ALL (Process Control, Risk Management)
This is the power user role. The role can access both the front end and back end. It does not use entity-level security and therefore bypasses the authorizations from the SAP_GRC_FN_BUSINESS_USER role. In addition, it includes the following authorizations:
- Administration functions in Process Control and Risk Management Customizing
- Structure setup in expert mode
- Data upload for structure setup
RECOMMENDATION
This role provides extensive access. For security purposes, we recommend that you only use the role in emergencies, including troubleshooting role and task issues. The role does not contain the authorizations for customizing workflows, case management, or Web services activation. For these authorizations in Process Control, use SAP_GRC_SPC_CUSTOMIZING. For these authorizations in Risk Management, use SAP_GRC_RM_CUSTOMIZING.

SAP_GRC_SPC_CUSTOMIZING (Process Control)
This role can access the SAP NetWeaver ABAP Server. It contains all necessary authorizations for Customizing settings in the application. This includes authorization objects for the following:
- SAP BusinessObjects GRC Process Control Customizing
- Workflow
- Case management
- RFC connections
- Shared objects monitor
- Client comparison with Customizing Cross-system Viewer
- Job scheduling
- E-mail notification settings
- Web service activation
NOTE
You may be required to record all your changes in a Customizing request. Review the client settings in transaction SCC4 and make sure that a request is available to you, or that you are authorized to create one.
NOTE
This role does not have authorizations to perform the following tasks:
- Activating and creating BAdI implementations
- SAP NetWeaver Business Intelligence integration
- Remote logon to configure the RFC connections

SAP_GRC_RM_CUSTOMIZING (Risk Management)
This role can access the SAP NetWeaver ABAP Server. It contains all necessary authorizations for Customizing settings in the application. This includes authorization objects for the following:
- SAP BusinessObjects GRC Risk Management Customizing
- Workflow
- Case management
- RFC connections
- Shared objects monitor
- Client comparison with Customizing Cross-system Viewer
- Job scheduling
- E-mail notification settings
- Web service activation
NOTE
You may be required to record all your changes in a Customizing request. Review the client settings in transaction SCC4 and make sure that a request is available to you, or that you are authorized to create one.
NOTE
This role does not have authorizations to perform the following tasks:
- Activating and creating BAdI implementations
- SAP NetWeaver Business Intelligence integration
- Remote logon to configure the RFC connections

SAP_GRC_FN_DISPLAY (Process Control, Risk Management)
This role can access the SAP NetWeaver ABAP Server. It contains the display authorizations for Customizing and entity-level authorizations.
RECOMMENDATION
Assign this role to external auditors if you want to give them display access throughout the application. This role bypasses the SAP_GRC_FN_BUSINESS_USER role to grant display authorizations in the back end. If you want more control over what is displayed, use SAP_GRC_FN_BUSINESS_USER instead.

SAP_GRC_SPC_SCHEDULER (Process Control)
This role grants the authority to perform background job execution.

SAP_GRC_SPC_SETUP (Process Control)
This role grants the authority for system setup and installation.

PFCG Basic Role Authorization Object

GRFN_USER
This authorization object is used to separate business users and power users, and controls the access to perform your own or central delegation. It has only the Activity element.

5.3.2 Application Roles (Process Control)


The information in this section applies only to the process control application. The delivered application roles are examples. You can use them as is, copy them, or create your own.
Global Compliance Office Application Roles

The following are the delivered application roles for the global compliance office work set:

Role | Entity Level | Assigned by | Portal Role
Global Organization Admin | Corporate | System Admin | GRC Process Control - Global
Global Organization Owner | Organization | Global Organization Admin | GRC Process Control - All
Global Process and Control Admin | Corporate | System Admin | GRC Process Control - Global
Global Regulation and Policy Admin | Corporate | System Admin | GRC Process Control - All
Global Question and Survey Admin | Corporate | System Admin | GRC Process Control - Global
Global Test Plan Admin | Corporate | System Admin | GRC Process Control - Global
Global Automated Rules Customizing Admin | Corporate | System Admin | GRC Process Control - Global
Global CEO/CFO | Corporate | Global Organization Admin | GRC Process Control - Global
Global Internal Auditor | Corporate | Global Organization Admin | GRC Process Control - All

The delivered Global application roles have the following attributes:
- They are assigned to the Global work set.
- They are assigned through the Global User Access work center.
- They require the following standard roles: SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.


SOX Regulation Application Roles

The following are the delivered application roles for the SOX regulation work set:

Role | Entity Level | Assigned by
SOX Internal Control Manager | Corporate | Global Regulation/Policy Admin
SOX Process Owner | Process | SOX Internal Control Manager
SOX Subprocess Owner | Subprocess | SOX Internal Control Manager
SOX Control Owner | Control | SOX Internal Control Manager
SOX Tester | Process | SOX Internal Control Manager
SOX Organization Tester | Organization | SOX Internal Control Manager
SOX Automated Rule Specialist | Corporate | SOX Internal Control Manager
SOX Certification and Sign-Off Admin | Corporate | SOX Internal Control Manager

The delivered SOX application roles have the following attributes:
- They are assigned to the SOX work set.
- They are assigned by the SOX Internal Control Manager.
- They are assigned through the SOX User Access work center.
- They require the following standard roles: SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
- They require the portal role GRC Process Control - SOX.
FDA Regulation Application Roles

The following are the delivered application roles for the FDA regulation work set:

Role | Entity Level | Assigned by
FDA Internal Control Manager | Corporate | Global Regulation/Policy Admin
FDA Process Owner | Process | FDA Internal Control Manager
FDA Subprocess Owner | Subprocess | FDA Internal Control Manager
FDA Control Owner | Control | FDA Internal Control Manager
FDA Tester | Process | FDA Internal Control Manager
FDA Organization Tester | Organization | FDA Internal Control Manager
FDA Automated Rule Specialist | Corporate | FDA Internal Control Manager
FDA CAPA Plan Approver | Corporate | FDA Internal Control Manager
FDA CAPA Execution Approver | Corporate | FDA Internal Control Manager

The delivered FDA application roles have the following attributes:
- They are assigned to the FDA work set.
- They are assigned by the FDA Internal Control Manager.
- They are assigned through the FDA User Access work center.
- They require the following standard roles: SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
- They require the portal role GRC Process Control - FDA.

5.3.3 Application Roles (Risk Management)


The information in this section applies only to the risk management application. The delivered application roles are example roles. You can use them as is, copy them, or create your own.

Role | Entity Level | Assigned by
Activity Owner | Activity, Corporate | Unit Risk Manager
Central Risk Manager | Corporate, Organization | Power User
CEO/CFO | Corporate, Organization | Central Risk Manager
Enhancement Plan Owner | Enhancement Plan | Response Owner
Incident Editor | Incident | Unit Risk Manager
Internal Auditor | Corporate, Organization | Central Risk Manager
Opportunity Owner | Opportunity? | Unit Risk Manager
Organization Owner | Corporate, Organization | Central Risk Manager
Response Owner | Response Plan | Risk Owner
Risk Owner | Risk | Unit Risk Manager
System Administrator | Corporate | Central Risk Manager
Unit Risk Manager | Corporate, Organization | Central Risk Manager

The risk management application roles have the following attributes:
- They are assigned through the User Access work set.
- They require the following standard roles: SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
- They require the portal role GRC Risk Management.

5.3.4 Authorization Objects


The application roles are composed of the following authorization objects:

GRFN_API
This is the most utilized authorization object. It controls access to the master data objects and drives the user authorizations for the business entities. It includes the following elements: activity, entity, subentity, and datapart.

GRFN_REP
This authorization object controls the access to retrieve data for reports. It has the elements Activity and Report Name.

For more information about the possible element values, see Authorization Object Elements in the Appendix.

5.3.5 Portal Roles


This section provides information about the delivered portal roles for the process control and risk management applications. The delivered portal roles are sample portal roles. You can use them as delivered, copy them, or create your own. For information about the BOE portal roles, see the BusinessObjects Enterprise XI 3.1 Publisher's Guide and BusinessObjects XI Integration for SAP Installation Guide.
Process Control Portal Roles

These are the delivered portal roles for process control:

Role | Work Sets | Comments
GRC_Process_Control_All | All work sets | We recommend the portal role be assigned to these delivered application roles: Global Organization Owner, Global Regulation & Policy Admin, Global Internal Auditor.
GRC_Process_Control_Global | My Home, Global Compliance Office | We recommend the portal role be assigned to these delivered application roles: Global Organization Admin, Global Process & Control Admin, Global Question & Survey Admin, Global Test Plan Admin, Global CEO/CFO, Global Automated Controls Customizing Admin.
GRC_Process_Control_SOX | My Home, SOX | This portal role can be assigned to all the delivered SOX application roles. For more information, see Application Roles (Process Control).
GRC_Process_Control_FDA | My Home, FDA | This portal role can be assigned to all the delivered FDA application roles. For more information, see Application Roles (Process Control).

Risk Management Portal Roles

The risk management application has one delivered portal role: COM.SAP.GRC.RM.Role_All (GRC Risk Management). The risk management application has only one work set.

5.3.6 Automated Rule Roles (Process Control)


The information in this section applies only to the process control application. It covers the role authorizations required for the Automated Rules Framework:

Global Automated Rule Administrator
The user with this role can perform the automated control master data setup (such as Rule, Rule Script, Rule Criteria, OLSP, and Ad Hoc Query). Assign the user the SAP_GRC_FN_BUSINESS_USER PFCG standard role.

SOX/FDA Automated Rule Specialist
The user with this role can create and submit the jobs, and can view the job status, but has no authorization to view the job results. The role can perform control-rule assignments, schedule jobs, and view job and event logs. Assign the user the SAP_GRC_FN_BUSINESS_USER and SAP_GRC_SPC_SCHEDULER standard roles.

SOX/FDA Internal Control Manager/Process Owner/Subprocess Owner/Control Owner
These users can access the Job Monitor and Event Queue Log to view the results. This role needs the PFCG standard role SAP_GRC_FN_BUSINESS_USER assigned.

Z_GRPC_CONN
This role is not delivered; you must create it. Assign the role to the connector for automated control testing and monitoring. Assign the role to users and application roles that require authorization to view the job results of automated control testing and monitoring. The user can only view results for the specific connector. The role uses the authorization object GRPC_CONN.

5.3.7 BusinessObjects Enterprise XI Roles


The process control and risk management applications integrate with BusinessObjects Enterprise XI (BOE) for Crystal Reports functionality. BOE has the following role requirements:

SAP Standard Roles
These roles are delivered and can be used for BOE administration.

Role ID | Application | Description
SAP_GRC_SPC_CRYSTAL_ROLE | Process Control | This role is required for creating and modifying Crystal Reports for process control, and installing and publishing Crystal Reports to the BOE Server.
SAP_GRC_RM_CRYSTAL_ROLE | Risk Management | This role is required for creating and modifying Crystal Reports for risk management, and installing and publishing Crystal Reports to the BOE Server.

Application Roles
This role is not delivered because it is not in the SAP namespace. You must create this role and assign it to users to enable them to view the Crystal Reports. Start the name of the role with a Z, such as Z_Reports. Assign it the following:

Object | Description
ZSSI | Reporting authorization object class
ZSEGREPORT | Reporting authorization object

BOE Portal Role
The Crystal Admin Role portal role is delivered. It provides administrators access to Crystal Report administration functions on the portal. This role is required for Crystal administrators to update the SAP Server location for Crystal Reports after they are published to the BOE server. For more information about the BOE roles, see the BusinessObjects Enterprise XI 3.1 Publisher's Guide and BusinessObjects XI Integration for SAP Installation Guide.

5.4 Maintaining Application Roles


The following procedure covers maintaining application roles in transaction PFCG.

Copy an existing role and modify the attributes as needed.

1. Log on to the NetWeaver ABAP server and call up transaction PFCG. The Role Maintenance screen appears.
2. Select an existing role, and click Copy All.
3. Update the role description.
   NOTE
   Start the role name with a Z. Do not start the name with SAP; it is reserved.
4. On the Authorization tab, customize the authorization objects. For more information, see Authorization Object Element Relationships and Maintaining Application Role Authorizations.

Create a completely new application role.

1. Log on to the NetWeaver ABAP server and call up transaction PFCG. The Role Maintenance screen appears.
2. Input the name of the new role.
   NOTE
   Start the role name with a Z. Do not start the name with SAP; it is reserved.
3. Click Single Role. The Enter role attributes screen appears. Input your user name and the package of the role. Input the package as GRPC_CUSTOMIZING and save it in package $TMP (saving it as a local object). You can use your own package. Click the green check mark to confirm. The Create Roles screen appears.
4. Input the description of the new role and click the save button.
5. Click the Authorizations tab, and click Change Authorization Data. The Change role: Authorizations screen appears.
6. Click Do not select templates, then click Manually.
7. Input the authorization object (GRFN_API, GRFN_USER, or GRFN_REP) and click the green check mark to confirm.

Figure 8:

8. Expand the authorization object and update the authorization object elements as needed. For a list of the delivered authorization object elements, see Authorization Object Elements. For a list of the possible value combinations, see Authorization Object Element Relationships. For guidelines and notes on customizing the authorization object elements, see Maintaining Application Role Authorizations.
9. Click Save and generate the profile.
   NOTE
   You must generate the profile to set the role with authorization control.

For Risk Management:
1. Assign roles to the GRC entities, such as organization.
2. Maintain custom agent determination (workflow recipient) rules.

For Process Control:
1. Define compliance initiatives, such as SOX.
2. Assign roles to compliance initiatives.
3. Maintain the workflow recipient rules for the roles.
4. Maintain portal work sets and add work sets to portal roles.
5. Assign users to the roles assigned to entities.


5.4.1 Authorization Object Element Relationships


The following table lists the possible values and relationships for the authorization object elements. Keep the following information in mind when customizing the role authorizations:

Entity | Subentity | DATAPART | Possible Activity
ACC_GROUP | Not applicable | DATA | create/change/delete/display
COBJECTIVE | Not applicable | DATA | create/change/delete/display
CONTROL | Not applicable | CDATA | create/change/delete/display
CONTROL | Not applicable | DATA | create/change/delete/display
CONTROL | Not applicable | RISK | create/change/delete/display
CONTROL | Not applicable | RULE | create/change/delete/display
CONTROL | Not applicable | TDATA | create/change/delete/display
CRGROUP | Not applicable | Not applicable | change/display
CRISK | Not applicable | Not applicable | change/display
ECONTROL | Not applicable | DATA | change/display
ECONTROL | Not applicable | TDATA | change/display
EVENT | Not applicable | Not applicable | display
EVENT_D | Not applicable | Not applicable | display
EXEC | Not applicable | Not applicable | display
JOBLOG | Not applicable | Not applicable | display
JOBRESULT | Not applicable | Not applicable | display
OLSP | Not applicable | DATA | create/change/delete/display
ORGUNIT | Not applicable | DATA | create/change/delete/display
ORGUNIT | Not applicable | ECONTROL | create/change/delete/display
ORGUNIT | Not applicable | INSCOPE | create/change/delete/display
ORGUNIT | Not applicable | RISK_ASSESSMENT | create/change/delete/display
ORGUNIT | Not applicable | ROLES | create/change/delete/display
ORGUNIT | Not applicable | ROLES_PC | create/change/delete/display
ORGUNIT | Not applicable | ROLES_RM | create/change/delete/display
ORGUNIT | Not applicable | SIGNOFF | create/change/delete/display
ORGUNIT | Not applicable | SUBPROCESS | create/change/delete/display
SUBPROCESS | Not applicable | COR_GLOB | change/display
SUBPROCESS | Not applicable | COR_ORG | change/display
SUBPROCESS | Not applicable | DATA | change/display
SUBPROCESS | Not applicable | INSCOPE | change/display
XCONTROL | Not applicable | DATA | create/change/delete/display
XCONTROL | Not applicable | TDATA | create/change/delete/display
XECONTROL | Not applicable | DATA | create/change/delete/display
XECONTROL | Not applicable | TDATA | create/change/delete/display
G_AS | CD | Not applicable | display
G_AS | CE | Not applicable | display
G_AS | CR | Not applicable | display
G_AS | MCOU | Not applicable | display
G_AS | PD | Not applicable | display
G_AS | RISK | Not applicable | display
G_CP | CE | Not applicable | display
G_CP | CO | Not applicable | display
G_CP | MO | Not applicable | display
G_CP | TE | Not applicable | display
G_IS | CD | Not applicable | display
G_IS | CE | Not applicable | display
G_IS | CO | Not applicable | display
G_IS | MCOU | Not applicable | display
G_IS | MO | Not applicable | display
G_IS | MTOU | Not applicable | display
G_IS | PD | Not applicable | display
G_IS | TE | Not applicable | display
G_PL | CD | Not applicable | display
G_PL | CE | Not applicable | display
G_PL | CO | Not applicable | display
G_PL | MCOU | Not applicable | display
G_PL | MO | Not applicable | display
G_PL | MTOU | Not applicable | display
G_PL | PD | Not applicable | display
G_PL | TE | Not applicable | display
G_TL | CO | Not applicable | display
G_TL | MO | Not applicable | display
G_TL | MTOU | Not applicable | display
G_TL | TE | Not applicable | display
PLANNER | PERF-AOD | Not applicable | create/change/delete/display
PLANNER | PERF-CDASS | Not applicable | create/change/delete/display
PLANNER | PERF-CEASS | Not applicable | create/change/delete/display
PLANNER | PERF-CRISK | Not applicable | create/change/delete/display
PLANNER | PERF-ETEST | Not applicable | create/change/delete/display
PLANNER | PERF-MCAOU | Not applicable | create/change/delete/display
PLANNER | PERF-PDASS | Not applicable | create/change/delete/display
PLANNER | PERF-RISK | Not applicable | create/change/delete/display
PLANNER | PERF-SOFOU | Not applicable | create/change/delete/display
PLANNER | PERF-TEST | Not applicable | create/change/delete/display
PROCESS | Not applicable | DATA | change/display
REG_GROUP | Not applicable | DATA | change/display
REG_REQ | Not applicable | DATA | change/display
REGULATION | Not applicable | DATA | change/display
RISK | Not applicable | DATA | change/display
RULCR | Not applicable | DATA | change/display
RULE | Not applicable | DATA | change/display
SAPQUERY | Not applicable | DATA | change/display
SCRIPT | Not applicable | DATA | change/display
SIGNOFF | Not applicable | Not applicable | display
SRV_QUESTION | Not applicable | DATA | create/change/delete/display
SUBPROCESS | Not applicable | DATA | change/display
SURVEY | Not applicable | DATA | create/change/delete/display
TESTPLAN | Not applicable | DATA | create/change/delete/display
XECGROUP | Not applicable | DATA | create/change/delete/display
XPROCESS | Not applicable | DATA | create/change/delete/display
XSUBPROCESS | Not applicable | DATA | create/change/delete/display

Notes on the ORGUNIT role dataparts:
- ROLES: If you choose the activity change, such that the combination is ORGUNIT/*/ROLES/CHANGE, you must assign the authorization to a corporate role.
- ROLES_PC: If you choose the activity change, such that the combination is ORGUNIT/*/ROLES/CHANGE, you must assign the authorization to a corporate or organization role.
- ROLES_RM: If you choose the activity change, such that the combination is ORGUNIT/*/ROLES/CHANGE, you must assign the authorization to a corporate or organization role.

5.4.2 Maintaining Application Role Authorizations


These are guidelines for maintaining the authorization data for the application roles:
- When Activity is Change, you must enter a value for Datapart. When Activity is a value other than Change, enter an asterisk (*) for Datapart.
- For all entities, use the Datapart DATA for the general attributes, which do not belong to any other Datapart.
- If the Entity does not have a subentity, input an asterisk (*) for the subentity value.
- Activity/Change includes the Activity/Display authorization. Therefore, if you have authorization to change the test attributes of a local control, you automatically have the authorization to display the local control and all its attributes.
- CREATE/ENTITY includes authorizations for CHANGE/DATA. CREATE/ENTITY also covers the CHANGE/DATA authority of child objects within the same entity. This authorization logic applies only to the entities that can be self-nested. For example, you are assigned a role that contains the CHANGE/ORGUNIT authority. With this authorization you can create organizations and maintain the general data of child organizations.
  In PC 3.0, the entities that can be self-nested are:
  - XPROCESS (central process)
  - XECGROUP (central indirect entity-level control group)
  - ACC_GROUP (account group)
  - CRGROUP (central risk group)
  - REG_GROUP (regulation group)
- For the assignment and un-assignment behavior, you configure the authorization object GRFN_API with the PFCG combination Activity/Entity/Subentity/Datapart as Create/child entity/*/* and Delete/child entity/*/*. For example, Create/CRISK/*/*. There are exceptions to this principle:
  - Assignment of roles to FN objects: CHANGE/ORGUNIT/*/ROLES
    NOTE
    The entities are the entities you maintained for each role in the tables GRFNRELROLES and GRFNRELROLESREG. You can view the components for the entities in table GRFNENTITY.
  - Assignment of roles to Process Control (PC) objects: CHANGE/ORGUNIT/*/ROLES_PC
    NOTE
    The entities are the entities you maintained for each role in the tables GRFNRELROLES and GRFNRELROLESREG. You can view the components for the entities in table GRFNENTITY.
  - Assignment of indirect entity-level controls to organization: CHANGE/ORGUNIT/*/ECONTROL
  - Assignment of subprocess to organization: CHANGE/ORGUNIT/*/SUBPROCESS
  - Assignment of risk to local control: CHANGE/CONTROL/*/RISK
  - Assignment of rule to local control: CHANGE/CONTROL/*/RULE
  - Assignment of test plan to local control: CHANGE/XCONTROL/*/TESTPLAN
  - Assignment of test plan to central indirect entity-level control: CHANGE/XECONTROL/*/TESTPLAN
  - Assignment of global control to subprocess, control objective, and risk: CHANGE/SUBPROCESS/*/COR_GLOB
  - Assignment of referenced control to subprocess, control objective, and risk: CHANGE/SUBPROCESS/*/COR_ORG
- Activity/Delete gives you the following options for providing the authorization to delete the entity:
  - Delete the entity with the Delete or Remove button.
  - Delete the entity by setting the Valid To date to earlier than the current date. This sets the object past its validity date, and it is deleted.
  - Use the Remove button to un-assign the entity from its parent entity.

You must include the following permissions for each process control application role you create:

Entity | Subentity | Activity | Datapart
REGULATION | * | DISPLAY | *
REG_GROUP | * | DISPLAY | *
REG_REQ | * | DISPLAY | *
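The following added example (not SAP's code) turns the guidelines above into a small evaluator for GRFN_API lines: wildcard matching on Activity/Entity/Subentity/Datapart, CHANGE implying DISPLAY, CREATE on an entity implying CHANGE of its DATA part, and a lint pass that flags Datapart mistakes and the three mandatory DISPLAY authorizations. It does not model child-object nesting for self-nested entities; the Z_SOX_CONTROL_OWNER role content is constructed sample data, not a delivered role.

```python
"""Added example, not SAP's code: evaluator and lint for GRFN_API lines
following the maintenance guidelines in this section. Role content below is
constructed sample data; self-nested child objects are not modelled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    """One GRFN_API line as maintained in PFCG (Activity/Entity/Subentity/Datapart)."""
    activity: str            # CREATE / CHANGE / DELETE / DISPLAY
    entity: str              # e.g. ORGUNIT, CONTROL, REGULATION
    subentity: str = "*"
    datapart: str = "*"


# DISPLAY permissions the guide requires in every process control application role.
MANDATORY_PC_AUTHS = (
    Auth("DISPLAY", "REGULATION"),
    Auth("DISPLAY", "REG_GROUP"),
    Auth("DISPLAY", "REG_REQ"),
)


def _match(pattern, value):
    # '*' in the role line matches any requested value; otherwise exact.
    return pattern == "*" or pattern == value


def _grants(auth, activity, entity, subentity, datapart):
    return (_match(auth.activity, activity) and _match(auth.entity, entity)
            and _match(auth.subentity, subentity)
            and _match(auth.datapart, datapart))


def _equivalents(activity, datapart):
    """(activity, datapart) pairs that satisfy the request by implication."""
    alts = [(activity, datapart)]
    if activity == "DISPLAY":                  # Activity/Change includes Display
        alts.append(("CHANGE", datapart))
    if datapart == "DATA" and any(a == "CHANGE" for a, _ in alts):
        alts.append(("CREATE", "*"))           # CREATE/ENTITY includes CHANGE/DATA
    return alts


def is_authorized(auths, activity, entity, subentity="*", datapart="*"):
    """True if the role's lines grant the requested combination."""
    return any(_grants(a, act, entity, subentity, dp)
               for a in auths
               for act, dp in _equivalents(activity, datapart))


def lint_role(auths, mandatory=MANDATORY_PC_AUTHS):
    """Findings against the guide's maintenance rules; an empty list means clean."""
    findings = []
    for a in auths:
        if a.activity == "CHANGE" and a.datapart == "*":
            findings.append(f"{a}: CHANGE needs an explicit Datapart")
        if a.activity != "CHANGE" and a.datapart != "*":
            findings.append(f"{a}: Datapart must be * unless Activity is CHANGE")
    for m in mandatory:
        if not is_authorized(auths, m.activity, m.entity, m.subentity, m.datapart):
            findings.append(f"missing mandatory {m}")
    return findings


# Constructed role content for a hypothetical Z role (not a delivered one).
Z_SOX_CONTROL_OWNER = [
    Auth("CHANGE", "CONTROL", "*", "TDATA"),   # test attributes of local controls
    Auth("CREATE", "ORGUNIT"),                 # create organizations
    *MANDATORY_PC_AUTHS,
]

if __name__ == "__main__":
    print(is_authorized(Z_SOX_CONTROL_OWNER, "DISPLAY", "CONTROL", "*", "TDATA"))  # True
    print(is_authorized(Z_SOX_CONTROL_OWNER, "CHANGE", "ORGUNIT", "*", "DATA"))    # True
    print(lint_role(Z_SOX_CONTROL_OWNER))                                          # []
```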

5.5 Configuring New Compliance Initiatives (Process Control)


The process control application provides the multiple-compliance framework, which enables you to create and customize compliance initiatives as needed. This is the procedure for configuring new compliance initiatives:

Figure 9: Configure new compliance initiative in the IMG.

1.

Define the subtype that stores the regulation/policy-specific Organization attributes.

2011-03-10

PUBLIC

39/60

5 5.5

Application Security Configuring New Compliance Initiatives (Process Control)

2.

3.

4.

In the IMG, click GRC Process Control Multiple-Compliance Framework Define Subtype for Organization Attributes . Create a name for the compliance initiative, such as Oil and Gas: 1. In the IMG, click GRC Process Control Multiple-Compliance Framework Configure Compliance Initiative . 2. Click Define Regulation Configuration. 3. Create a new entry, or copy and modify an entry as needed. 4. Save your work. Define a new Regulation Type (if needed), and all associated configurations, such as account groups, CAPA, sign-off, and so on. The regulation type is a template. If an existing type meets your requirements, you can use it and do not have to create a new type. Map the compliance initiative to the regulation type: 1. Under Define Regulation Type, double-click Regulation Configuration Assignment. The Work Area Entry screen appears. 2. Click Work Area and select the regulation type. 3. Save your work.

Maintaining roles to receive tasks in workflow

In the IMG, click GRC Process Control > Authorizations > Maintain Roles to Receive Task in Workflow. Maintain the configuration as needed. For more information, see Workflow Recipient and Maintaining the Workflow Recipient Rules.

Creating portal work sets for the new compliance initiative

1. In the portal, click Content Administration > Portal Content.
2. Copy an existing model work set (either SOX or FDA) to a new work set.
3. Remove any work centers (such as Report Center) from the model work set that are not needed (if necessary).
4. For each work center, edit the Application Parameters setting in the property category Content Web Dynpro, and change the parameter to REGULATION = <Regulation Configuration>, where Regulation Configuration is the ID of the Regulation Configuration configured in the IMG.


Figure 10:

5. Add the new work center to the appropriate portal roles.
6. Assign the portal roles to the relevant users or user groups, as required.

5.6 Reporting Authorizations


The information in this section applies to both the process control application and risk management application. The process control and risk management applications use the BusinessObjects Enterprise XI (BOE) Crystal Reports functionality. To enable users to view reports within the applications, you must create a reporting role and assign it to the users. This role is not delivered because it is not in the SAP namespace. When you create the role, use the naming convention of starting the role name with a Z, such as Z_Reports. Assign it the following attributes:
Object       Description
ZSSI         Reporting authorization object class
ZSEGREPORT   Reporting authorization object

5.7 Workflow Recipient


The applications determine the agent (or recipient) of a workflow task based on the mapping of business events and roles. You can override the default configuration and maintain your own agent determination rule in the application IMG:


For the process control application, open the IMG and click GRC Process Control > Authorizations > Maintain roles to receive task in workflow. For the risk management application, open the IMG and click GRC Risk Management > Workflow Enabling > Maintain Custom Agent Determination Rules. In the Customized Business Events table, you configure rules for determining the recipient of a workflow task by customizing the business events, sort, roles, entities, and subentities.

5.7.1 Maintaining Workflow Recipient Rules


The following is an overview of maintaining the workflow recipient rules: The value of the sort number has no numerical significance. It is only for grouping. The following figure illustrates that the Perform Assessment business event for SOX Control Owner is in the same group as the SOX Subprocess Owner.

Figure 11:

The business event processing starts with the lowest entity-level role and proceeds upwards. In the following example, control owner is lower than subprocess owner in the entity-level hierarchy, therefore it is processed first.

Figure 12:

Entity and subentity are optional. You can leave them empty. You only need to include them in special cases to differentiate business events. In the following example, Perform Signoff and Perform AOD do not need entities or subentities because the task can only be performed in one way. Perform Assessment is differentiated so that the control owner performs the control design assessment (CD) and the subprocess owner performs the process design assessment (PD).


Figure 13:

For all business events (except for Incident_Validate and Master_Data_Change_Notify), the application processes the business events on the basis of first group found. In the following example, the application processes the first group found (Sort 1) for the Perf_Assessment business event and stops.

Figure 14:

The Incident_Validate business event is processed in serial for All Groups Found. The following example illustrates that the application first processes the sort 8 group, then the sort 9 group.

Figure 15:

The MasterData_Change_Notification business event is processed in parallel for All Groups Found. The following example illustrates that the notification is sent to the control owner, SOX internal control manager, and FDA internal control manager concurrently.

Figure 16:

You can specify a backup role to receive the workflow task by placing different roles in the same sort group with the same business event. The following example illustrates that, because the control owner role is lower in the entity hierarchy, it is processed first. However, if there is no user assigned to that role, the task is assigned to the subprocess owner.


Figure 17:

These business events must be configured as follows:
- 0PC_RECE_ISSUE: When the subentity is CO or MO, enter the entity as G_IS. For all other subentities, enter the entity as G_AS.
- 0PC_RECE_REM_PLAN: Enter the entity as G_IS (issue), the entity of the remediation plan creator.
- 0PC_PERF_SIGNOFF and 0PC_PERF_AOD: Enter the entity as ORGUNIT, not SIGNOFF.
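As an added illustration of the rule processing described in this section (not code from the guide or the application), the following Python evaluates a constructed Customized Business Events table: sort groups, lowest entity-level role first with backup within a group, first-found processing for most events, serial processing for Incident Validation and parallel processing for Master Data Change Notification. The entity-level order of the roles beyond control owner below subprocess owner, the user-to-role assignment and the Z_RM_* role names are assumptions made for the example.

```python
"""Workflow recipient determination as described in section 5.7.1.

Added illustration, not SAP code. A Rule is one row of the Customized
Business Events table. Constructed for the example: the entity-level order
of the roles (the guide only states control owner is below subprocess
owner), the user-to-role assignment, and the Z_RM_* role names.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence

@dataclass(frozen=True)
class Rule:
    event: str
    sort: int
    role: str
    entity: str = ""      # empty: not specified, matches any entity
    subentity: str = ""   # empty: not specified, matches any subentity

# Lowest entity-level role first (order beyond CTL_OWNER < SPR_OWNER assumed).
ENTITY_LEVEL = ["SAP_GRC_SPC_SOX_CTL_OWNER", "SAP_GRC_SPC_SOX_SPR_OWNER",
                "SAP_GRC_SPC_SOX_PRC_OWNER", "SAP_GRC_SPC_SOX_ICMAN",
                "SAP_GRC_SPC_FDA_ICMAN"]

# Events processed for all groups found (section 6.2); all others stop
# after the first group found.
SERIAL_ALL_GROUPS = {"0RM_INCIDENT_VALIDATE"}
PARALLEL_ALL_GROUPS = {"0FN_MDCHG_NTFY", "0FN_MDCHG_NTFY_L"}

def _level(role: str) -> int:
    """Position in the entity hierarchy; roles not listed are processed last."""
    return ENTITY_LEVEL.index(role) if role in ENTITY_LEVEL else len(ENTITY_LEVEL)

def _matches(rule: Rule, event: str, entity: str, subentity: str) -> bool:
    return (rule.event == event
            and (not rule.entity or rule.entity == entity)
            and (not rule.subentity or rule.subentity == subentity))

def _group_recipients(group: Sequence[Rule], role_users: Dict[str, List[str]]) -> List[str]:
    """Walk one sort group from the lowest role upwards: the first role with a
    user assigned receives the task, higher roles in the group act as backup."""
    for rule in sorted(group, key=lambda r: _level(r.role)):
        users = role_users.get(rule.role, [])
        if users:
            return list(users)
    return []

def determine_recipients(rules: Sequence[Rule], event: str, entity: str,
                         subentity: str, role_users: Dict[str, List[str]]) -> List[List[str]]:
    """Recipient batches for one task: first-found events give at most one
    batch, serial events one batch per sort group in sort order, parallel
    events a single merged batch."""
    groups: Dict[int, List[Rule]] = defaultdict(list)
    for rule in rules:
        if _matches(rule, event, entity, subentity):
            groups[rule.sort].append(rule)
    batches = [_group_recipients(groups[s], role_users) for s in sorted(groups)]
    if event in PARALLEL_ALL_GROUPS:
        merged: List[str] = []
        for batch in batches:
            merged.extend(u for u in batch if u not in merged)
        return [merged] if merged else []
    if event in SERIAL_ALL_GROUPS:
        return [b for b in batches if b]
    return batches[:1]   # first group found, then stop

# Constructed rules, modelled on the delivered SOX BC set in the appendix.
RULES = [
    Rule("0PC_PERF_ASSESSMENT", 1, "SAP_GRC_SPC_SOX_SPR_OWNER", "G_AS", "CD"),  # backup
    Rule("0PC_PERF_ASSESSMENT", 1, "SAP_GRC_SPC_SOX_CTL_OWNER", "G_AS", "CD"),
    Rule("0PC_PERF_ASSESSMENT", 2, "SAP_GRC_SPC_SOX_CTL_OWNER", "G_AS", "CE"),
    Rule("0FN_MDCHG_NTFY", 1, "SAP_GRC_SPC_SOX_CTL_OWNER"),
    Rule("0FN_MDCHG_NTFY", 2, "SAP_GRC_SPC_SOX_ICMAN"),
    Rule("0FN_MDCHG_NTFY", 3, "SAP_GRC_SPC_FDA_ICMAN"),
    Rule("0RM_INCIDENT_VALIDATE", 8, "Z_RM_LOCAL_VALIDATOR"),    # constructed names
    Rule("0RM_INCIDENT_VALIDATE", 9, "Z_RM_CENTRAL_VALIDATOR"),
]

# Constructed user assignment: nobody currently holds the SOX control owner role.
ROLE_USERS = {
    "SAP_GRC_SPC_SOX_SPR_OWNER": ["jsmith"],
    "SAP_GRC_SPC_SOX_ICMAN": ["mbrown"],
    "SAP_GRC_SPC_FDA_ICMAN": ["lchen"],
    "Z_RM_LOCAL_VALIDATOR": ["pkaur"],
    "Z_RM_CENTRAL_VALIDATOR": ["dmeyer"],
}

if __name__ == "__main__":
    for ev, ent, sub in [("0PC_PERF_ASSESSMENT", "G_AS", "CD"),
                         ("0FN_MDCHG_NTFY", "ORGUNIT", ""),
                         ("0RM_INCIDENT_VALIDATE", "INCIDENT", "")]:
        print(ev, ent, sub, "->", determine_recipients(RULES, ev, ent, sub, ROLE_USERS))
```

With no control owner assigned, the CD assessment falls back to the subprocess owner in the same sort group; assigning a control owner makes that user the recipient instead.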

5.8 Ticket Based Authorizations


The information in this section applies to both the process control application and risk management application. Most users have the appropriate authorizations to complete their assigned work item. However, in some cases a work item must be passed on to a user who does not normally hold the required authorizations. Ticket Based Authorizations grants the user temporary authorizations so that they can complete the assigned work item. Once the work item has been completed, or reassigned to another user, the ticket expires for this user.
NOTE

The delivered ticket based authorizations cannot be modified. Further, the functionality is transparent to the user. This information is provided for explanatory purposes only.
Users Who May Need Ticket Based Authorizations

Process control users:
- Assessment Performer
- Assessment Reviewer
- Effectiveness Tester
- Test Reviewer
- Issue Owner
- Remediation Owner
- Any user who needs to assign a workflow task to a substitute or to the next processor.

Risk management users:
- Risk survey performer
- Activity survey performer
- KRI survey performer


Time Related Aspects

Once a user starts to perform the task from the work inbox, the authorization is given to the user. The authorization is temporary. A user who no longer holds the ticket is no longer authorized to perform the task. The authorization expires when the task is submitted. If the time has passed beyond the task due date, but the user has not submitted the task, the authorization remains active. The authorization is subject to the SAP Business Workflow escalation functionality.

5.9 Standard Authorization Objects Relevant to Security


The information in this section applies to both the process control application and risk management application. You must maintain the process control and risk management application authorizations for the following application server objects:

- Personnel Planning (PLOG) from Organizational Management: The general object type Organization (orgunit) is used in the process control and risk management applications.

NOTE

Organizations created in other projects are also available in the process control and risk management applications, and organizations created in Process Control and Risk Management are available in other projects.

- Case Management and Records Management: The process control assessments, tests, issues, and remediation plans are stored in Case or Records Management. The RMS ID for the process control application is GRPC_PC. The risk management analysis, responses, and surveys are stored in Case or Records Management. The RMS ID for the risk management application is GRRM_RM.


6 Appendix

6.1 Delivered Workflow Recipient BC Set (Process Control)


The information in this section applies to only the process control application. The use of this BC set is optional. The risk management application uses the default agent determination rules and does not have a BC set. The process control application is delivered with the following agent determination rule BC sets:

Global Compliance Office

Business Event              Sort   Role                           Entity           Subentity
0PC_PERF_AOD                1      SAP_GRC_SPC_GLOBAL_ORG_OWNER   ORGUNIT          Not applicable
0PC_PERF_SIGNOFF            1      SAP_GRC_SPC_GLOBAL_ORG_OWNER   SIGNOFF          Not applicable
0PC_PERF_SIGNOFF            2      SAP_GRC_SPC_GLOBAL_CEO_CFO     SIGNOFF          Not applicable
0PC_PERF_IELC_ASSESSMENT    1      SAP_GRC_SPC_GLOBAL_ORG_OWNER   G_AS             MCOU
0PC_PERF_IELC_ASSESSMENT    2      SAP_GRC_SPC_GLOBAL_INT_AUD     G_AS             MCOU
0PC_PERF_IELC_TESTING       2      SAP_GRC_SPC_GLOBAL_INT_AUD     G_TL             MTOU
0PC_PERF_RISK_ASSESSMENT    1      SAP_GRC_SPC_GLOBAL_ORG_OWNER   G_AS             RISK
0PC_CONTROL_PROPOSAL_APPR   3      SAP_GRC_SPC_GLOBAL_ORG_OWNER   Not applicable   Not applicable

SOX Compliance Initiative

Business Event              Sort   Role                         Entity           Subentity
0PC_PERF_AOD                2      SAP_GRC_SPC_SOX_ICMAN        ORGUNIT          Not applicable
0PC_PERF_ASSESSMENT         1      SAP_GRC_SPC_SOX_CTL_OWNER    G_AS             CD
0PC_PERF_ASSESSMENT         2      SAP_GRC_SPC_SOX_CTL_OWNER    G_AS             CE
0PC_PERF_ASSESSMENT         1      SAP_GRC_SPC_SOX_SPR_OWNER    G_AS             PD
0PC_PERF_IELC_TESTING       1      SAP_GRC_SPC_SOX_ORG_TESTER   G_TL             MTOU
0PC_PERF_TESTING            1      SAP_GRC_SPC_SOX_PRC_TESTER   G_TL             CO
0PC_PERF_TESTING            2      SAP_GRC_SPC_SOX_PRC_TESTER   G_TL             TE
0PC_RECE_ISSUE              1      SAP_GRC_SPC_SOX_SPR_OWNER    G_IS             CO
0PC_RECE_ISSUE              1      SAP_GRC_SPC_SOX_CTL_OWNER    G_IS             MO
0PC_VALI_ASSESSMENT         1      SAP_GRC_SPC_SOX_SPR_OWNER    G_AS             CD
0PC_VALI_ASSESSMENT         2      SAP_GRC_SPC_SOX_SPR_OWNER    G_AS             CE
0PC_VALI_ASSESSMENT         1      SAP_GRC_SPC_SOX_PRC_OWNER    G_AS             PD
0PC_VALI_IELC_ASSESSMENT    1      SAP_GRC_SPC_SOX_ICMAN        G_AS             MCOU
0PC_VALI_IELC_TESTING       1      SAP_GRC_SPC_SOX_ICMAN        G_TL             MTOU
0PC_VALI_TESTING            1      SAP_GRC_SPC_SOX_SPR_OWNER    G_TL             TE
0PC_VALI_RISK_ASSESSMENT    1      SAP_GRC_SPC_SOX_ICMAN        ORGUNIT          Not applicable
0PC_VALI_RISK_ASSESSMENT    1      SAP_GRC_SPC_FDA_ICMAN        ORGUNIT          Not applicable
0PC_PERF_CRA                1      SAP_GRC_SPC_SOX_SPR_OWNER    G_AS             CR
0PC_VALI_CRA                1      SAP_GRC_SPC_SOX_ICMAN        G_AS             CR
0PC_CONTROL_PROPOSAL_APPR   1      SAP_GRC_SPC_SOX_SPR_OWNER    Not applicable   Not applicable
0PC_CONTROL_PROPOSAL_APPR   2      SAP_GRC_SPC_SOX_PRC_OWNER    Not applicable   Not applicable

FDA Compliance Initiative

Business Event              Sort   Role                             Entity           Subentity
0PC_PERF_ASSESSMENT         2      SAP_GRC_SPC_FDA_CTL_OWNER        G_AS             CE
0PC_PERF_TESTING            1      SAP_GRC_SPC_FDA_PRC_TESTER       G_TL             CO
0PC_PERF_TESTING            2      SAP_GRC_SPC_FDA_PRC_TESTER       G_TL             TE
0PC_RECE_ISSUE              1      SAP_GRC_SPC_FDA_SPR_OWNER        G_IS             CO
0PC_RECE_ISSUE              1      SAP_GRC_SPC_FDA_CTL_OWNER        G_IS             MO
0PC_VALI_ASSESSMENT         2      SAP_GRC_SPC_FDA_SPR_OWNER        G_AS             CE
0PC_VALI_CAPA_EXEC          1      SAP_GRC_SPC_FDA_CAPA_EXEC_APPR   G_CP             Not applicable
0PC_VALI_CAPA_PLAN          1      SAP_GRC_SPC_FDA_CAPA_PLAN_APPR   G_CP             Not applicable
0PC_VALI_TESTING            1      SAP_GRC_SPC_FDA_SPR_OWNER        G_TL             TE
0PC_CONTROL_PROPOSAL_APPR   1      SAP_GRC_SPC_FDA_SPR_OWNER        Not applicable   Not applicable
0PC_CONTROL_PROPOSAL_APPR   2      SAP_GRC_SPC_FDA_PRC_OWNER        Not applicable   Not applicable

If you want to implement a SOX initiative using the delivered BC Sets, activate Global and SOX. If you want to implement an FDA initiative using the delivered BC Sets, activate Global and FDA. If you want to implement both SOX and FDA initiatives using the delivered BC Sets, activate Global, SOX, and FDA.

6.2 Business Events


You use the business events with the entity and subentities when customizing the workflow recipient rules. For more information, see Determining Workflow Recipient.
NOTE

Workflow recipient rules are processed either for all available groups or just for the first group found. This attribute is included for each business event. The processing attribute for almost all business events is first found group. The exceptions are Incident Validation (for risk management) and Master Data Change Notification (for process control), which are processed for all available groups.
Business Events (Process Control)

No.   Business Event              Description                                                                Rule Processing
1     0FN_MDCHG_APPR              Master Data Change Approval                                                First found group.
2     0FN_MDCHG_NTFY              Master Data Change Notification                                            All available groups.
3     0FN_MDCHG_NTFY_L            Master Data Change Notification Locally                                    All available groups.
4     0PC_PERF_ASSESSMENT         Perform Control Design Assessment                                          First found group.
5     0PC_PERF_CRA                Perform Control Risk Assessment                                            First found group.
6     0PC_PERF_IELC_ASSESSMENT    Perform Indirect Entity-Level Control Assessment                           First found group.
7     0PC_PERF_IELC_TESTING       Perform Indirect Entity-Level Control Testing                              First found group.
8     0PC_PERF_RISK_ASSESSMENT    Perform Risk Assessment                                                    First found group.
9     0PC_PERF_TESTING            Perform Test of Control Effectiveness                                      First found group.
10    0PC_PERF_AOD                Perform Aggregation of Deficiencies                                        First found group.
11    0PC_PERF_SIGNOFF            Perform Sign-Off                                                           First found group.
12    0PC_RECE_ISSUE              Receive Issues                                                             First found group.
13    0PC_VALI_ASSESSMENT         Review Assessment                                                          First found group.
14    0PC_VALI_CAPA_EXEC          Review CAPA Execution                                                      First found group.
15    0PC_VALI_CAPA_PLAN          Review CAPA Plan                                                           First found group.
16    0PC_VALI_CRA                Review Control Risk Assessment                                             First found group.
17    0PC_VALI_IELC_ASSESSMENT    Review Indirect Entity-Level Control Assessment                            First found group.
18    0PC_VALI_IELC_TESTING       Review Indirect Entity-Level Control Testing                               First found group.
19    0PC_VALI_RISK_ASSESSMENT    Review Risk Assessment                                                     First found group.
20    0PC_VALI_TESTING            Review Test of Control Effectiveness                                       First found group.
21    0PC_CONTROL_PROPOSAL_APPR   Get control proposal approver who has the change authority of the object   First found group.

Business Events (Risk Management)

No.   Business Event           Description              Rule Processing
1     0RM_ACTIVITY_SURVEY      Activity Survey          First found group.
2     0RM_ACTIVITY_VALIDATE    Activity Validation      First found group.
3     0RM_INCIDENT_VALIDATE    Incident Validation      All available groups.
4     0RM_KRI_LIAISON          KRI Liaison              First found group.
5     0RM_KRI_NOTIFICATION     KRI Notification         First found group.
6     0RM_KRI_SURVEY           Risk Indicator Survey    First found group.
7     0RM_OPP_ASSESSMENT       Opportunity Assessment   First found group.
8     0RM_OPP_VALIDATE         Opportunity Validation   First found group.
9     0RM_RESPONSE_UPDATE      Response Validation      First found group.
10    0RM_RISK_ASSESSMENT      Risk Assessment          First found group.
11    0RM_RISK_PROPOSE         Risk Proposal            First found group.
12    0RM_RISK_SURVEY          Risk Survey              First found group.
13    0RM_RISK_VALIDATE        Risk Validation          First found group.

6.3 Authorization Object Elements


The information in this section applies to both the process control application and risk management application. You configure the authorizations for application roles by maintaining the authorization object elements. The following tables list the descriptions of the authorization object elements. For information about the procedure, see Maintaining Application Roles.

6.3.1 Activity
The following activities are relevant for both process control and risk management applications. The activity controls what the user can do with the business object.
Activity Authorization Object

CHANGE CREATE DELETE DISPLAY ANALYZE PRINT DISPLAY TAKEOVER DISTRIBUTE

GRFN_API GRFN_API GRFN_API GRFN_API GRFN_REP GRFN_REP GRFN_USER GRFN_USER

6.3.2 Entities
The entity specifies the business object. Its values are all the business objects within the application. The following are the authorization-relevant entities for the process control and risk management applications:

Entity       Application       Description               Central
ACC_GROUP    Process Control   Account Group             X
ACTIVITY     Risk Management   Activity                  not applicable
AOD          Process Control   AOD                       not applicable
CACTIVITY    Risk Management   Activity Category         X
CAGROUP      Risk Management   Activity Category Group   X
COBJECTIVE   Process Control   Control Objective         X
COGROUP      Risk Management   Opportunity Category      X


6 6.3 Entity

Appendix Authorization Object Elements Application Description Central

CONTROL COPP CPROPOSAL CRGROUP CRISK ECGROUP ECONTROL EVENT EVENT_D EXEC G_AS G_CP G_IS G_PL G_TL INCIDENT JOBLOG JOBRESULT KRIIMPL KRIIMPLREQ KRIINST KRIRULE KRITMPL OBJECTIVE OLSP OPP ORGUNIT PLANNER PRISK PROCESS QSURVEY REGULATION REG_GROUP

Process Control Risk Management Risk Management Process Control Process Control Risk Management Process Control Risk Management Process Control Process Control Process Control Process Control Process Control Process Control Process Control Process Control Process Control Process Control Risk Management Process Control Process Control Risk Management Risk Management Risk Management Risk Management Risk Management Risk Management Process Control Risk Management Process Control Risk Management Process Control Risk Management Risk Management Process Control Risk Management Process Control Risk Management Process Control Risk Management

Control Central Opportunity Control Proposal Risk Category Central Risk Indirect Entity-Level Control Group Indirect Entity-Level Control Event Dispatched Event Scheduler Assessment CAPA Plan Issue Remediation plan Test Log Incident Job log from Scheduler Job Result KRI Implementation KRI Implementation Request KRI Instance KRI Business Rule KRI Template Objectives OLSP Opportunity Organization Planner Risk Proposal Process Question Survey Regulation/Policy Regulation/Policy Group

not applicable X not applicable X X not applicable not applicable X X X not applicable not applicable not applicable not applicable not applicable not applicable X X X X not applicable not applicable X X X not applicable not applicable not applicable not applicable not applicable X X X


6 6.3 Entity

Appendix Authorization Object Elements Application Description Central

REG_REQ RESPONSE RISK RULCR RULE SAPQUERY SCRIPT SIGNOFF SRV_QUESTION SUBPROCESS SURVEY TESTPLAN XCONTROL XECGROUP XECONTROL XPROCESS XSUBPROCESS

Process Control Risk Management Risk Management Process Control Risk Management Process Control Process Control Process Control Process Control Process Control Process Control Risk Management Process Control Process Control Risk Management Process Control Process Control Process Control Process Control Process Control Process Control

Regulation/Policy Requirement Response Risk Rule Criteria Rule SAP Query Rule Script Sign-Off Survey Question Subprocess Survey Template Testplan Central Control Central Indirect Entity-Level Control Group Central Indirect Entity-Level Control Central Process Central Subprocess

X not applicable not applicable X X X X not applicable X not applicable X X X X X X X

6.3.3 Subentities
The information in this section is relevant for both process control and risk management applications: Subentities are the subgroup of objects related to an entity. Not all entities have subentities. The table lists the subentities and related entities:
Entity    Subentity    Description
G_AS      CD           Control Design Assessment
G_AS      CE           Self Assessment
G_AS      CR           Control Risk Assessment
G_AS      MCOU         Indirect ELC Assessment
G_AS      PD           Sub Process Assessment
G_AS      RISK         Risk Assessment
G_CP      CE           CAPA plan for Self Assessment
G_CP      CO           CAPA plan for Compliance Test
G_CP      MO           CAPA plan for Monitoring Test
G_CP      TE           CAPA plan for Manual Test
G_IS      CD           Control Design Assessment Issue
G_IS      CE           Self Assessment Issue
G_IS      CO           Compliance Test Issue
G_IS      MCOU         Indirect ELC Assessment Issue
G_IS      MO           Monitoring Test Issue
G_IS      MTOU         Indirect ELC Test Issue
G_IS      PD           Sub Process Assessment Issue
G_IS      TE           Manual Test Issue
G_PL      CD           Control Design Assessment Plan
G_PL      CE           Self Assessment Plan
G_PL      CO           Compliance Test Plan
G_PL      MCOU         Indirect ELC Assessment Plan
G_PL      MO           Monitoring Test Plan
G_PL      MTOU         Indirect ELC Test Plan
G_PL      PD           Sub Process Assessment Plan
G_PL      TE           Manual Test Plan
G_TL      CO           Compliance Test Test Log
G_TL      MO           Monitoring Test Test Log
G_TL      MTOU         Indirect ELC Test Test Log
G_TL      TE           Manual Test Test Log
PLANNER   PERF-AOD     Perform Aggregation of Deficiencies
PLANNER   PERF-CDASS   Perform Control Design Assessment
PLANNER   PERF-CEASS   Perform Self Assessment
PLANNER   PERF-CRISK   Perform Control Risk Assessment
PLANNER   PERF-ETEST   Perform Indirect ELC Test
PLANNER   PERF-MCAOU   Perform Indirect ELC Assessment
PLANNER   PERF-PDASS   Perform Sub Process Assessment
PLANNER   PERF-RISK    Perform Risk Assessment
PLANNER   PERF-SOFOU   Perform Sign-Off
PLANNER   PERF-TEST    Perform Test
PLANNER   GRRM_ACT     Perform Activity Validation
PLANNER   GRRM_ANAL    Perform Risk Assessment
PLANNER   GRRM_OPP     Perform Opportunity Assessment
PLANNER   GRRM_OPPVA   Perform Opportunity Validation
PLANNER   GRRM_RESP    Perform Responsible Validation
PLANNER   GRRM_RISK    Perform Risk Validation
PLANNER   GRRM_SACT    Perform Activity Survey
PLANNER   GRRM_SKRI    Perform Risk Indicator Survey
PLANNER   GRRM_SRISK   Perform Risk Survey


6.3.4 Dataparts
The information in this section is relevant for both process control and risk management applications.
Entity       Datapart          Description                                                                   Relevant Application
ACTIVITY     DATA              Activity Details                                                              Risk management
ACTIVITY     VALIDATE          Activity Validation                                                           Risk management
CONTROL      CDATA             Additional data of control                                                    Process control
CONTROL      DATA              Basic data of control                                                         Process control
CONTROL      RISK              Assignment of control to risk                                                 Process control
CONTROL      RULE              Assignment of control to rule                                                 Process control
CONTROL      TDATA             Test attributes of control                                                    Process control
ECONTROL     DATA              Basic data of indirect Entity-Level Control                                   Process control
ECONTROL     TDATA             Test attributes of indirect Entity-Level Control                              Process control
INCIDENT     DATA              Maintain Incident Draft                                                       Risk management
INCIDENT     REWORK            Rework Incident (resubmit or refuse)                                          Risk management
INCIDENT     VALIDATE          Validate Incident (validate or send to rework)                                Risk management
KRITMPL      DATA              KRI Template Data                                                             Risk management
KRITMPL      LIAISON           KRI Liaison                                                                   Risk management
OPP          DATA              Opportunity Details                                                           Risk management
OPP          VALIDATE          Opportunity Validation                                                        Risk management
ORGUNIT      DATA              Orgunit Data                                                                  Process control, Risk management
ORGUNIT      ECONTROL          Assignment of Indirect Entity Level Control                                   Process control
ORGUNIT      INSCOPE           Orgunit Scoping Information                                                   Process control
ORGUNIT      RISK_ASSESSMENT   Risk Assessment on Organizations                                              Risk management
ORGUNIT      ROLES             Role Assignment on Organizations                                              Process control, Risk management
ORGUNIT      ROLES_PC          Role Assignment on Processes, Subprocesses, and Controls                      Process control
ORGUNIT      ROLES_RM          Role Assignment on Risks and Activities                                       Risk management
ORGUNIT      SIGNOFF           Sign-Off                                                                      Process control
ORGUNIT      SUBPROCESS        Assignment of Subprocess                                                      Process control
RESPONSE     DATA              Response Data Part                                                            Risk management
RESPONSE     VALIDATE          Response Validation                                                           Risk management
RISK         DATA              Risk Details                                                                  Process control, Risk management
RISK         VALIDATE          Risk Validation                                                               Risk management
SUBPROCESS   COR_GLOB          Assignment of global control to subprocess, control objective, and risk       Process control
SUBPROCESS   COR_ORG           Assignment of referenced control to subprocess, control objective, and risk   Process control
SUBPROCESS   DATA              Local subprocess attributes                                                   Process control
SUBPROCESS   INSCOPE           Subprocess Scoping Information                                                Process control
XCONTROL     DATA              Basic data of control                                                         Process control
XCONTROL     TDATA             Test attributes of control                                                    Process control
XECONTROL    DATA              Basic data of indirect Entity-Level Control                                   Process control
XECONTROL    TDATA             Test attributes of indirect Entity-Level Control                              Process control


SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com

Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.


Documentation in the SAP Service Marketplace

You can find this document at the following address: http://service.sap.com/instguides
