GRC AC 10 Step by Step Notes
0 Configuration Steps:
Client activation
BC sets activation
Create connectors
Define groups
If you want, you can select the Access Control (AC) module only.
You need to activate AC in your system; if you want, you can add all 3 (AC, PC, RM).
Client 100 is the front-end system (the GRC AC system) and client 200 is the back-end system.
Copy all data from client 000 to 100 as well as from 000 to 200.
Note: within the same system no plug-in needs to be installed. If the client is in some other system, the
plug-in must be installed in that system. The plug-in name is GRCPINW (needs to be installed).
Client Activation
Go to t-code SPRO
If no entry exists, or one more is needed, click on the New Entries button.
You can select GRC-AC from the drop-down menu as shown below.
Note: if you want GRC-PC and GRC-RM activation, you can select those as well.
Scroll down; you can see the default_host and SAP Connect entries.
Now we need to activate: right-click on default_host and select Activate Virtual Host.
Note: SAP Connect is the option to select when a domain is involved.
Activate BC sets
Go to t-code SCPR20
You need a customizing request. To create a new request, click on the Create button.
GRAC_ACCESS_REQUEST_APPL_MAPPING
GRAC_ACCESS_REQUEST_EUP
GRAC_ACCESS_REQUEST_PRIORITY
GRAC_ACCESS_REQUEST_REQ_TYPE
GRAC_RA_RULESET_COMMON
GRAC_RA_RULESET_JDE
GRAC_RA_RULESET_ORACLE
GRAC_RA_RULESET_PSOFT
GRAC_RA_RULESET_SAP_APO
GRAC_RA_RULESET_SAP_BASIS
GRAC_RA_RULESET_SAP_CRM
GRAC_RA_RULESET_SAP_ECCS
GRAC_RA_RULESET_SAP_HR
GRAC_RA_RULESET_SAP_NHR
GRAC_RA_RULESET_SAP_R3
GRAC_RA_RULESET_SAP_SRM
GRAC_ROLE_MGMT_LANDSCAPE
GRAC_ROLE_MGMT_METHODOLOGY
GRAC_ROLE_MGMT_PRE_REQ_TYPE
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_SENTIVITY
GRAC_SPM_CRITICALITY_LEVEL
In that,
Create connectors
Here the source is client 100.
For that, create one user in client 200 with user ID RFC_USR.
Go to T-code SPRO
Enter language as EN
Enter User
If you click on Connection Test you can see the screen below.
If you click on Remote Logon you can see the screen below.
Connection test and remote logon work successfully.
Note: during user creation we selected the user type System. But a system user cannot be used for this RFC, so
we need to choose the user type Service user.
You will get the screen below; in that, select SAP System as shown below.
Now double-click on Define Connectors on the left side.
Now select the target connector grcclnt200 and double-click on Define Subsequent Connector on the
left side.
Note: if there are 10 clients, repeat the same process above for each client to be supported.
Define Groups
Select the target connector grcclnt200 and double-click on the Subsequent Connector folder.
Double-click on Define Connector Groups; you will get the screen below.
Note: here we selected Logical Group from the list because the target is within the same system. If it is some other
system, Cross System Group should be selected.
If you click on the work area browse, you can see 4 integration scenarios.
AUTH is the integration scenario for ARA (Access Risk Analysis, called RAR in earlier releases).
Now double click on scenario connection type link from left side.
Select target connector and connector type row and click on save.
Go to t-code SPRO
Select the connector group row and double-click on Assign Default Connector to Connector
Group on the left side.
Check all the check boxes as in the screen below.
Here the 4 check boxes correspond to application types 001, 002, 003 and 004.
Automatic/manual
Click on yes.
After completing the above activity, the WF-BATCH user is created automatically and can be seen in SU01.
Give a password.
Normally the button shows green. Here it shows red only because the user has no roles yet.
Now go to SU01, select the Roles tab and assign the role SAP_BC_BMT_WFM_SERV_USER.
Click on create
Click on save
Go to t-code SA38
Execute RHSOBJCH
Click on execute
Select all
Execute button
Now go back and click on Execute. Then you can see the green button.
Expand workflow
You can see below screen with folders from left side
Go to t-code SA38
Enter RS_APPL_REFRESH
Click on execute
Now go back and look at the GRC folder. You can now see the subfolders under the GRC folder.
Select Do not change linkage from the drop-down menu as shown below.
Click on save button
Important steps,
For the GRC folder there is no TS (assign agents) and WS (activate event) yet.
Go to t-code SWE2
Now go back to the GRC folder screen and perform the same process (assign agent and activate
event) to activate.
Important steps,
Go to t-code PFTC
On that screen, choose Additional data > Agent assignment > Maintain from the menu bar.
Next step,
You can see the graphical model on right side for that workflow.
Next step,
Go to t-code SPRO
If the repository object sync is being run for the first time, select the option Full Sync Mode as shown below.
Otherwise click on the Execute button directly.
Next step,
Go to t-code SPRO
Next step,
Go to t-code SPRO
Go to t-code SPRO
Online Risk Analysis: every risk analysis goes directly to the back-end system.
Offline Risk Analysis: the risk analysis data is stored in either the database (D) or a file (F).
Whenever a risk analysis runs, the data is fetched from D or F only, based on the configuration parameters.
Next step,
Go to T-code SPRO
Files are :
business process.txt
function action.txt
function permission.txt
functions.txt
risk disc.txt
risk.txt
rule set.txt
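To make the rule set upload and the online/offline distinction concrete, here is an added example (not SAP code and not from these notes) of a minimal action-level SoD risk analysis. The tab-separated file layouts, the function/risk IDs and the user-to-transaction assignments are constructed stand-ins; the real GRC upload files have more columns. The "F" mode writes the result to a file and reads it back, the "D" mode returns it directly, mirroring the two offline options described above.

```python
"""Minimal SoD risk analysis over simplified rule set files (added example, not SAP code)."""
import json
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample content in an assumed, simplified tab-separated layout.
FUNCTION_ACTION_TXT = """\
AP01\tFB60
AP01\tMIRO
AP02\tXK01
AP02\tXK02
PY01\tF110
"""
RISK_TXT = """\
P001\tAP01\tAP02
P002\tAP02\tPY01
"""
RISK_DESC_TXT = """\
P001\tEnter invoices and maintain vendor master
P002\tMaintain vendor master and run payments
"""

# Constructed user -> transaction assignments, as the back-end client would return them.
USER_ACTIONS = {
    "JDOE": {"FB60", "XK01", "SU01"},
    "ASMITH": {"F110", "XK02", "MIRO"},
    "BLEE": {"FB60", "MIRO"},
}


def parse_tsv(text):
    """Split non-empty lines into tab-separated columns."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def load_ruleset():
    """Build function->actions and risk->functions lookups from the file contents."""
    func_actions = defaultdict(set)
    for func_id, action in parse_tsv(FUNCTION_ACTION_TXT):
        func_actions[func_id].add(action)
    risks = {row[0]: row[1:] for row in parse_tsv(RISK_TXT)}
    risk_desc = {rid: desc for rid, desc in parse_tsv(RISK_DESC_TXT)}
    return func_actions, risks, risk_desc


def analyze(user_actions, func_actions, risks, risk_desc):
    """A user violates a risk when they hold at least one action from every function it pairs."""
    violations = []
    for user, actions in sorted(user_actions.items()):
        for risk_id, funcs in risks.items():
            matched = {f: sorted(func_actions[f] & actions) for f in funcs}
            if all(matched.values()):
                violations.append({"user": user, "risk": risk_id,
                                   "description": risk_desc.get(risk_id, ""),
                                   "matched": matched})
    return violations


def store_offline(violations, path):
    """Offline mode F: persist the result so later reports read the file, not the back end."""
    Path(path).write_text(json.dumps(violations, indent=1))


def load_offline(path):
    return json.loads(Path(path).read_text())


def run(mode="F"):
    """mode 'F' stores to a temporary file and reads it back; 'D' returns the result directly."""
    func_actions, risks, risk_desc = load_ruleset()
    violations = analyze(USER_ACTIONS, func_actions, risks, risk_desc)
    if mode == "F":
        out = Path(tempfile.mkdtemp()) / "risk_analysis.json"
        store_offline(violations, out)
        return load_offline(out)
    return violations


if __name__ == "__main__":
    for v in run():
        print(v["user"], v["risk"], v["description"], v["matched"])
```

With the constructed data ASMITH triggers both risks and JDOE triggers P001; BLEE holds only one function of P001 and is clean, which is the point of checking every function of a risk rather than any single critical action.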
Next step,
Go to T-code SPRO
System: grcclnt200
IMPORTANT NOTE: after executing the above step the risk analysis report is generated and stored in the file (F).
Next Step,
To see these Reports
Click on /nwbc
And click on user level under Access Risk Analysis as shown below
You will get the screen below.
Select the system as shown below and click on ok button
Next Step,
Mitigation ID creation. For that, a few steps are needed.
Create Mitigation owner and controller in GRC system (in client 100)
Go to SU01
With roles
SAP_GRAC_CONTROL_MONITOR
SAP_GRAC_CONTROL_OWNER
Go to t-code SPRO
Under details
Next step,
Go to t-code NWBC
Under group details, select the user ID created earlier, i.e. the controller user ID MTG_CON.
Under owner type, tick the check box Mitigation Monitors.
Repeat the same process for MTG_OWN and tick the check box Mitigation Approver.
Click on save button
Go to t-code NWBC
Select owner, controller user IDs as shown below and click on ok button
Click on save button
Go to t-code NWBC
On the next screen select the General tab, fill the required fields based on the requirement as shown
below and enter notes (write something related to the process).
Now select the Access Risks tab and click on the Add Row button.
Select the Risk ID and enter the Rule ID (enter * in this field) as shown below.
Now select owners tab
Go to t-code SPRO
Mitigation logs
Simulation process.
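The mitigation assignment above ties a control to a user and a risk, with a rule ID that is either a specific rule or the wildcard *, and is only valid between two dates. The following added example (not SAP code) applies such assignments to risk-analysis findings and separates mitigated from open ones; control IDs, users, rule IDs and dates are constructed, and the owner/monitor IDs reuse MTG_OWN and MTG_CON from the notes.

```python
"""Apply mitigation-control assignments to risk-analysis findings (added example, not SAP code)."""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class MitigationAssignment:
    control_id: str
    user: str
    risk_id: str
    rule_id: str      # exact rule ID, or '*' to cover every rule of the risk
    valid_from: str   # ISO dates, as entered on the assignment screen
    valid_to: str
    owner: str
    monitor: str

    def covers(self, user, risk_id, rule_id, on_day):
        """True when user, risk, rule pattern and validity window all match."""
        return (self.user == user and self.risk_id == risk_id
                and fnmatchcase(rule_id, self.rule_id)
                and date.fromisoformat(self.valid_from) <= on_day <= date.fromisoformat(self.valid_to))


# Constructed findings as a risk analysis would report them: (user, risk ID, rule ID).
FINDINGS = [
    ("ASMITH", "P001", "P00101"),
    ("ASMITH", "P002", "P00201"),
    ("JDOE", "P001", "P00101"),
    ("JDOE", "P001", "P00102"),
]

# Constructed assignments: one wildcard control, one bound to a single rule.
ASSIGNMENTS = [
    MitigationAssignment("MC_AP_001", "ASMITH", "P001", "*",
                         "2024-01-01", "2024-12-31", "MTG_OWN", "MTG_CON"),
    MitigationAssignment("MC_AP_002", "JDOE", "P001", "P00101",
                         "2024-01-01", "2024-06-30", "MTG_OWN", "MTG_CON"),
]


def classify(findings, assignments, as_of):
    """Return {'mitigated': [...], 'open': [...]} for the analysis date as_of (ISO string)."""
    on_day = date.fromisoformat(as_of)
    result = {"mitigated": [], "open": []}
    for user, risk, rule in findings:
        hit = next((a for a in assignments if a.covers(user, risk, rule, on_day)), None)
        if hit:
            result["mitigated"].append((user, risk, rule, hit.control_id))
        else:
            result["open"].append((user, risk, rule))
    return result


def expiring(assignments, as_of, within_days=30):
    """Control IDs whose validity ends within the next within_days (what a monitor should review)."""
    on_day = date.fromisoformat(as_of)
    return sorted(a.control_id for a in assignments
                  if 0 <= (date.fromisoformat(a.valid_to) - on_day).days <= within_days)


if __name__ == "__main__":
    print(classify(FINDINGS, ASSIGNMENTS, "2024-03-15"))
    print("expiring soon:", expiring(ASSIGNMENTS, "2024-06-15"))
```

JDOE's second finding stays open because the control is bound to rule P00101 only, and after 2024-06-30 the same control no longer covers the first finding either; an expired assignment silently turns a mitigated risk back into an open one, which is why the expiring list is worth reviewing.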
Next Topic:
This component allows temporary access for users assigned to solve a problem,
giving them provisionally broad but regulated access.
The log files can be distributed to the controllers and owners via workflow for additional approval.
The firefighter needs to log in to the same system in which the FFID is assigned to the firefighter
user.
Firefighter owner, controller and firefighter must exist in the same system.
No other common role needs to be assigned to the FFID except the required emergency access role.
GRC AC 10.0
Here the user logs in through the central system (GRC) and is logged in to the back-end system remotely
through RFC connectors.
We need to assign a common role, which we define in the configuration parameter EAM 4010.
Pre-requisites
Create users and assign required access roles
Role: SAP_GRAC_SUPER_USER_MGMT_OWNER
Log in to the GRC system client 100 and the back-end system client 200 (login user ID sap*).
Go to t-code SU01
Role: SAP_GRAC_SUPER_MGMT_USER
STEP1:
Go to t-code SPRO
If the repository object sync is being run for the first time, select the option Full Sync Mode as shown below.
OR
Go to SA38
STEP2:
Go to t-code NWBC
Now under owner type, tick the check box Firefighter ID Controller.
Next step,
Click on create
STEP3:
Go to t-code NWBC
Click on OK button
Click on OK button
Click on save button, then you will get screen like below
STEP4:
Go to t-code NWBC
Click on OK button
Click on the Add button (select the Firefighter tab).
Click on save.
Select FFC_BC
Click on save button, you can see the screen like below.
STEP5:
Go to t-code NWBC
Enter Description
Click on ok button
Click on save button. Then you can see the screen like below.
STEP6:
Log in to client 100 with user ID FF_USER
Reporting
1. Report types
2. Log collection
3. Log retrieval
Report types: the reports can be accessed using NWBC or the portal and are located under
Reports and Analytics.
These reports provide information based on the following logs from the remote system.
Transaction log:
Captures the change log from change document objects (tables CDPOS and CDHDR).
System log:
This report gives the details of all users (firefighter, controller, owner and
firefighter ID) who are expired, locked or deleted. In the case of role-based firefighting, it
gives details of whether the role has been generated or not.
It provides details of the sessions in which the firefighter logged in to the remote system using the
FFID, for the ID-based firefighter application.
4) Reason code and activity report:
This report provides the details of the reason code and activity used by the
firefighter.
5) SoD conflict report for firefighter ID:
Lists the cases where the firefighter logs in to the remote system using the FFID
and performs transactions that violate access risk rules.
LOG COLLECTION:
The details of the transactions executed by the firefighter lie in the remote system in
CDHDR, CDPOS, STAD, SM19, SM49 and the debug and replace information.
The data from the remote system can be fetched using the log collector, which can be executed
as a foreground or background job.
Go to t-code NWBC
In that, select the report name from the drop-down menu (transaction log, change log, audit log, etc.).
The background job for log collection can be scheduled from SM36 on a periodic basis.
The status of the background job can be checked in transaction SM37.
Go to t-code NWBC
Now select Change Log from the drop-down list instead of Transaction Log.
Go to NWBC
Go to t-code NWBC
Go to t-code NWBC
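The log collector described above brings the FFID session records and the transaction records from the remote system together so the controller can review them. The following added example (not SAP code and not from these notes) shows the correlation step that underlies the session and reason-code/activity reports: each collected transaction is tied to the firefighter session that was open at that time, transactions with no matching session are reported separately, and sessions whose transactions came from more than one terminal are flagged. The session and STAD-style rows, the FFID FFID_BC, the reason codes and terminal names are all constructed.

```python
"""Correlate firefighter sessions with collected transactions (added example, not SAP code)."""
from datetime import datetime

# Constructed session-log rows: firefighter user, FFID, reason code, activity, start, end.
SESSIONS = [
    {"ff_user": "FF_USER", "ffid": "FFID_BC", "reason": "INC-1001",
     "activity": "Reset locked batch user",
     "start": "2024-03-15T09:00:00", "end": "2024-03-15T09:40:00"},
    {"ff_user": "FF_USER", "ffid": "FFID_BC", "reason": "INC-1007",
     "activity": "Fix failed job",
     "start": "2024-03-15T14:00:00", "end": "2024-03-15T14:30:00"},
]

# Constructed STAD-style rows fetched by the log collector: FFID, timestamp, transaction, terminal.
TRANSACTIONS = [
    ("FFID_BC", "2024-03-15T09:05:12", "SU01", "WS-21"),
    ("FFID_BC", "2024-03-15T09:12:40", "SM37", "WS-21"),
    ("FFID_BC", "2024-03-15T11:30:00", "SE16", "WS-21"),  # no session was open
    ("FFID_BC", "2024-03-15T14:03:05", "SM37", "WS-21"),
    ("FFID_BC", "2024-03-15T14:10:00", "SU01", "WS-44"),  # second terminal in one session
]


def _ts(value):
    return datetime.fromisoformat(value)


def build_report(sessions, transactions):
    """Attach each transaction to the session open at that time.

    Returns (report, orphans): report is one dict per session with its transactions,
    orphans are transactions executed with the FFID while no session was logged."""
    report = [{**s, "transactions": []} for s in sessions]
    orphans = []
    for ffid, when, tcode, terminal in transactions:
        t = _ts(when)
        for entry in report:
            if entry["ffid"] == ffid and _ts(entry["start"]) <= t <= _ts(entry["end"]):
                entry["transactions"].append((when, tcode, terminal))
                break
        else:
            orphans.append((ffid, when, tcode, terminal))
    return report, orphans


def summarize(report):
    """Reason-code/activity view: one row per session with the distinct transactions used."""
    return [(e["ffid"], e["reason"], e["activity"], sorted({t[1] for t in e["transactions"]}))
            for e in report]


def terminal_anomalies(report):
    """Sessions in which the FFID was used from more than one terminal."""
    return [(e["ffid"], e["reason"], sorted({t[2] for t in e["transactions"]}))
            for e in report if len({t[2] for t in e["transactions"]}) > 1]


if __name__ == "__main__":
    rep, orphans = build_report(SESSIONS, TRANSACTIONS)
    for row in summarize(rep):
        print(row)
    print("outside any session:", orphans)
    print("multi-terminal sessions:", terminal_anomalies(rep))
```

The SE16 call at 11:30 is the finding a controller would want to see first: the FFID was used while no reason code or activity was recorded for it, so the reason-code/activity report alone would never show it.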