AC 10.0 Pre-Implementation: From Post-Installation to First Risk Analysis

Customer Solution Adoption
April 11th 2011
Version 1.0


Purpose of this document

This document allows implementation consultants and administrators to set up the functionality required to run a user-level risk analysis once the post-installation has been finished. It is by no means a comprehensive guide to setting up the Access Risk Analysis component; rather, it lets you test that the application is working properly by setting up a basic test case.


© 2011 SAP AG. All rights reserved. 3

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Agenda

Requirements
o Verifying default configuration parameters
o Adding connector to AUTH scenario

Rules
o Setting up rule sets
o Generating rules

Jobs
o Synchronizing authorizations
o Synchronizing repository

Running the first risk analysis

Additional Tasks
o Creating a Root Org entry
o Setting up Batch Risk Analysis
o Setting up Action Usage
o Transporting rules

Requirements

o Verifying default configuration parameters
o Adding connector to AUTH scenario

Verifying default configuration parameters

Please check the configuration and make sure you have at least these parameters configured. The rest can be set according to your needs:

Adding connector to AUTH scenario

To perform a risk analysis, the AUTH scenario must be linked to the connector. This is done via IMG:

Rules

o Introduction
o Enabling the right rule set
o Assigning connectors to the rule sets
o Generating rules

Setting up rule sets: Introduction

o Rule sets are enabled using BC sets via transaction code SCPR20.
o GRAC_RA_RULESET_COMMON must be enabled beforehand, as shown in the post-installation deck.
o This only applies if you want to use the rule set(s) provided by SAP.

Setting up rule sets: Enabling the right rule sets

The following rule sets are available via SCPR20. Notice that each rule set is activated and linked into a separate logical group (technical name in brackets):

o GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)
o GRAC_RA_RULESET_SAP_HR: Rules for HR only (SAP_HR_LG)
o GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)
o GRAC_RA_RULESET_SAP_BASIS: Rules for Basis (SAP_BAS_LG)
o GRAC_RA_RULESET_SAP_APO: Rules for APO (SAP_APO_LG)
o GRAC_RA_RULESET_SAP_CRM: Rules for CRM (SAP_CRM_LG)
o GRAC_RA_RULESET_SAP_ECCS: Rules for ECCS (SAP_ECC_LG)
o GRAC_RA_RULESET_SAP_SRM: Rules for SRM (SAP_SRM_LG)
o GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)
o GRAC_RA_RULESET_ORACLE: Rules for Oracle Apps (ORACLE_LG)
o GRAC_RA_RULESET_PSOFT: Rules for PeopleSoft HRMS (PSOFT_LG)

Setting up rule sets: Assigning connectors to the rule sets

In order to use the enabled rule set, connectors need to be assigned to the respective logical group in IMG in the following path:

Setting up rule sets: Assigning connectors to the logical groups

Then select a logical group and go to “Assign Connectors to Connector Groups” to link a system.

Generating Rules

Then generate the rules by going to IMG under Governance, Risk and Compliance > Access Risk Analysis > SoD Rules > Generate SoD Rules.

Jobs

o Synchronizing authorizations
o Synchronizing repository

Jobs: Synchronizing authorizations

In IMG go to Access Control > Synchronization Jobs and run Authorization Sync (program GRAC_PFCG_AUTHORIZATION_SYNC). It is recommended that you run it in background. This program contains three jobs: Org. Value sync, Transaction Sync and Objects sync.

Note: You need to specify the language(s) of the profiles you wish to synchronize.

Jobs: Synchronizing repository

In the same path, now go to Repository Object Sync (program GRAC_REPOSITORY_OBJECT_SYNC). It is recommended that you run it in background.

Note: You need to specify the language(s) you wish to synchronize. The first run should be done in Full Sync mode; after that, Incremental Sync can be scheduled.

Running the first risk analysis

Now you should be able to run a risk analysis. Go to the Access Management Workcenter and run a User Level Risk Analysis on a specific user.
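The setup steps above can be cross-checked before the first risk analysis with a small script. This is an added example, not part of the SAP deck: the inventory layout and the connector names are constructed, and only the BC set, logical group and program names are taken from this document.

```python
# Added example, not SAP code; the inventory layout and connector names are constructed.
# Logical group -> BC set that creates it, as listed on the SCPR20 slide.
GROUP_BC_SET = {
    "SAP_R3_LG": "GRAC_RA_RULESET_SAP_R3", "SAP_HR_LG": "GRAC_RA_RULESET_SAP_HR",
    "SAP_NHR_LG": "GRAC_RA_RULESET_SAP_NHR", "SAP_BAS_LG": "GRAC_RA_RULESET_SAP_BASIS",
    "SAP_APO_LG": "GRAC_RA_RULESET_SAP_APO", "SAP_CRM_LG": "GRAC_RA_RULESET_SAP_CRM",
    "SAP_ECC_LG": "GRAC_RA_RULESET_SAP_ECCS", "SAP_SRM_LG": "GRAC_RA_RULESET_SAP_SRM",
    "JDE_LG": "GRAC_RA_RULESET_JDE", "ORACLE_LG": "GRAC_RA_RULESET_ORACLE",
    "PSOFT_LG": "GRAC_RA_RULESET_PSOFT",
}
COMMON = "GRAC_RA_RULESET_COMMON"
AUTH_SYNC, REPO_SYNC = "GRAC_PFCG_AUTHORIZATION_SYNC", "GRAC_REPOSITORY_OBJECT_SYNC"

def preflight(inv):
    """Return findings that would block the first user-level risk analysis."""
    findings, active = [], set(inv["active_bc_sets"])
    if active & set(GROUP_BC_SET.values()) and COMMON not in active:
        findings.append(f"{COMMON} is not active but SAP rule sets are")
    for conn, cfg in sorted(inv["connectors"].items()):
        if "AUTH" not in cfg["scenarios"]:
            findings.append(f"{conn}: not linked to the AUTH scenario")
        if not cfg["logical_groups"]:
            findings.append(f"{conn}: not assigned to any logical group")
        for group in cfg["logical_groups"]:
            bc_set = GROUP_BC_SET.get(group)  # None: custom group, not checked
            if bc_set and bc_set not in active:
                findings.append(f"{conn}: {group} needs BC set {bc_set}")
    if not inv["rules_generated"]:
        findings.append("SoD rules have not been generated")
    runs = inv["sync_runs"]  # (program, mode) tuples in execution order
    for prog in (AUTH_SYNC, REPO_SYNC):
        if not any(p == prog for p, _ in runs):
            findings.append(f"{prog} has not run")
    repo_modes = [mode for prog, mode in runs if prog == REPO_SYNC]
    if repo_modes and repo_modes[0] != "FULL":
        findings.append(f"first {REPO_SYNC} run was {repo_modes[0]}, not FULL")
    return findings

# Constructed inventory: ECCCLNT100 is set up, HRCLNT200 is not.
SAMPLE = {
    "active_bc_sets": [COMMON, "GRAC_RA_RULESET_SAP_R3"],
    "connectors": {
        "ECCCLNT100": {"scenarios": ["AUTH"], "logical_groups": ["SAP_R3_LG"]},
        "HRCLNT200": {"scenarios": [], "logical_groups": ["SAP_HR_LG"]},
    },
    "rules_generated": True,
    "sync_runs": [(AUTH_SYNC, None), (REPO_SYNC, "INCREMENTAL")],
}
print("\n".join(preflight(SAMPLE)))
```

An empty list from `preflight` means every step in this document has been recorded as done for each connector; logical groups that do not belong to an SAP-delivered rule set are treated as custom and skipped.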

Additional Tasks

o Creating Root Org entry
o Setting up Batch Risk Analysis
o Setting up Action Usage
o Transporting rules

Additional Tasks: Creating Root Org entry

Before creating mitigating controls you need to create a Root Org entry. This replaces the Business Units in previous AC versions. Navigate to the IMG under Shared Master Data Settings and create a Root Org as shown below:

Additional Tasks: Setting up Batch Risk Analysis

Batch Risk Analysis can be scheduled using transaction GRAC_BATCH_RA (or program GRAC_BATCH_RISK_ANALYSIS). The options available are the same as in AC 5.3.

Note: You can monitor the batch risk analysis job with transaction GRACRABATCH_MONITOR. Please apply SAP Note 1551230 before using this transaction.

Additional Tasks: Setting up Action Usage

It is possible to view the action usage in different reports in AC 10.0. To show this information, go to IMG > Access Control > Synchronization and run Action Usage Sync (program GRAC_ACTION_USAGE_SYNC).

Additional Tasks: Transporting Rules

Rules can be transported via transaction GRAC_RULE_TRANSPORT. This will trigger a transport request to the systems configured in TMS.