ADM955
SAP GRC Access Control - Installation
SAP NetWeaver

Date
Training Center
Instructors
Education Website

Instructor Handbook
Course Version: 62
Course Duration: 4 Day(s)
Material Number: 50086970
Owner: Brenda Oumlil (I811059)

An SAP Compass course - use it to learn, reference it for work


Copyright

Copyright 2008 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation. ORACLE is a registered trademark of ORACLE Corporation. INFORMIX-OnLine for SAP and INFORMIX Dynamic Server™ are registered trademarks of Informix Software Incorporated. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.

About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style - Description

Example text - Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal (in this documentation) and external (in other locations, such as SAPNet).

Example text - Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT - Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

Example text - Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

Example text - Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

<Example text> - Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

Icons in Body Text

The following icons are used in this handbook.

Icon meanings:
- For more information, tips, or background
- Note or further explanation of previous point
- Exception or caution
- Procedures
- Indicates that the item is displayed in the instructor's presentation.

Contents

Course Overview
  Course Goals
  Course Objectives

Unit 1: Introduction
  Introduction

Unit 2: Pre-Installation Requirements
  Hardware and Software Requirements
  Software and Service Pack Downloads
  RTA Installation
  SLD Configuration
  IGS Configuration

Unit 3: Access Control Installation
  Access Control Installation

Unit 4: Post-Installation
  Creating JCo Connections to the Backend Systems
  Importing Pre-Defined Roles
  Creating an Administrator Role and Assigning it to a User ID
  Compliant User Provisioning Post-Installation Tasks
  Enterprise Role Management Post-Installation Tasks

Unit 5: Risk Analysis and Remediation
  Risk Analysis and Remediation Product Tour
  Risk Analysis and Remediation Configuration
  Virsa Risk Terminator Configuration

Unit 6: Superuser Privilege Management
  Superuser Privilege Management Features & Benefits
  Superuser Privilege Management Configuration

Unit 7: Compliant User Provisioning
  Access Enforcer Features & Benefits
  Connector Integration
  System Setup Part I
  System Setup Part II
  Workflow Configuration

Unit 8: Enterprise Role Management
  Enterprise Role Management Features & Benefits
  Enterprise Role Management Configuration

Unit 9: Access Control Workflow Integration
  What is Workflow Integration?
  Upload Append Files
  Identify Web Services URLs
  Create Custom Approver Determinators
  Create Workflows
  Activate Workflows in each Component

Unit 10: Troubleshooting
  Troubleshooting

Appendix 1: Downloading Access Control
Appendix 2: Solution Manager
Appendix 3: Installation Example

Course Overview

Target Audience

This course is intended for the following audiences:
- SAP GRC Security Consultants and System Administrators

Course Prerequisites

Required Knowledge
- SAP Security practices
- SOX Compliance
- Enterprise software implementation

Course Duration Details

Unit 1: Introduction
  Introduction - 10 Minutes
  Exercise 1: Introduction - 5 Minutes

Unit 2: Pre-Installation Requirements
  Hardware and Software Requirements - 15 Minutes
  Exercise 2: Hardware Software Requirements - 5 Minutes
  Software and Service Pack Downloads - 15 Minutes
  RTA Installation - 15 Minutes
  Exercise 3: Exercise for RTA Installation - 5 Minutes
  SLD Configuration - 20 Minutes
  Exercise 4: SLD Configuration - 5 Minutes
  IGS Configuration - 20 Minutes
  Exercise 5: IGS Configuration - 10 Minutes

Unit 3: Access Control Installation
  Access Control Installation - 60 Minutes
  Exercise 6: Access Control Installation - 20 Minutes

Unit 4: Post-Installation
  Creating JCo Connections to the Backend Systems - 30 Minutes
  Exercise 7: Creating JCO Connections to backend system - 10 Minutes
  Importing Pre-Defined Roles - 20 Minutes
  Exercise 8: Importing Predefined Roles - 5 Minutes
  Creating an Administrator Role and Assigning it to a User ID - 20 Minutes
  Exercise 9: Creating an Administrator Role and Assigning it to a User ID - 5 Minutes
  Compliant User Provisioning Post-Installation Tasks - 15 Minutes
  Exercise 10: Compliant User Provisioning Post-Installation Tasks - 5 Minutes
  Enterprise Role Management Post-Installation Tasks - 15 Minutes
  Exercise 11: Enterprise Role Management Post-Installation Tasks - Minutes

Unit 5: Risk Analysis and Remediation
  Risk Analysis and Remediation Product Tour - 30 Minutes
  Exercise 12: Risk Analysis and Remediation Product Tour - 15 Minutes
  Risk Analysis and Remediation Configuration - 45 Minutes
  Virsa Risk Terminator Configuration - 15 Minutes
  Exercise 13: Virsa Risk Terminator Configuration - 10 Minutes

Unit 6: Superuser Privilege Management
  Superuser Privilege Management Features & Benefits - 15 Minutes
  Exercise 14: Superuser Privilege Management Features & Benefits - 10 Minutes
  Superuser Privilege Management Configuration - 45 Minutes
  Exercise 15: Superuser Privilege Management Configuration - 5 Minutes

Unit 7: Compliant User Provisioning
  Access Enforcer Features & Benefits - 25 Minutes
  Exercise 16: Access Enforcer Features & Benefits - 5 Minutes
  Connector Integration - 25 Minutes
  System Setup Part I - 45 Minutes
  Exercise 17: System Setup Part I - 5 Minutes
  System Setup Part II - 60 Minutes
  Workflow Configuration - 45 Minutes
  Exercise 18: Workflow Configuration - 5 Minutes

Unit 8: Enterprise Role Management
  Enterprise Role Management Features & Benefits - 15 Minutes
  Enterprise Role Management Configuration - 60 Minutes
  Exercise 19: Enterprise Role Management Configuration - 5 Minutes

Unit 9: Access Control Workflow Integration
  What is Workflow Integration? - 15 Minutes
  Exercise 20: What is Workflow Integration? - Minutes
  Upload Append Files - 15 Minutes
  Exercise 21: Upload Append Files - 5 Minutes
  Identify Web Services URLs - 15 Minutes
  Exercise 22: Identify Web Services URLs - 5 Minutes
  Create Custom Approver Determinators - 15 Minutes
  Exercise 23: Create Custom Approver Determinators - 5 Minutes
  Create Workflows - 15 Minutes
  Activate Workflows in each Component - 15 Minutes

Unit 10: Troubleshooting
  Troubleshooting - 15 Minutes

Course Goals

This course will prepare you to:
- Identify the pre-installation requirements for SAP GRC Access Control
- Install SAP GRC Access Control
- Perform post-installation tasks
- Configure SAP GRC Access Control

Course Objectives

After completing this course, you will be able to:
- Identify pre-installation requirements for Access Control
- Install each component of Access Control
- Perform post-installation tasks for each component of Access Control
- Configure Access Control

The system landscape consists of two parts.

1. One copy of ERP 6.0
2. n NW 7.0 SP12 J2EEs, where n = number of course participants / 2 (e.g. 20 course participants need 10 NW 7.0 SP12 J2EEs)

If this course runs without exercises and the trainer wants to demonstrate something, the following is required:
- One copy of ERP 6.0
- One NW 7.0 SP12 J2EE Engine

There are no test or prep systems for the NW systems.

User ID and password for the basis server:

                     User ID   Password
OS-Level             install   adm955
J2EE-Administrator   install   adm955
SDM                            adm955

User ID and password for the ERP 6.0:

User ID: Training. The education department informs you about the actual password.

TRAINING SYSTEM

Your training system will be available and accessible on Sunday evening (CET time zone) in the week the training takes place. Do not use the system or prepare your course before that time. The system can still be in use by another course or in the refresh procedures of the IT preparation for your course! If you need a test/prep. system before your course takes place, see details under Training System -> Test/Prep. System.

TEST-/PREP. SYSTEM

No test/prep. system exists for this course. If testing or preparation is essential, let the education department order/book a system at least one week before the training via CSS ticket. Make clear that test/prep. systems should not be used in a training by participants without the permission of KPS. An access violation fee might be charged.

TRAINING WTS FARM

Nearly all SAP courses are designed to be taught via SAP Training Window Terminal Service Server Farms (WTS farms) so that trainings can also be held on customer sites (so-called onsite training). Unless the course restrictions mention another WTS farm or the use of the local PC front end, always use the Common Training WTS farm for your training. Use SAP software on a local PC front end only in SAP-owned training centers with good network bandwidth connections. Using SAP software on a local PC front end restricts the training support to the local IT support. The global training support can only support trainings via Training WTS farms.

Training at SAP training centers / Internal SAP training

The internal connectivity to the training WTS farms can only be used inside the SAP network infrastructure. To connect to the training WTS farm use http://wts.wdf.sap.corp:1080 . Choose your home region (US, EMEA or APJ). Select the Training-Zone menu. Connect to Common Training, if no other WTS farm is named for the training.

Customer Onsite training / Third party training center

Customer onsite training can only connect to the SAP training WTS farm via the SAP Citrix Secure Gateway (SAP CSG). Therefore you need a CSG user ID. The user ID has to be created in advance by the education department for the time of the training. The data (user ID and password) are delivered to you by the education department. Trainer and participants use the same dedicated CSG user ID and password for the training. To connect to the training WTS farm use http://mywts.sap.com. Enter the CSG user ID and password. Choose your home region (US, EMEA or APJ). Select the Training icon. Connect to Common Training, if no other WTS farm is named for the training.

USER ID AND PASSWORDS FOR THE COURSE

Training with Reference User IDs: To create the participants' users and your trainer user, log into the system with user Training. The monthly changed password should be delivered to you by your education department in the training information email/documentation. The standard format for User IDs is the Course ID, followed by the group number. The initial password is INIT. Use transaction ZUSR to copy these User IDs from the reference User ID.

Training with existing User IDs in the master system: The User IDs usually have the format Course ID followed by the two-digit group number. The trainer user is the user with the group number 00.

Unit 1

Introduction

Unit Overview

Contents:
- Introduction to SAP GRC Access Control
- SAP GRC Access Control Components

Unit Objectives

After completing this unit, you will be able to:
- Discuss the major features and benefits of SAP GRC Access Control
- Identify product components

Unit Contents

Lesson: Introduction
  Exercise 1: Introduction

Lesson: Introduction

Lesson Duration: 10 Minutes

Lesson Overview

Contents:
- Introduction to SAP GRC Access Control
- SAP GRC Access Control Components

Lesson Objectives

After completing this lesson, you will be able to:
- Discuss the major features and benefits of SAP GRC Access Control
- Identify product components

Business Example

Access Control Components

SAP Access Control consists of four solution components designed to help companies comply with Sarbanes-Oxley and other regulatory mandates:
- Risk Analysis and Remediation
- Superuser Privilege Management
- Compliant User Provisioning
- Enterprise Role Management

Access Control Features and Benefits

- Application for monitoring, testing, and enforcing access and authorization controls
- Rapidly identifies and removes access and authorization risk from IT systems
- Embeds preventive controls into business processes to stop future Segregation of Duties violations from occurring
- End-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risks across the enterprise
- Results in proper segregation of duties, lower costs, reduced risk, and better business performance

Reduction in the time, risk, and cost associated with compliance. Companies can address regulatory and business-related risks at a lower cost.

Figure 1: Access Control Suite

Baseline of Enterprise Business Rules for SoD and Sensitive Access Solving Access Control Challenges

The access control solutions in the SAP for GRC solutions work together to support your end-to-end compliance, from risk identification and remediation to sustainable and ongoing prevention. This diagram shows how SAP GRC access control products support and map to the compliance process. The first step is to deploy the Risk Analysis and Remediation application for SAP for risk identification and remediation. Next, many customers find they have issues and problems with roles, so they deploy the Enterprise Role Management application for SAP, which leverages Risk Analysis and Remediation, to bring role definition and management under control. Virtually every customer also has issues with superuser access, so they deploy the Virsa Firefighter application for SAP to get those issues under control. Once they are through the sprint phase, they deploy the Compliant User Provisioning application for SAP to sustain compliance through automated, compliant provisioning of user access and authorizations.

Exercise 1: Introduction

Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. Mention any two features of Access Control

Solution 1: Introduction

Task:

1. Mention any two features of Access Control

   Answer:
   1. Application for monitoring, testing, and enforcing access and authorization controls
   2. Rapidly identifies and removes access and authorization risk from IT systems

Lesson Summary

You should now be able to:
- Discuss the major features and benefits of SAP GRC Access Control
- Identify product components

Unit Summary

You should now be able to:
- Discuss the major features and benefits of SAP GRC Access Control
- Identify product components

Unit 2

Pre-Installation Requirements

Unit Overview

Contents:
- Hardware and Software Requirements for Access Control Installation
- Software and Service Pack Download Information
- RTA Installation
- System Landscape Directory Configuration
- Internet Graphics Server Configuration

Unit Objectives

After completing this unit, you will be able to:
- Identify system requirements for the Access Control suite
- Obtain installation software and files
- Obtain maintenance packages
- Install the required Real Time Agents
- Configure the System Landscape Directory
- Configure the Internet Graphics Server

Unit Contents

Lesson: Hardware and Software Requirements
  Exercise 2: Hardware Software Requirements
Lesson: Software and Service Pack Downloads
Lesson: RTA Installation
  Exercise 3: Exercise for RTA Installation
Lesson: SLD Configuration
  Exercise 4: SLD Configuration
Lesson: IGS Configuration
  Exercise 5: IGS Configuration

Lesson: Hardware and Software Requirements

Lesson Duration: 15 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
- Identify system requirements for the Access Control suite

Business Example

Figure 2: Access Control System Requirements

System setup with full SAP GRC Access Control Suite options

All hardware requirements are recommended system minimums. Additional hardware may be required. System sizing is dependent upon capacity needs. It must be understood that this is NetWeaver. Access Enforcer does not need a dedicated server for compliant provisioning. It can be installed on an existing NW system. 120 GB is built in for future growth and for installation of the entire suite. Operating system compatibility is that of NW in general, not specific to compliant provisioning. The same is true for database compatibility.

Supported Operating Systems

All operating systems currently supported by SAP NetWeaver, for example:
- Windows
- Unix
- Solaris
- Linux

Supported Databases

All databases currently supported by SAP NetWeaver, for example:
- MS SQL Server 2000, 2003 and 2005
- DB2

Additional Compliance Calibrator and Firefighter Requirements

Firefighter
- SAP IGS ver. 640 and above

Compliance Calibrator
- SAP IGS ver. 640 and above
- Verify that SLD is configured and running
- Recommend using separate dedicated hosts for CC and NetWeaver
- SAP BASIS with recommended Support Package:
    46C - SAPKB46C53
    46D - SAPKB46D44
    610 - SAPKB61048
    620 - SAPKB62061
    640 - SAPKB64019
    700 - SAPKB70010
- At least one Virsa Real Time Agent (RTA) provided with installation software
- J2EE must be configured as described in SAP Notes 716604 and 723909. (For instructions to configure J2EE server memory for SAP, refer to SAP Note 693662.)

Figure 3: Compliance Calibrator Technical Architecture


Figure 4: Integrating Access Enforcer with Access Control Suite 4.0 (ABAP)

Access Control Suite 4.0 is the ABAP version; Access Control 5.x is the NetWeaver version. Assume here that each system requires risk analysis. This may not be the case; the client may not need to include a QA box in their analysis. Provisioning to non-SAP systems is also possible. Access Enforcer requires an ABAP component installed on each system that Access Enforcer talks to; these are known as RTAs (Real Time Agents).

Figure 5: Integrating Access Enforcer with Access Control Suite 5.x (NetWeaver)

If a customer has Access Enforcer and CC5x on the WAS Java stack, then RTAs are only needed in the backend. If CC5x is not in the Java stack, then CC4.0 is needed in the backend systems. Access Enforcer requires different BAPI/RTA sets for HR versus non-HR systems. If a customer has an SAP HR system installed, even if they are not using it, they must use the HR-compatible RTAs.

RTAs must be installed on every backend system Access Enforcer interfaces with. If customers have a CUA system, they still need to install RTAs on all systems, not just the CUA. Access Enforcer needs the RTAs on all systems so that it can talk to the child systems for information.

Modified System Memory Settings

- To ensure that Access Control installation does not encounter an out of memory condition on NetWeaver, memory settings must be modified as described in SAP Note 723909
- Memory settings are modified through the ConfigTool installed with NetWeaver

For additional details on memory settings, refer to SAP Note 723909.

Note: Before adding the parameter -Xms1024m, make sure you check your system's Max Heap size. Do not change the Max Heap size or java parameter.

SAP Connectors

Every SAP system that needs to be connected must:
- Have either RTAs or CC4 SP2
- Be defined in SLD technical landscape
- Have logon groups defined (transaction SMLG)
- Have an entry in the Service file of the J2EE Server (requires a server restart on Windows after this entry)
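The connector prerequisites above and the recommended BASIS support package levels listed earlier in this lesson, written as a checklist script. This is an added example, not part of the SAP handbook: the inventory field names and the sample landscape are constructed, and the checks cover only the items this lesson lists.

```python
import re
from dataclasses import dataclass, field

# Recommended SAP BASIS support packages, copied from the list in this lesson.
RECOMMENDED_BASIS_SP = {
    "46C": "SAPKB46C53",
    "46D": "SAPKB46D44",
    "610": "SAPKB61048",
    "620": "SAPKB62061",
    "640": "SAPKB64019",
    "700": "SAPKB70010",
}

# "SAPKB" + three-character release + numeric support package level.
SP_NAME = re.compile(r"^SAPKB([0-9A-Z]{3})(\d{2,})$")


def parse_basis_sp(name):
    """Return (release, level) for a BASIS support package name."""
    match = SP_NAME.match(name.strip().upper())
    if match is None:
        raise ValueError(f"not a BASIS support package name: {name!r}")
    return match.group(1), int(match.group(2))


@dataclass
class Backend:
    """One backend system. All field names are hypothetical."""
    sid: str
    basis_release: str
    basis_sp: str                      # highest imported BASIS support package
    has_rta: bool = False
    has_cc4_sp2: bool = False
    in_sld: bool = False
    logon_groups: list = field(default_factory=list)
    in_j2ee_service_file: bool = False


def check_backend(system):
    """Return the unmet prerequisites for one backend system."""
    findings = []
    if not (system.has_rta or system.has_cc4_sp2):
        findings.append("no RTA or CC4 SP2 installed")
    if not system.in_sld:
        findings.append("not defined in SLD technical landscape")
    if not system.logon_groups:
        findings.append("no logon group defined (transaction SMLG)")
    if not system.in_j2ee_service_file:
        findings.append("no entry in J2EE server service file")

    recommended = RECOMMENDED_BASIS_SP.get(system.basis_release)
    if recommended is None:
        findings.append(
            f"BASIS release {system.basis_release} has no recommended "
            "support package listed")
        return findings
    try:
        release, level = parse_basis_sp(system.basis_sp)
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    if release != system.basis_release:
        findings.append(
            f"{system.basis_sp} does not belong to release "
            f"{system.basis_release}")
    elif level < parse_basis_sp(recommended)[1]:
        findings.append(f"{system.basis_sp} is below recommended {recommended}")
    return findings


def audit_landscape(systems):
    """Map SID -> findings for every system that fails at least one check."""
    report = {}
    for system in systems:
        findings = check_backend(system)
        if findings:
            report[system.sid] = findings
    return report


# Constructed sample: a CUA central system plus two child systems. The RTA
# is required on every system, not only on the CUA central system.
SAMPLE_LANDSCAPE = [
    Backend("CUA", "700", "SAPKB70012", has_rta=True, in_sld=True,
            logon_groups=["PUBLIC"], in_j2ee_service_file=True),
    Backend("ERP", "700", "SAPKB70008", in_sld=True,
            in_j2ee_service_file=True),
    Backend("R3Q", "46C", "SAPKB46C53", has_cc4_sp2=True,
            logon_groups=["PUBLIC"], in_j2ee_service_file=True),
]

if __name__ == "__main__":
    for sid, findings in audit_landscape(SAMPLE_LANDSCAPE).items():
        for finding in findings:
            print(f"{sid}: {finding}")
```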

System Landscape

It is recommended that a minimum of two system landscapes be installed:
- One system for Development, QA, and Training
- A second system for Production use

Figure 6: SAP GRC Access Control System Landscape

Support for Clustered Environments

Access Control supports clustered environments.

Clustering:
- Two or more servers interconnected
- Access common storage
- Enables load balancing, distributing processes across servers
- If one server fails, the application uses the other server
- Increases performance and scalability

Recommend clustered environments for:
- Systems with a high number of users
- All Access Control products installed on the same server

For more information about clustered environments, please see the GRC Sizing Guide.

Figure 7: System and User Administration

Authorizations

- Enforced in the User Management Engine (UME)
- Required for the following:
  - UME: One role and user ID is provided with the software for UME administrative tasks
  - Web Dynpro
  - Compliance Calibrator v5x

Figure 8: User Management Engine

Verify a Default Logon Group Exists in the Backend System

You will need this default logon group later when you are configuring the JCo Destination connector.

1. Log on to the SAP server
2. Execute transaction code smlg
3. The SAP Maintain Logon Groups window appears
4. Verify that there is a default logon group specified
5. If you do not already have a group that includes all SAP users, create one and name it PUBLIC

Figure 9: Activity

Exercise 2: Hardware Software Requirements

Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. RTA stands for ________.
   Fill in the blanks to complete the sentence.

2. UME stands for ________.
   Fill in the blanks to complete the sentence.

3. CC stands for ________.
   Fill in the blanks to complete the sentence.

4. AE stands for ________.
   Fill in the blanks to complete the sentence.

5. Access Enforcer needs a dedicated server for compliant provisioning.
   Determine whether this statement is true or false.
   True / False

6. Is J2EE installation required for configuring Compliance Calibrator?
   Determine whether this statement is true or false.
   True / False

7. What is the parameter name for max heap size of java?

8. What is the minimum recommended value of max heap size for Java parameter?

Solution 2: Hardware Software Requirements

Task:

1. RTA stands for Real Time Agents.
   Answer: Real Time Agents

2. UME stands for User Management Engine.
   Answer: User Management Engine

3. CC stands for Compliance Calibrator.
   Answer: Compliance Calibrator

4. AE stands for Access Enforcer.
   Answer: Access Enforcer

5. Access Enforcer needs a dedicated server for compliant provisioning.
   Answer: False
   Access Enforcer does not need a dedicated server for compliant provisioning.

6. Is J2EE installation required for configuring Compliance Calibrator?
   Answer: True
   J2EE must be configured for Compliance Calibrator.

7. What is the parameter name for max heap size of java?
   Answer: -Xms

8. What is the minimum recommended value of max heap size for Java parameter?
   Answer: Minimum recommended value is 1024 MB and it is specified in parameter -Xms1024m.

Lesson Summary

You should now be able to:
- Identify system requirements for the Access Control suite

Lesson: Software and Service Pack Downloads

Lesson Duration: 15 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
- Obtain installation software and files
- Obtain maintenance packages

Business Example

Software Installation Downloads

- SAP support provides instructions for downloading software from SAP Service Marketplace
- SAP provides software installation guides for each application
- Installation guides are available using the Software Deployment Manager (SDM)
- Each guide provides detailed information on which files to download

1. Navigate to Service Marketplace: http://www.service.sap.com
2. Click the Software Download link under the SAP Support Portal
3. Expand the Download and then the Installations & Upgrades menu
4. Choose Entry by Application Group
5. Click SAP Solutions for Governance, Risk, and Compliance
6. Click the SAP GRC Access Control link
7. Click the Access Control component you wish to install (CC, AE, FF, RE)
8. Add the files to the Download Basket

For additional information and detailed steps for downloading the Access Control software, please see the Appendix in this guide.


Solution Manager

SAP Solution Manager Maintenance Optimizer is required to obtain corrective software packages for SAP NetWeaver 2004s and SAP Business Suite 2005 delivered after April 2, 2007, and other updates for Access Control.
Note that support package stacks, support packages and patches for Java instances, and kernel patches do not require Maintenance Optimizer.

Figure 10: Maintenance Optimizer

For additional information and detailed steps for downloading support packs, please see the Appendix in this guide.


Facilitated Discussion

Discussion Questions

Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.


Lesson Summary

You should now be able to:
Obtain installation software and files
Obtain maintenance packages


Lesson: RTA Installation

Lesson Duration: 15 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
Install the required Real Time Agents

Business Example

Compliance Calibrator: Real Time Agents (RTAs)

Access Control requires the ABAP Add-on Component VIRSANH for any Basis system and VIRSAHR for the SAP R/3 systems.
Available for the following:
   SAP 4.6B and above
   Non-SAP systems
Custom RTAs
   Can be built by the customer
For each Add-on component, you must also install the latest corresponding support packs

Please see the ABAP Component Installation guides for additional information and detailed installation steps.


Installing the RTAs

To install the add-on package VIRSANH:

1. Extract the CAR file K-520COINVIRSANH.CAR
2. Copy the corresponding PAT file Q5X0020190772000000.PAT into the EPS/in folder of the SAP system
3. In the SAP backend, log into Client 000 using a user account with Administration privileges
4. In the SAP Easy Access panel, execute transaction SAINT
5. All PAT files stored in the indicated path location are listed. Verify that the PAT file SAPK-520COINVIRSANH is uploaded successfully, then click the Back icon to return to the Add-On Installation panel
6. In the Add-On Installation panel, click Start
7. Select the installation package VIRSANH and click Start.

A pop-up window appears indicating that the VIRSANH component will now be installed. You can:
   Click OK to continue installing the package; or
   Select a Start Option such as
      Start in background immediately
      Start in dialog immediately
      Start in background later
   Click OK, then confirm the selection.
The add-on package installation begins. To see the stages of the installation in progress, click the Refresh icon.
Once the installation is complete, click the Confirm icon to confirm the installation process
If you are using systems that have SAP_HR components, repeat this process for the CAR file K-520COINVIRSAHR.CAR to create the PAT file Q5X00201907720000001.PAT for the VIRSAHR add-on component


Installing RTAs: Activating BC Sets

Execute transaction SCPR20 in the client where you are going to use Access Control and activate the appropriate BC set:
   For Compliance Calibrator: /VIRSA/CCTAB_52
   Firefighter: /VIRSA/FFTAB_52
   Access Enforcer: /VIRSA/AETAB_52
   Role Expert: /VIRSA/RETAB_52
After activating the BC set, execute transaction PFCG in the client and check whether the default role(s) have been generated
If the default roles have not been generated, then you need to generate them


Exercise 3: Exercise for RTA Installation

Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. Access Control requires the ABAP Add-on Component ______ for any Basis system and ______ for the SAP R/3 systems.
   Fill in the blanks to complete the sentence.
2. Which transaction is used to activate BC sets?


Solution 3: Exercise for RTA Installation

Task:

1. Access Control requires the ABAP Add-on Component VIRSANH for any Basis system and VIRSAHR for the SAP R/3 systems.
   Answer: VIRSANH, VIRSAHR
2. Which transaction is used to activate BC sets?
   Answer: Execute transaction SCPR20 in the client where you are going to use Access Control and activate the appropriate BC set.


Lesson Summary

You should now be able to:
Install the required Real Time Agents


Lesson: SLD Configuration

Lesson Duration: 20 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
Configure the System Landscape Directory

Business Example

System Landscape Directory (SLD)

Access Control requires configuration of the SLD for connection to SAP Backend systems ABAP stack
SLD comes as part of Standard NetWeaver installation
Compliance Calibrator can talk to any existing Centralized SLD
SLD can also be installed in the same J2EE Server as Compliance Calibrator

Using the Visual Administrator Tool to Configure an SLD Data Supplier

1. Execute the Visual Administrator tool script or batch file

Operating Environment: UNIX with Java only
   Directory Path: /usr/sap//JC/J2ee/admin
   Example: /usr/sap/sap_system1/JC00/J2ee/admin/
   File Name: Go.sh

Operating Environment: UNIX with Java and ABAP add-on
   Directory Path: /usr/sap//DVEBMGS/J2ee/admin
   Example: /usr/sap/sap_system1/DVEBMGS00/J2ee/admin/
   File Name: Go.sh

Operating Environment: Windows with Java only
   Directory Path: c:\usr\sap\\JC\j2ee\admin
   Example: c:\usr\sap\sap_system1/JC00/j2ee/admin/
   File Name: Go.bat

Operating Environment: Windows with Java and ABAP add-on
   Directory Path: c:\usr\sap\\DVEBMGS\J2ee\admin
   Example: c:\usr\sap\sap_system1/DVEBMGS00/J2ee/admin/
   File Name: Go.bat

In the preceding table:
   SAP_SID is the system ID for your SAP server
   instance is the instance ID of your J2EE engine

2. Select an SAP J2EE Engine from the Connection screen and click Connect
3. Enter the password for the J2EE Administrator
4. Expand the navigation menu under your J2EE server name and expand the Services list item
5. Click SLD Data Supplier
6. Click the HTTP Settings tab
7. Enter the host name and port number, then enter the user name and password for your system connection

Note: Do not enter the Fully Qualified Domain Name for the SLD server. Enter the host name only and make sure the host is registered in the Domain Name Service (DNS). The SLD uses port 5xx00, where xx is the J2EE engine instance. For example, if the J2EE instance were 35, then the SLD message port assignment would be 53500.


Figure 11: Using the Visual Administrator Tool to Configure an SLD Data Supplier

8. Click Save
9. Click the CIM client Generation Settings tab
10. Enter the same host, port, and user account information entered in Step 7
11. Click Save
12. Click the supplier (data transfer) icon at the top of the pane to transfer the information you entered to the SLD server. A pop-up window displays the message Trigger SLD data transfer?
13. Click Yes. A pop-up window informs you that the data has been transferred successfully


Figure 12: Activity


Exercise 4: SLD Configuration

Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. Give the name of visual administrator batch file.
2. Give the directory path of batch file required to start visual administrator in windows environment.


Solution 4: SLD Configuration

Task:

1. Give the name of visual administrator batch file.
   Answer: Go.sh for UNIX and Go.bat for windows environment.
2. Give the directory path of batch file required to start visual administrator in windows environment.
   Answer: drive_name:\usr\sap\SAP_SID\JC_instance\j2ee\admin


Lesson Summary

You should now be able to:
Configure the System Landscape Directory


Lesson: IGS Configuration

Lesson Duration: 20 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
Configure the Internet Graphics Server

Business Example

Configure the Internet Graphics Server

The Internet Graphics Server (IGS) is included with the NetWeaver software
Configure the IGS using the Visual Administrator tool

Configure the Internet Graphics Server

1. Execute the Visual Administrator tool script or batch file

Operating Environment: UNIX with Java only
   Directory Path: /usr/sap//JC/J2ee/admin
   Example: /usr/sap/sap_system1/JC00/J2ee/admin/
   File Name: Go.sh

Operating Environment: UNIX with Java and ABAP add-on
   Directory Path: /usr/sap//DVEBMGS/J2ee/admin
   Example: /usr/sap/sap_system1/DVEBMGS00/J2ee/admin/
   File Name: Go.sh

Operating Environment: Windows with Java only
   Directory Path: c:\usr\sap\\JC\j2ee\admin
   Example: c:\usr\sap\sap_system1/JC00/j2ee/admin/
   File Name: Go.bat

Operating Environment: Windows with Java and ABAP add-on
   Directory Path: c:\usr\sap\\DVEBMGS\J2ee\admin
   Example: c:\usr\sap\sap_system1/DVEBMGS00/J2ee/admin/
   File Name: Go.bat

In the preceding table:
   SAP_SID is the system ID for your SAP server
   instance is the instance ID of your J2EE engine

Figure 13: Configure the Internet Graphics Server


Configure the Internet Graphics Server

3. Under the Display Configuration tab, expand the webdynpro navigation list item
   Expand sap.com
   Expand tc-wd~disprwda
   Above the navigation list, click the Edit Mode (pencil) icon
   A pop-up window warns that you are about to enter Edit Mode, and requests you to confirm that you want to proceed.
4. Click Yes

Figure 14: Configure the Internet Graphics Server


Figure 15: Configure the Internet Graphics Server

Configure the Internet Graphics Server

7. In the Custom field, enter the IGS server name and port number, using the following format:
   server_name:port
   Where
      server_name is the name of the IGS server
      port is the IGS server port, in the format 4xx80
      xx is the instance ID of the J2EE engine
      The default port assignment is 40080
8. Click Apply custom, then click OK
9. Exit the Visual Administrator tool


Figure 16: SAP Internet Graphics Server

Figure 17: Activity


Exercise 5: IGS Configuration

Exercise Duration: 10 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. Give the path to change URL for IGS in Visual Administrator?
2. What is the name of the parameter for changing the URL for IGS.
3. Format of IGS server port number is ______.
   Fill in the blanks to complete the sentence.


Solution 5: IGS Configuration

Task:

1. Give the path to change URL for IGS in Visual Administrator?
   Answer: After logging in visual administrator traverse to cluster > server > services > configuration adapter > Display Configuration tab > sap.com > tc-wd~disprwda > Propertysheet default
2. What is the name of the parameter for changing the URL for IGS.
   Answer: Name of the java parameter is IGSUrl.
3. Format of IGS server port number is 4xx80 (xx is instance ID of J2EE engine).
   Answer: 4xx80 (xx is instance ID of J2EE engine)


Lesson Summary

You should now be able to:
Configure the Internet Graphics Server


Unit Summary

You should now be able to:
Identify system requirements for the Access Control suite
Obtain installation software and files
Obtain maintenance packages
Install the required Real Time Agents
Configure the System Landscape Directory
Configure the Internet Graphics Server


Unit 3

Access Control Installation

Unit Overview

Contents:
Unpacking Access Control installation files
Connecting to the server via SDM
Installing the files for Compliance Calibrator, Firefighter, Access Enforcer, and Role Expert
Restarting the J2EE engine

Unit Objectives

After completing this unit, you will be able to:
Unpack the Access Control installation files
Connect to the server via SDM
Install CC, FF, AE, and RE
Restart the J2EE engine

Unit Contents

Lesson: Access Control Installation
   Exercise 6: Access Control Installation


Lesson: Access Control Installation

Lesson Duration: 60 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
Unpack the Access Control installation files
Connect to the server via SDM
Install CC, FF, AE, and RE
Restart the J2EE engine

Business Example

Figure 18: Risk Analysis and Remediation: Installation (1)

SAPCAR is a DOS command utility used to unpack the installation files
Enter the file path and name
The standard rule set is included in the packaged file, plus all necessary deployment files

Figure 19: Risk Analysis and Remediation: Installation (2)

Figure 20: Risk Analysis and Remediation: Installation (3)


Figure 21: Risk Analysis and Remediation: Installation (4)

Installation: Compliance Calibrator Installation Files

The installation files MUST be deployed in the following order:
   Virsa~ccxsysdb.sda          Database
   Virsaalib.sda               Virsa J2EE Library
   Sap.com~ccume.sda           UME Actions and Permissions
   Virsa~ccxsysbe.ear          BAPI models: non-HR
   Virsa~ccxsysbehr.ear        BAPI models: HR
   Virsa~ccappcomp.ear         User interface
   Virsa~ccxsysbgear.ear       Background daemon
   Virsa~ccxsysws.ear          Access Enforcer, Role Expert, and Process Control interface (Optional)
   Virsa~ccxsysactionws.ear    RE interface (Optional)

When installing over a previous Compliance Calibrator release, you may see deployment files already in the Deployment list. If you see the file virsa~ccwsproxy.ear, make sure you undeploy that file, or your installation will not function properly.


Figure 22: Risk Analysis and Remediation: Installation (5)

Risk Analysis and Remediation: Installation

Select the radio button to Update deployed SDAs/SCAs that have any version, then click the Next button.
Click Next again.
Click Start. The deployment file information will be added to the database.
Click the Confirm button.
Continue this process until you have deployed all of the Compliance Calibrator installation files.
Click the SDM Repository tab and expand J2EE Engine menu item. Here you will see all the files that have been deployed.
To exit SDM, click Repository in the top menu, then click Exit.


Figure 23: Risk Analysis and Remediation: Installation (6)

Note that this process can take several minutes to complete.


Figure 24: Risk Analysis and Remediation: Installation (7)

Verifying installation using the Web Dynpro Content Administrator

Open a Web browser and enter the following address: http://.wdf.sap.corp:/index.htm
Click the Web Dynpro link
Click Content Administrator
Click Check SLD Connection
Click Virsa
Click Virsa/ccappcomp
Click Applications
Click Compliance Calibrator
Click Run
You should see the Compliance Calibrator login screen


Figure 25: Activity

Installation: Superuser Privilege Management

The installation files MUST be deployed in the following order:
   Sapgrc~ffdb.sda         Firefighter Data Dictionary
   Firefighterlib.sda      Firefighter Libraries
   Sapgrc~ffume.sda        Firefighter Actions
   Sapgrc~ffappcomp.ear    Firefighter Executables

Figure 26: Installation: Superuser Privilege Management


Figure 27: Activity

Installation: Compliant User Provisioning

Select the first Access Enforcer deployment file, then click the Choose button.
The installation files MUST be deployed in the following order:
   AEDictionary.sda        Access Enforcer Data Dictionary
   AEUME.sda               Actions required by Access Enforcer
   AEEAR.ear               Access Enforcer Executables
   AEWorkFlowSEAR.ear      Access Enforcer Web Services for Role Expert Integration
   AEEAR4WS.ear            Web Services for Sun IDM Integration

Verify that Access Enforcer is in your system.
   Open a Web browser
   Enter the following address: http://.wdf.sap.corp:/AE/index.jsp
   You should see the Access Enforcer login screen


Figure 28: Activity

Installation: Enterprise Role Management

Select the first Role Expert deployment file, then click the Choose button.
Role Expert installation files MUST be deployed in the following order:
   REDictionary.sda                       Role Expert Data Dictionary
   REUME.sda                              Actions required by Role Expert
   REEAR.ear                              Role Expert Executables
   AEWFCADApproverServerceWS_5_2.ear      Data required to send approver information to Access Enforcer for role approval
   AEWFExitServiceWS_5_2.ear              Data required to return role approval or rejection information from Access Enforcer to Role Expert

Verify that Role Expert is in your system.
   Open a Web browser
   Enter the following address: http://.wdf.sap.corp:/RE/index.jsp
   You should see the Role Expert login screen
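The four deployment orders in this lesson, and the warning about virsa~ccwsproxy.ear, can be checked against a planned SDM deployment before anything is deployed. The Python below is an added example, not SAP tooling and not part of the course material: the file names are the ones listed in this lesson, while the function name check_deployment, the finding strings and the sample plan are assumptions made for illustration.

```python
"""Check a planned SDM deployment sequence against the order given in this lesson."""

# (file name, optional?) in the order the lesson says the files MUST be deployed.
# Only the two files the lesson labels "Optional" are treated as optional.
REQUIRED_ORDER = {
    "CC": [  # Compliance Calibrator
        ("Virsa~ccxsysdb.sda", False),
        ("Virsaalib.sda", False),
        ("Sap.com~ccume.sda", False),
        ("Virsa~ccxsysbe.ear", False),
        ("Virsa~ccxsysbehr.ear", False),
        ("Virsa~ccappcomp.ear", False),
        ("Virsa~ccxsysbgear.ear", False),
        ("Virsa~ccxsysws.ear", True),
        ("Virsa~ccxsysactionws.ear", True),
    ],
    "FF": [  # Firefighter
        ("Sapgrc~ffdb.sda", False),
        ("Firefighterlib.sda", False),
        ("Sapgrc~ffume.sda", False),
        ("Sapgrc~ffappcomp.ear", False),
    ],
    "AE": [  # Access Enforcer
        ("AEDictionary.sda", False),
        ("AEUME.sda", False),
        ("AEEAR.ear", False),
        ("AEWorkFlowSEAR.ear", False),
        ("AEEAR4WS.ear", False),
    ],
    "RE": [  # Role Expert
        ("REDictionary.sda", False),
        ("REUME.sda", False),
        ("REEAR.ear", False),
        ("AEWFCADApproverServerceWS_5_2.ear", False),
        ("AEWFExitServiceWS_5_2.ear", False),
    ],
}

# Left over from a previous Compliance Calibrator release; the lesson says it
# must be undeployed or the installation will not function properly.
STALE_FILES = {"virsa~ccwsproxy.ear"}


def check_deployment(component, planned, already_deployed=()):
    """Return a list of findings; an empty list means the plan follows the lesson."""
    spec = REQUIRED_ORDER[component]
    # Compare case-insensitively: the lesson itself mixes "Virsa~" and "virsa~".
    rank = {name.lower(): pos for pos, (name, _optional) in enumerate(spec)}
    findings = []

    for name in already_deployed:
        if name.lower() in STALE_FILES:
            findings.append(f"stale: undeploy {name} first")

    seen = set()
    highest = -1  # position of the latest-in-order file deployed so far
    for name in planned:
        key = name.lower()
        if key in STALE_FILES:
            findings.append(f"stale: {name} must not be deployed")
        elif key not in rank:
            findings.append(f"unknown: {name} is not a {component} file")
        elif key in seen:
            findings.append(f"duplicate: {name}")
        else:
            if rank[key] < highest:
                findings.append(
                    f"order: {name} must be deployed before {spec[highest][0]}"
                )
            highest = max(highest, rank[key])
            seen.add(key)

    for name, optional in spec:
        if not optional and name.lower() not in seen:
            findings.append(f"missing: {name}")
    return findings


if __name__ == "__main__":
    # Constructed plan: library and UME files swapped, on a system that still
    # carries the old proxy file from an earlier release.
    plan = [name for name, optional in REQUIRED_ORDER["CC"] if not optional]
    plan[1], plan[2] = plan[2], plan[1]
    for finding in check_deployment("CC", plan, ["virsa~ccwsproxy.ear"]):
        print(finding)
```
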


Figure 29: Activity


Exercise 6: Access Control Installation

Exercise Duration: 20 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. What is the full form of SDA and SCA?
2. It is important to follow a proper order/sequence while deploying access control installation files.
   Determine whether this statement is true or false.
   True
   False
3. What is the method to unpack (uncar) access control installation files?


Solution 6: Access Control Installation

Task:

1. What is the full form of SDA and SCA?
   Answer: SDA stands for Software deployment archive and SCA stands for Software component archive.
2. It is important to follow a proper order/sequence while deploying access control installation files.
   Answer: True
   The installation files MUST be deployed in the order recommended by SAP.
3. What is the method to unpack (uncar) access control installation files?
   Answer: Access control installation files are .car files. Sapcar command is used to unpack these files.
   1. Open command prompt.
   2. Go to the directory where you want to decompress via the cd command.
   3. SAPCAR -xvf (your-SAR-file) or car -xvf (your-SAR-file)
      On AS/400: SAPCAR -xvf (your-SAR-file)
   Then all files and directories, that are stored in this archive, become decompressed


Lesson Summary

You should now be able to:
Unpack the Access Control installation files
Connect to the server via SDM
Install CC, FF, AE, and RE
Restart the J2EE engine


Unit Summary

You should now be able to:
Unpack the Access Control installation files
Connect to the server via SDM
Install CC, FF, AE, and RE
Restart the J2EE engine


Unit 4

Post-Installation

Unit Overview

Contents:
Creating JCo connections to the backend systems
Importing Pre-Defined Roles
Creating an Administrator Role and assigning it to a User ID
Importing Initial Configuration Data for Access Enforcer and Role Expert

Unit Objectives

After completing this unit, you will be able to:
Create JCo connections to the backend systems
Import roles for Access Control component.
Assign Role to user.
Identify Access Enforcer pre-defined workflow roles
Import initial Access Enforcer configuration data
Identify Pre-Defined Role Expert roles
Import initial Role Expert system data

Unit Contents

Lesson: Creating JCo Connections to the Backend Systems
   Exercise 7: Creating JCO Connections to backend system
Lesson: Importing Pre-Defined Roles
   Exercise 8: Importing Predefined Roles
Lesson: Creating an Administrator Role and Assigning it to a User ID
   Exercise 9: Creating an Administrator Role and Assigning it to a User ID
Lesson: Compliant User Provisioning Post-Installation Tasks
   Exercise 10: Compliant User Provisioning Post-Installation Tasks
Lesson: Enterprise Role Management Post-Installation Tasks
   Exercise 11: Enterprise Role Management Post-Installation Tasks


Lesson: Creating JCo Connections to the Backend Systems

Lesson Duration: 30 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
Create JCo connections to the backend systems

Business Example

Figure 30: Create System Connectors

You can connect to as many as:
   15 RTAs for HR-only or Non-HR SAP systems
   3 additional HR-only RTAs for SAP R3 systems


For each back end SAP server you connect to your installation, you need to install an RTA and to establish a JCo destination with model data and metadata
For a list of JCo connections and instructions, please refer to the Risk Analysis and Remediation Installation Guide.

Create System Connectors

Before you create model data and metadata, verify that each SAP server with a Risk Analysis and Remediation RTA:
   Is configured in the System Landscape Directory (SLD)
   Has a default logon group defined
   Can be accessed by the NetWeaver server Services file
   Includes an RFC user account for the Risk Analysis and Remediation connection that includes the required permissions
      These permissions are described in the RFC Authorizations chapter of the Risk Analysis and Remediation Security Guide

Note: Whenever you establish or modify a JCo destination, you must restart your Java engine in order to load the updated connection information to the NetWeaver server.

Creating JCo Connections

You must establish at least one JCo connection between the Compliance Calibrator Java component (installed on a NetWeaver server) and a Compliance Calibrator ABAP component (the RTA installed on an SAP server)
Import model data and metadata for each JCo destination you want to create
Use the SAP NetWeaver Content Administrator in the Web Dynpro tools
Connector model data and metadata files are included in the CC installation package

JCo Connections

You can connect to as many as:
   Fifteen RTAs for HR-only or Non-HR systems
   Three additional HR-only RTAs for SAP R3 systems

Note: For each backend SAP server you connect to your installation, you must install an RTA and establish a JCo destination with model data and metadata.


JCo Connector Files for Compliance Calibrator Systems

The first set of files are used when you are doing Cross-Application Analysis, i.e., when you are analyzing across SAP and Non-SAP systems.

To Connect: An HR or a Non-HR ABAP component (RTA) to the front-end Java component.
Connection limit: Fifteen (15) systems
Use These JCo Destinations:
   VIRSAXSR3_01_MODEL & VIRSAXSR3_01_METADATA
   VIRSAXSR3_02_MODEL & VIRSAXSR3_02_METADATA
   ....
   VIRSAXSR3_15_MODEL & VIRSAXSR3_15_METADATA

To Connect: An HR or a Non-HR ABAP component (RTA) to the front-end Java component.
Connection limit: Three systems
Use These JCo Destinations:
   VIRSAR3_01_MODEL & VIRSAR3_01_METADATA
   VIRSAR3_02_MODEL & VIRSAR3_02_METADATA
   VIRSAR3_03_MODEL & VIRSAR3_03_METADATA

To Connect: An HR-only ABAP component (RTA) to the front-end Java
Connection limit: Three HR-only systems
Use These JCo Destinations:
   VIRSAHR_MODEL & VIRSAHR_METADATA
   VIRSAHR_01_MODEL & VIRSAHR_01_METADATA
   VIRSAHR_02_MODEL & VIRSAHR_02_METADATA


Importing Connector Data

Before creating model data and metadata, verify that each SAP server with a Risk Analysis and Remediation RTA:
   Is configured in the SLD
   Has a default logon group defined
   Can be accessed by the NetWeaver server Services file
   Includes an RFC user account for the Risk Analysis and Remediation connection that includes the required permissions

Note: An administrative user account is required to import connector data. If you do not have one on your system, create one, such as WF_BATCH, before you begin.

Importing Connector Data

1. Open an internet browser and enter the following address: http://:50000/index.html
2. The SAP NetWeaver home page appears.
3. Click Web Dynpro, then in the Web Dynpro Tool Applications, click Content Administrator
4. Enter your user ID and password in the UME logon window
5. The WebDynpro Content Administrator window opens


Figure 31: Importing Connector Data

Figure 32: Importing Connector Data


Figure 33: Importing Connector Data

Figure 34: Importing Connector Data


Figure 35: Importing Connector Data

Figure 36: Importing Connector Data


Figure 37: Importing Connector Data

Figure 38: Importing Connector Data


Figure 39: Importing Connector Data

If the test is unsuccessful, click the Log Viewer tab to view information about where the connection problem occurs.

Importing Connector Data

Now that you have created a JCo destination for the METADATA file, locate the MODEL DATA file for the system you are installing and create a JCo destination for it, using the same steps you used for the METADATA file.

Remember to choose the correct Data type:
   For METADATA files, select the Dictionary Meta Data option
   For MODEL DATA files, select the Application Data option

Caution: Whenever you establish or modify a JCo destination, you need to restart your Java engine in order to load the updated connection information to the NetWeaver server.


Figure 40: Activity


Exercise 7: Creating JCO Connections to backend system

Exercise Duration: 10 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

Business Example

Task:

1. What are the prerequisites to be checked for creating model data and metadata, in each SAP server with a Risk Analysis and Remediation RTA?


Solution 7: Creating JCO Connections to backend system

Task:

1. What are the prerequisites to be checked for creating model data and metadata, in each SAP server with a Risk Analysis and Remediation RTA?
   Answer: Following are the prerequisites:
   1. Is configured in the System Landscape Directory (SLD)
   2. Has a default logon group defined
   3. Could be accessed by the NetWeaver server Services file
   4. Includes an RFC user account for the Risk Analysis and Remediation connection that includes the required permission


Lesson Summary

You should now be able to:
Create JCo connections to the backend systems


Lesson: Importing Pre-Defined Roles

Lesson Duration: 20 Minutes

Lesson Overview

Lesson Objectives

After completing this lesson, you will be able to:
Import roles for Access Control component.
Assign Role to user.

Business Example

Administration Roles

Roles can either be created or imported
Access Control components are delivered with pre-defined role files:
   UMERoles_CC52.txt
   ae_ume_roles.txt
   re_ume_roles.txt
Firefighter roles are not pre-defined and must be created
Delivered roles include:
   Compliance Calibrator: virsa_CC_Administrator
   Access Enforcer: AEAdmin, AEApprover, AESecurity
   Role Expert: REAdmin


Figure 41: Importing Predefined Roles

*UME Role Files by Product:
   Compliance Calibrator: UMERoles_CC52.txt
   Access Enforcer: ae_ume_roles.txt
   Role Expert: re_ume_roles.txt

These role files can be found in the root directory of the expanded installation archive.

Figure 42: Importing Pre-Defined Roles


Figure 43: Create a User

Figure 44: Assign the Administration Role to a User

Note: If you imported the predefined Compliance Calibrator roles, search for and assign the built-in Administrator role VIRSA_CC_ADMINISTRATOR.


Figure 45: Assign the Administrator Role to a User


Exercise 8: Importing Predefined Roles

Exercise Duration: 5 Minutes

Task:

1. ________ is the built-in administrator role for Compliance Calibrator.
   Fill in the blanks to complete the sentence.


Solution 8: Importing Predefined Roles

Task:

1. VIRSA_CC_ADMINISTRATOR is the built-in administrator role for Compliance Calibrator.

Answer: VIRSA_CC_ADMINISTRATOR


Lesson Summary

You should now be able to:
- Import roles for Access Control component.
- Assign Role to user.

Lesson: Creating an Administrator Role and Assigning it to a User ID

Lesson Duration: 20 Minutes

Lesson Objectives

After completing this lesson, you will be able to:
- Identify Access Enforcer pre-defined workflow roles
- Import initial Access Enforcer configuration data

Create an Administration Role

Instead of using pre-defined roles, you can create an Administrator role and assign it to a User ID.
- Use the User Management Engine (UME) to create a custom administrative role
- Firefighter does not include a pre-defined Administrator role; one must be created

In the following example, a Compliance Calibrator Administration role is created.

Note: Compliance Calibrator includes several predefined roles that you can import. You do not need to create a Compliance Calibrator Administration role unless your business needs require you to create this role with customized permissions.


Create an Administration Role

- Open an internet browser and enter the following address: http://<Server_name>:5<Instance>00/index.html
    Server_name is the name of your J2EE system
    Instance is the instance of your J2EE engine
- Click User Management
- On the Index page of the UME, click Create Role
- In the Details section, enter a name and a description for the Compliance Calibrator Administration role, then click Save

Figure 46: Create an Administration Role (1)


Figure 47: Create an Administration Role (2)

Figure 48: Create an Administration Role (3)


Figure 49: Activity

Figure 50: Create a Firefighter Administrator Role (1)


Figure 51: Create a Firefighter Administrator Role (2)

Figure 52: Create a Firefighter Administrator Role (3)


Figure 53: Activity


Exercise 9: Creating an Administrator Role and Assigning it to a User ID

Exercise Duration: 5 Minutes

Task:

1. Administrator roles for CC and AE are predefined.
   Determine whether this statement is true or false.
   True
   False


Solution 9: Creating an Administrator Role and Assigning it to a User ID

Task:

1. Administrator roles for CC and AE are predefined.

Answer: False
Administrator roles for CC and AE are NOT predefined. They are created using actions.


Lesson Summary

You should now be able to:
- Identify Access Enforcer pre-defined workflow roles
- Import initial Access Enforcer configuration data

Lesson: Compliant User Provisioning Post-Installation Tasks

Lesson Duration: 15 Minutes

Lesson Objectives

After completing this lesson, you will be able to:
- Identify Access Enforcer pre-defined workflow roles
- Import initial Access Enforcer configuration data

Compliant User Provisioning Post-Installation Tasks

UME in Relation to Compliant User Provisioning
- Centralized user management
- Can be configured to work with user management data from multiple data sources (i.e. LDAP)
- Role-based identity management
- Authorizations assigned to users based on job function
- Protects access to Access Enforcer (type of security)
- Authorizations enforced using permissions, actions, and roles
- Assigning roles to users defines the users' authorizations
- Provides both authentication and authorization for Access Enforcer Administrators and Approvers
- All Approvers and Access Enforcer Admins must be in UME
- UME may be synched with LDAP or other data sources


Compliant User Provisioning Post-Installation Tasks

Pre-delivered Access Enforcer UME Roles

Initial installation files include a text file containing basic roles and permissions that are used with workflows:
- AEAdmin: Responsible for system configuration and workflow management
- AEApprover: Responsible for approving or denying requests
- AESecurity: Responsible for security related request approval or rejection

Default roles may be modified and new roles created as dictated by the customer's user and role permission requirements. It is recommended that you assign the AEAdmin role to at least two users.

Note: The pre-delivered UME roles are suggestions that may be changed for the permissions a customer wishes to configure for their users and roles.

Refer to the Access Enforcer Installation Guide for more information about this process.

Figure 54: Compliant User Provisioning Post-Installation Tasks

The last post-installation task is to upload the initial configuration data


Figure 55: Activity


Exercise 10: Compliant User Provisioning Post-Installation Tasks

Exercise Duration: 5 Minutes

Task:

1. Mention the names of basic roles and files which are delivered with initial installation?


Solution 10: Compliant User Provisioning Post-Installation Tasks

Task:

1. Mention the names of basic roles and files which are delivered with initial installation?

Answer:
AEAdmin
AEApprover
AESecurity


Lesson Summary

You should now be able to:
- Identify Access Enforcer pre-defined workflow roles
- Import initial Access Enforcer configuration data

Lesson: Enterprise Role Management Post-Installation Tasks

Lesson Duration: 15 Minutes

Lesson Objectives

After completing this lesson, you will be able to:
- Identify Pre-Defined Role Expert roles
- Import initial Role Expert system data

Enterprise Role Management Post Installation Tasks: Load Initial Data

- Initial system data must be imported before you can configure Role Expert
- Data file is included with installation package
- Import files include:
    RE_init_clean_and_insert_data.xml
    RE_init_append_data.xml
    RE_init_methodolgy_data.xml
- Data is imported from within Role Expert


Figure 56: Enterprise Role Management Post Installation Tasks: Load Initial Data

The last post-installation task is to upload the initial configuration data

Figure 57: Activity


Exercise 11: Enterprise Role Management Post-Installation Tasks

Exercise Duration: Minutes

Task:

1. What are the three files required for Data import in Role expert?


Solution 11: Enterprise Role Management Post-Installation Tasks

Task:

1. What are the three files required for Data import in Role expert?

Answer: Three file names are
1. RE_init_clean_and_insert_data.xml
2. RE_init_append_data.xml
3. RE_init_methodolgy_data.xml


Lesson Summary

You should now be able to:
- Identify Pre-Defined Role Expert roles
- Import initial Role Expert system data


Unit Summary

You should now be able to:
- Create JCo connections to the backend systems
- Import roles for Access Control component.
- Assign Role to user.
- Identify Access Enforcer pre-defined workflow roles
- Import initial Access Enforcer configuration data
- Identify Pre-Defined Role Expert roles
- Import initial Role Expert system data


Unit 5

Risk Analysis and Remediation

Unit Overview

Contents:
- Features and Benefits of Compliance Calibrator
- Configuration of Risk Analysis and Remediation
- Configuration of Risk Terminator

Unit Objectives

After completing this unit, you will be able to:
- Describe the features and benefits of Risk Analysis and Remediation
- Configure System Connectors
- Define Master User Source
- Upload Static Text
- Upload Authorization Objects (SU24 Objects)
- Create Rules Using Rule Upload
- Complete Configuration Parameters
- Schedule Background Jobs
- Front End Configuration
- Back End Configuration

Unit Contents

Lesson: Risk Analysis and Remediation Product Tour
    Exercise 12: Risk Analysis and Remediation Product Tour
Lesson: Risk Analysis and Remediation Configuration
Lesson: Virsa Risk Terminator Configuration
    Exercise 13: Virsa Risk Terminator Configuration

Lesson: Risk Analysis and Remediation Product Tour

Lesson Duration: 30 Minutes

Lesson Objectives

After completing this lesson, you will be able to:
- Describe the features and benefits of Risk Analysis and Remediation

What is Compliance Calibrator?

Risk Analysis and Remediation provides comprehensive capabilities for:
- Testing and enforcing Segregation of Duties (SoD) controls
- Monitoring critical actions across enterprise applications

Clustering Environment

Compliance Calibrator has the ability to support a clustering environment. Clustering is a technique in which two or more servers are interconnected and access a common database. Clustering enables load balancing, which is the distribution of processes across servers. If one server fails, then the application can use the other server. Clustering is recommended for a high number of users and when all Access Control products are installed on the same server.


Features and Benefits

Compliance Calibrator features and benefits include:
- Cross-Enterprise Risk Analysis
- Simulation and Remediation
- Mitigation Controls
- Preventive as well as detective
- Audit trail of rule updates
- Mass maintenance functionality
- Summary and drill down reports
- End-to-End Automation

Figure 58: Cross-Enterprise Analysis

When permissions are defined for non-SAP systems, they can be mapped in any hierarchy, and both actions and permissions can be system independent.

More about Cross-Enterprise Analysis
- One time definition of authorization concept
- One time configuration mapping with target application
- Adapter integration, extraction method
- One time addition of activities and permissions to already existing business functions
- One time mapping of users (if cross enterprise)


Figure 59: Centralized Web Architecture

Having a centralized web architecture provides many great benefits:
- Provides centralized cross-enterprise compliance visibility
- Leverages SAP NetWeaver application server
- Does not impact the production server
- Features a single compliance dashboard
- Role dependent views utilizing SAP User Management Engine (UME)
- Login to SAP client is not required to access Compliance Calibrator


Figure 60: Compliance Calibrator - Informer Tab

Here you can see tabs for the main sections of Compliance Calibrator. The Informer tab is highlighted in red. From this tab, you can perform tasks to analyze risk and run various reports.

Provided Functionality Includes:
- Risk Reporting
- Simulation Functionality

The Informer tab is used for reporting. In the main area of the screen is a management view of existing risk violations.


Figure 61: Compliance Calibrator - Rule Architect Tab

Rule Architect

From the Rule Architect tab, you can create and search for Risks, Rules, and Business Processes. You can also perform many other Search and Create actions.

Rule Architect provides rule building functionality. This is where rule changes are done.


Figure 62: Compliance Calibrator - Mitigation Tab

Mitigation

From the Mitigation tab, you can create and search for mitigating controls. Mitigating controls are alternate ways to manage risk. Use these controls to monitor potentially risky activities that exist for legitimate business reasons. Here you see the Management View of the Controls Library, which displays controls by risk level.


Figure 63: Compliance Calibrator - Alert Monitor Tab

Alert Monitor

From the Alert Monitor tab, you can search for various alerts. Alerts are raised by Compliance Calibrator when conflicting or critical actions are used. Designated monitors can receive or review these alerts. Alerts are also used to monitor mitigations.


Figure 64: Compliance Calibrator - Configuration Tab

Configuration

From the Configuration tab you can choose your preferred default settings, such as whether to include mitigated risks when running reports or doing analysis.

Risk Terminator
- A fully integrated feature of Compliance Calibrator that provides real-time reporting during role management and user assignment
- Integrated with Compliance Calibrator
- Uses action and permission rules to determine if a SoD is being introduced to roles or users
- Activated through Compliance Calibrator

About Risk Terminator:
- Whenever a new role is created in PFCG or assigned to a user in SU01, Risk Terminator verifies whether this role will produce an SoD conflict or not
- Risk Terminator does the analysis at object level and transaction level and provides the facility to mitigate existing risks.


Using Risk Terminator

Risk Terminator is activated when one of the following four tasks is performed:
- When transactions are added to a role and the role is generated using PFCG
- When users are assigned to a role using PFCG
- When a role or profile is assigned to a user using SU01
- When a role or profile is assigned to users using SU10

When activated, a Risk Analysis report is displayed with warning messages, including any SoD risks that may exist. This means that the configuration setting "Stop generation if violation exists" is set to NO. If this configuration setting is set to YES, then the tasks listed above would stop.
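The warn-versus-stop behaviour described above can be modelled at action (transaction) level as follows. This is an added Python example, not SAP code and not part of the course material; the rule set, the function groupings, the names `analyze_assignment` and `stop_on_violation`, and the choice to let a mitigated risk pass the stop check are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed rule set (assumption): each risk pairs two business functions
# whose actions should not be held together by one user or one role.
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"},   # create / change vendor
    "PAYMENTS": {"F-53", "F110"},       # post payment / payment run
    "PO_PROCESSING": {"ME21N"},         # create purchase order
    "GOODS_RECEIPT": {"MIGO"},          # goods movement
}
RISKS = {
    "R001": ("VENDOR_MAINT", "PAYMENTS"),
    "R002": ("PO_PROCESSING", "GOODS_RECEIPT"),
}

@dataclass
class Report:
    violations: list  # unmitigated (risk_id, action_a, action_b) introduced
    mitigated: list   # introduced risk ids covered by a mitigating control
    proceed: bool     # True: warn only; False: the task is stopped

def sod_conflicts(actions):
    """Return every (risk_id, a, b) conflict contained in a set of actions."""
    found = set()
    for risk_id, (f1, f2) in RISKS.items():
        for a, b in product(FUNCTIONS[f1] & actions, FUNCTIONS[f2] & actions):
            found.add((risk_id, a, b))
    return found

def analyze_assignment(current, role_actions, mitigations=frozenset(),
                       stop_on_violation=False):
    """Report the SoD conflicts a change would introduce.

    current      -- actions the user (or role) already holds
    role_actions -- actions added by the role assignment or role change
    mitigations  -- risk ids with a mitigating control (assumed to pass)
    """
    before = sod_conflicts(set(current))
    after = sod_conflicts(set(current) | set(role_actions))
    introduced = sorted(after - before)   # only what this change adds
    mitigated = sorted({v[0] for v in introduced if v[0] in mitigations})
    open_risks = [v for v in introduced if v[0] not in mitigations]
    # Setting NO: report warnings and continue. Setting YES: stop the task.
    proceed = not (stop_on_violation and open_risks)
    return Report(open_risks, mitigated, proceed)

if __name__ == "__main__":
    # Constructed case: a user who maintains vendors receives a payment role.
    print(analyze_assignment({"FK01"}, {"F-53", "ME21N"}))
    print(analyze_assignment({"FK01"}, {"F-53"}, stop_on_violation=True))
```

Passing an empty set as `current` covers the first trigger in the list, where transactions are added to a role and the role itself is checked for a built-in conflict.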

Figure 65: Considerations for Non-SAP and Legacy Systems

Transverse Enterprise Process

Here you see an IT landscape comprised of SAP, Non-SAP, custom, and legacy systems. Compliance Calibrator can analyze across all of these systems if you take some extra steps during Phase One of the SOD Risk Management Process. Transverse Enterprise Process means that you are working across the entire enterprise.


Figure 66: SOD Risk Management Best Practices for Legacy Systems

Figure 67: Example: Mapping File for Legacy Systems


Figure 68: SOD Risk Management Best Practices for Legacy Systems: Process Flow Chart


Exercise 12: Risk Analysis and Remediation Product Tour

Exercise Duration: 15 Minutes

Task:

1. Mention any 3 features and benefits of Compliance Calibrator?

2. What are the advantages of having centralized web architecture?

3. What are the tasks by which Risk Terminator is activated?


Solution 12: Risk Analysis and Remediation Product Tour

Task:

1. Mention any 3 features and benefits of Compliance Calibrator?

Answer:
1. Cross-Enterprise Risk Analysis
2. Simulation and Remediation
3. Mitigation Controls

2.