Connector 2

The document outlines a training session on SAP GRC Access Control, focusing on shared configuration and the activation of BC sets provided by SAP. It explains the process of activating BC sets, maintaining action and connector group mappings, and configuring various settings related to emergency access management and risk analysis. Additionally, it covers the importance of creating business processes and subprocesses within the GRC system and integrating with external data sources for user authentication.

Uploaded by Prachi Tripathi

Hello everyone.

Welcome to the next session of the SAP GRC Access Control training.

In this particular session, we are going to discuss the shared configuration within SAP GRC Access Control, meaning the configuration which is relevant for all four applications which we have seen, and we will also see and enable the BC sets which are delivered by SAP.

First let us see how to activate the BC sets which are delivered by SAP.

For that you need to understand what a BC set is.

BC sets are provided by SAP.

In general, this is a set of baseline customizing which is delivered by SAP, meaning that SAP does much of the configuration and delivers it to the customer.

So we can use these BC sets to have the initial baseline configuration.

Now you may think, do we really need that?

You can also configure the system without these BC sets.

But many of the baseline configurations are already done.

You can make the changes which are required on top of the BC sets which are delivered by SAP.

The details of these BC sets are available in the SAP Access Control Administration Guide.

This guide is available on the SAP website.

You can download it as a PDF which has all the details.

The transaction code to activate BC sets is SCPR20.

This is the transaction code, and these are all the BC sets which we need for SAP Access Control activation.

If you want to see all the BC sets delivered for access control, then you go to SCPR20 and just enter GRAC*.

Then you will get the list of all access control BC sets.

Similarly, there are BC sets available for process control and risk management.

We will be using only the access control BC sets for our system.

So let us go to the system and see how we can enable the BC sets.

Let us go to the transaction SCPR20.

So this is the transaction code.

As I said, if I go to GRAC*, then you can see this is the list of all BC sets which are available for GRAC.

There are many BC sets which are not related to us, like SRM and APO.

So if we are not using these things, then we do not need them.

These are all the rule sets.

Basically, as we discussed before, SAP delivers the standard rule sets for your systems, which can be used for your SoD configuration.

So these are all the rule sets.

Let's say you are not using Oracle or PeopleSoft.

Then we can simply ignore this.

Now let us see how to activate the BC sets.

So the first BC set which we are going to take is this one, request application mapping.

To activate this, go to activate BC set.

Okay, this is the TR.

These BC sets are also a collection of configurations, so they also need to be saved in a TR.

Then you can move it to your quality as well as to the productive system.

This is the activation screen.

Here you need to select the expert mode.

Keep it to overwrite all data.

So if there is an existing data, then it will overwrite.

Let's execute.

We can see the activation ended with additional information.

If you want to see the details, select the activation log.

And you can see the activation log.

This is the latest activation which we have done.

As you can see, the activation is done successfully.

Okay.

If there is any warning we can generally ignore it.

And if there is an error, of course we need to see what the problem actually is.

Like this, let us activate all the BC sets one by one.

Now we are activating the rule sets.

Basically, for these rule sets, I have selected the rule sets which are required for us.

And I have eliminated many of the rule sets which are not required, which we will not be using in our training.

You can see this particular activation ended with a warning.

The warnings we will simply ignore.

And the next BC set

Now, if you see, we have completed all the BC set activation, and we could also recheck whether these BC sets are activated in our SPRO setting.

Basically, some of the customizing settings which are delivered by SAP are supposed to be there in the SPRO setting after the activation.

We can also recheck that.

So let's go to SPRO.

Let's go to SPRO, SAP Reference IMG.

And one thing you can see here: you will also see existing BC sets.

It means that some of the BC sets have the SAP delivered configuration.

We don't know which of these configurations are delivered by SAP, right?

So in that case, if you select existing BC sets, you can see there is something called additional information which came up.

Then if you go to Governance, Risk and Compliance and, let's go to All Access management or just bring up anything, okay, the role management.

When I open the role management you can see here, under additional information, that BC sets were activated.

Okay.

So basically these configurations are activated by BC sets.

We could also see this configuration which is delivered by SAP.

Let's say go to role management.

Let's say take this define sensitivity.

You can see these are all the sensitivities which are delivered by SAP.

Basically we would need to configure this ourselves; instead, to reduce the effort, SAP pre-delivered these configurations.

This is all about BC set activation.

Let's go back to our presentation.

Now let us discuss the mapping for action and connector group.

Here we maintain the connector group.

Basically we are going to map the events of BRM, 0 to 4.

These are all different events in BRM.

We will see that when we are configuring.

And five is basically for HR trigger.

HR trigger is required for the HR events.

Let us say you are integrating your GRC system with the HR system.

So whenever an employee is created, you can automatically trigger the event from the HR system to create an access request in the GRC system for the respective system, depending on the position which you are assigned.

Similarly, we can also map the BRM event in this particular customizing activity.

If you see here, these are all the options available in this particular customizing activity.

The first one is maintain connector group status.

Here what we can do is maintain the status of the particular group, active or inactive.

Second one is assign default connector to connector group.

Here we can assign the default connector to the connector group.

Then here, assign group field mapping.

Here, if you see, map AC field to connected system field.

Here we can map the fields within the GRC system which is connected to the different external systems.

And the fourth one is for the IDM integration.

Basically, when you are using IDM, IDM uses the SPML standard; there you can map which field is equal to which field in GRC.

In both of these configurations, basically we are doing a field mapping only.

If you use any external system, then we may need this; otherwise we will not be doing this.

Okay.

Let us go to the system and see how to do this.

Then it will be more clear to you.

We are in our GRC system.

Let us go to SPRO, SAP Reference IMG, Governance, Risk and Compliance.

We go to access control.

Then you go to maintain mapping for action and connector group.

Select this.

Here we simply select new entry.

Let us select the connector group.

This is our connector group which we have created.

SAP, R3 LG, and specify this is active and the application type is SAP.

Now save the changes.

Now you come to assign default connector.

Here we select new entry, connector group.

This is our connector group.

Then we need to assign the actions.

These are the actions we were discussing.

First one is 001.

This is role generation.

Then the target connector.

We have only one system, so this is the target connector, EH8 CLNT 800.

Okay.

Let's select this as a default.

You can have more than one system or more than one action.

However you can define which one is default.

Okay, let's select the next action.

We need to map all the actions.

Okay.

These are the four actions related to BRM which are required for us.

Okay.

Let's also configure the HR trigger here, 005.

Let's save the changes.

As I said, if you select one of these and go to the field mapping you can create the field mapping.

Okay.

Access control field.

Then the field name and the table name and the subtype.

So like this we can assign each field for the specific action.

In our case, we are not going to do that.

I will simply leave it like that.

Let's go back to our presentation.

Next one is about maintain connection setting.

Here we can maintain the connection settings for the systems that are connected to the access control application.

Okay, let's go to the system.

Go to SPRO, SAP Reference IMG, GRC, access control.

You can see maintain connector setting.

Select this.

Here we create a new entry.

Let's say the target system.

This is our target system.

Application is SAP.

And here we need to specify what is the environment.

This is quite important.

We can specify whether it is development or production or test.


In our case, I will mark it as production because we have only one system.

So if you have development, quality and production, then you can specify for each system, or let us say each target connector, whether it is development or quality or production.

Okay I will save these changes.

Let's go back.

Let's go back to our presentation.

The next one is Plugin settings.

As you know, we are using a PFCG system; that is, the EH8 system is a PFCG system.

If we want to skip the PFCG system and go to a non PFCG system, then we can use this customizing activity.

Of course, when you go to the non PFCG system, you need to have additional programs created which will fulfill the requirement.

Maybe we can quickly go through the IMG configuration just to show you where this is available.

Go to GRC Access control.

You see plugin setting.

Okay we have non GRC systems which you can define it here.

Let's say create a connector here and say it is inactivate.

Then you need to activate the non PFCG systems accordingly.

So let's go back to our presentation.

Next let us see some more customizing activities, like maintain critical level for emergency access management.

Distribute jobs for parallel processing: this is basically for when you are running any background jobs, how much parallel processing needs to be done.

We will also see maintaining the access risk level.

Basically, when you run an SoD risk analysis, this SoD risk you will classify as high, medium, low and critical.

And for each of them we can also define a color code.

Okay.

So this is the configuration for that.

This is already pre-delivered by SAP.

But we will just simply go through it.

If it is required to change, you can still change it.

Let's go to emergency access management.

This is maintain critical level for emergency access management.

You can see this is delivered by SAP through BC sets.

We have four critical levels: very high, high, medium and low.

Okay.

This is for the emergency access management.

Then we will see the distribution of jobs for parallel processing.

That is here, distribute jobs for parallel processing.

This is required, let's say, if you have a high amount of parallel processing in your SAP GRC; then you can configure this.

Otherwise we may not require that.

So basically you need to provide which application, which server and the logon server group, the number of tasks which you can run and the work processes which you can occupy.

Then let us see the maintain access risk level.

This is also pre-delivered, okay.

And you can see the color code.

So this is the pre-delivered color code; if you'd like to change it, you can also change it, or you can also create additional risk levels if required.

So let's go back to our presentation.

Next one is maintaining business process and subprocess.

This is one important topic: we need to create the list of available business processes and subprocesses in your GRC system.

That means all the business processes and subprocesses which are available in your ERP or your SRM systems need to be created in the GRC system.

Okay.

However, SAP also delivers the standard business processes.

Please remember we also need to have a subprocess in every business process.

Okay.

If you don't have any subprocess, we need to create one subprocess with the same name, meaning that every business process should have a subprocess.

So let us see how to create the subprocess.

For example, the business processes: if it is finance, then you have subprocesses like accounts receivable, accounts payable.

Like this, we have different subprocesses here.

Let us see how to create a subprocess.

Then we will understand this more clearly.

So let us go to maintain process and subprocess.

We will create one subprocess for basis.

See, here we need to create the subprocess.

Let us say new entry.

I will say BS01 and name, let us say, security; then BS02, let's say GRC.

Okay.

These are two different subprocesses under basis.

Okay.

Yeah.

You have a lot of other activities.

I just created one for security.

One for GRC.

Similarly we need to create subprocesses for each of these business processes.

Okay.

In the interest of time, I will be doing this and I will come back to you.

I have created subprocesses for all the business processes.

Maybe I can show you some of the subprocesses: like for M, I created purchase order and purchase approval, and for some of them I don't know the subprocess.

Then I simply created one subprocess as it is with the same name, so that every business process has a subprocess.

So let's go back to our presentation.

Next one is BRF plus function mapping.

We have a separate topic where we will be discussing BRF plus, how to create BRF plus functions and so on.

So once we complete that, this will become quite clear to you; from the configuration perspective I don't want to skip this.

So in this particular configuration, what we will be doing is maintain the BRF plus application mapping.

Okay.

So let's say you have an application like service level.

Then this will be the BRF plus function ID, which will in turn be assigned to one MSMP process.

We will also see what MSMP is in the later sessions.

Then this will become more clear to you.

For some of the MSMP processes, we can directly assign the BRF plus function ID in the MSMP itself, and some of them we need to assign here; like for HR, if you have a BRF function ID, then we have to assign it here.

Okay.

So for that we are using this functionality.

Basically, if you create a new function in BRF plus, then you need to maintain the mapping for the application.

Otherwise we don't need to do that.

Don't get confused.

We have a separate session for BRF plus as well as MSMP.

Then the topics will become more clear to you.

So let's go back and let's go to maintain access application and BRF plus function mapping.

So here you can see this is a default delivered by SAP.

If you have new functions, then you can select which application, then the BRF plus function.

Or if it is an MSMP process, then we can specify the MSMP process ID, okay.

At the moment we are not going to assign anything, so we will skip this.

I will not save the changes.

This is only for your information.

Next one is maintain data source configuration.

Basically, here we can maintain the connection information which is required for access control to retrieve the user authentication information from the external data source.

Okay.

Let's say you are authenticating using LDAP or some other sources.

Then you can use this functionality, where we have different configurations like: search user details from which location or which connection, retrieve user details from which connections, verify the requester identity from which source, or, let's say, end user logon and so on.

Okay.

So basically we are retrieving the users and authentication information from another data source by using this configuration.

Let's say if you are integrating with another data source, then you can use this.

SAP GRC can use any other data source, like LDAP or any other data sources, to retrieve information or to identify the requester.

We can use any other data sources for that.

We can use this configuration.

So let's go to maintain data source.

Here we can define the data source.

Let's say specify the connector.


Of course we have only one SAP connector in our previous sessions.

You should have noticed that we had LDAP.

So if you create a connection for LDAP, then you can specify the connection here and specify the data source.

Then you can retrieve the user information from that data source.

Meaning, in our case we will be entering it manually in the system.

Otherwise you can pull the user information, like first name, last name, email ID; these do not need to be filled in manually since this information is available in LDAP, for example.

Then you can retrieve it from there.

For that you can use this configuration.

So at the moment we are not going to use any LDAP.

So we will leave this configuration as it is.

The next one is maintain custom user group.

If you want to run a risk analysis based on some custom user group, then we can create the user group here.

Maintain custom user group.

Here you can specify the user group for which you want to run the risk analysis.

Basically, if you have some user group which is quite critical and you want to automate the SoD analysis for this user group on a periodic basis, then you can create this.

Otherwise, you can still run the SoD analysis for a user group.

But here you are basically configuring it in the system itself as a configuration, so that it will stay as it is.

Okay.

That's the difference.

Then let's go back to our presentation.

The next customizing activity is maintain master user ID mapping.

In general, in many systems you should have already faced this, not in recent days.

Maybe in the older systems you will have a user in one SAP system with a specific user ID, and the same user will have a user in another SAP system with a different user ID.

This used to happen in the older days.

However, in the latest landscapes you will not find this, because most companies use a unique identifier for each user.

However, if at all this problem happens, then you can map one system as a master user ID.

If at all this happens, you can configure which master user this specific user ID is equal to.

Okay, this is for that reason.

With this configuration let us quickly go through this one.

You can see here maintain master user ID mapping.

Then create a new entry and select the connector.

The user ID is equal to which master user ID.

That is the simple use of this.

So let us go back to our presentation.

The next configuration is basically to monitor the batch risk analysis.

Basically you can execute batch risk analysis from SPRO.

And you can also monitor the batch risk analysis from SPRO.

Okay, this is a slightly traditional way of doing it.

Even though you can do this in NWBC, if you would like to do it in SPRO, this function is available.

I just want you to be aware of this.

Let's go here.

Let's go to access risk analysis.

If you see batch risk analysis, you can maintain and execute the object for batch risk analysis.

And you can execute the batch risk analysis.

You can also monitor the batch risk analysis.

Okay.

So in case you want to explore in this direction, you can use this functionality.

Next one is maintain configuration setting.

This is a very important topic.

You may wonder how we configure, in the GRC system, how the system should behave.

There are many configurations where we can change the behavior of the GRC system, or let's say the GRC access control system.

For that, we have something called configuration setting.

This configuration setting has parameter groups, okay.

Different parameter groups.

And it has parameters for each group.

And you can set the parameter value.

So we will go through this.

We will not go through each and every parameter here, because there are quite a lot.

We will go through some of the main important things which are required during the course.

So you will get familiar with this in general.

Now we need to understand there is something called configuration setting, where we can configure some of the behavior of your GRC system.

Let us go to the system.

Then we will understand this more clearly.

We are in our SAP system.

Let's go to IMG governance risk and compliance.

Go to access control.

You can see here maintain configuration setting.

Select this.

Now we don't have any entries here.

Of course SAP cannot deliver you the configuration settings because it may vary depending on your requirement.

So let's have a quick look.

We can see here the parameter group.

For example, let's say you have risk analysis.

Okay.

So inside risk analysis we have different configuration parameter IDs.

Let's say, when you run a risk analysis, do you want to include your expired users?

Again this depends on the customer requirement.

Some customers say expired users need to be included for risk analysis because they do not delete the roles once the user is expired.

Okay, there is still a risk if somebody is adding a role to this user.

So you want to include them or don't want to include them; you want to include the locked users or not.

Okay.

So like this we can configure it; let's select this.

Let's say you can say yes or no.

So once we do this, then whenever you run a risk analysis it will include all the expired users.
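
An added illustration of the expired-user setting described above (not part of the training session and not SAP code): a minimal SoD check in Python over constructed users, roles and rules, showing which conflicts drop out of the report when expired or locked users are left out of scope. The rule set, role names and the `include_expired` / `include_locked` switches are hypothetical stand-ins, not SAP's delivered rule set or parameter IDs.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed demo rule set (not SAP's delivered rules). A function is a set
# of transaction codes; a risk is a pair of functions that one user should
# not hold together, with a risk level.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"FK01", "FK02"},
    "PROCESS_PAYMENT": {"F-53", "F110"},
    "CREATE_PO": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}
RISKS = {
    "DEMO01": ("MAINTAIN_VENDOR", "PROCESS_PAYMENT", "High"),
    "DEMO02": ("CREATE_PO", "GOODS_RECEIPT", "Medium"),
}
# Hypothetical roles and the transactions they grant.
ROLES = {
    "Z_AP_VENDOR": {"FK01", "FK02"},
    "Z_AP_PAYMENT": {"F-53"},
    "Z_MM_BUYER": {"ME21N"},
    "Z_MM_RECEIVING": {"MIGO"},
}


@dataclass
class User:
    user_id: str
    valid_to: date
    locked: bool = False
    roles: list = field(default_factory=list)

    def expired(self, today):
        return self.valid_to < today


def user_risks(user):
    """Return [(risk_id, level)] for every rule whose two functions the user can both perform."""
    actions = set().union(*(ROLES[r] for r in user.roles))
    return [
        (risk_id, level)
        for risk_id, (f1, f2, level) in sorted(RISKS.items())
        if actions & FUNCTIONS[f1] and actions & FUNCTIONS[f2]
    ]


def run_risk_analysis(users, today, include_expired=False, include_locked=False):
    """User-level SoD report; the two switches decide which users are in scope."""
    report = {}
    for u in users:
        if u.expired(today) and not include_expired:
            continue
        if u.locked and not include_locked:
            continue
        risks = user_risks(u)
        if risks:
            report[u.user_id] = risks
    return report


def hidden_by_scope(users, today):
    """Users whose conflicts exist in the role data but vanish from the narrow report."""
    full = run_risk_analysis(users, today, include_expired=True, include_locked=True)
    narrow = run_risk_analysis(users, today)
    return sorted(set(full) - set(narrow))


# Constructed sample data.
TODAY = date(2024, 6, 30)
NO_END = date(9999, 12, 31)
USERS = [
    User("ACTIVE1", NO_END, roles=["Z_AP_VENDOR"]),
    User("ACTIVE2", NO_END, roles=["Z_MM_BUYER", "Z_MM_RECEIVING"]),
    # Expired, but the roles were never removed: the conflict is still assigned.
    User("EXPIRED1", date(2024, 3, 31), roles=["Z_AP_VENDOR", "Z_AP_PAYMENT"]),
    User("LOCKED1", NO_END, locked=True, roles=["Z_MM_BUYER", "Z_MM_RECEIVING"]),
]

if __name__ == "__main__":
    print("narrow scope:", run_risk_analysis(USERS, TODAY))
    print("with expired:", run_risk_analysis(USERS, TODAY, include_expired=True))
    print("hidden users:", hidden_by_scope(USERS, TODAY))
```

The users returned by `hidden_by_scope` are the ones whose conflicting roles become effective again as soon as the validity date is extended or the lock is removed, which is the residual risk the session points to.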

We have different parameters.

We also have, let's say, access request default role, okay.

So if you want to define a default role, so that whenever you create an access request a default role is assigned to the user without adding it into the access request, then you can specify a default role here, okay.

Then it will automatically assign the default role.

Like this, all the possible parameters are already available here.

If you compare with the older versions, these parameters have increased a lot.

There are new parameter groups also included here.

Okay, so most of the requirements you may have for your implementation are already here.

We are not going to go through these one by one because these parameter groups are quite big.

So we will not be able to go through them one by one.

We will add some parameters during the course.

Then you will be more clear about what is going on here.

Okay.

For the time being, what we will do.

Let's go to authorization.
Then let's select enable authorization logging.

Let's see.

Yes.

Enable authorization logging.

Then I will also add workflow; then in workflow we have the access control email sender.

Let's say you want to send the email from a specific email address.

Then you can mention it here.

Okay.

Let's say.

Default at SAP buddy.com.

Okay.

At the moment this system is not configured to send out email.

But I am just giving you an example of what we can do.

Like this.

Okay.

And let's also do one for risk analysis.

And let's see.

This is default report view for risk analysis.

Select this.

Here we can select whether you want to use technical view or business view or remediation view.

Let me say the technical view.

So whenever you run a risk analysis it will give you the output in the technical format.

There are many views.

We will see that later.

So basically, by default the view for risk analysis will be technical, which means it will have the transaction code and objects and so on.

So it will give you the technical view by default.

Once you configure this, you save and create a TR.

And you can transfer it accordingly.


With this we are coming to the end of this particular session.

Thank you very much for listening.

I will see you in the next session.

Bye bye.
