SAP Governance, Risk & Compliance Access Control 5.3 GRC Overview

SAP GRC 99411GRCAC_Installations


Page 1: SAP GRC 99411GRCAC_Installations

SAP Governance, Risk & Compliance

Access Control 5.3

GRC Overview

Page 2: SAP GRC 99411GRCAC_Installations

Why GRC?

Audit teams need to know user access and authorization controls.
Requests for emergency access (with all admin rights) are unexpected and can't be monitored and controlled.
Detection of violations (improper authorizations) for users is difficult, including whether user authorizations follow standard rules.
Approval for access from a manager takes time, and monitoring access requests and approvals is difficult.
The user life cycle and authorization management process is manual, so it is error prone.

Page 3: SAP GRC 99411GRCAC_Installations

What is GRC?

SAP Governance, Risk, and Compliance solutions help companies comply with Sarbanes-Oxley and other regulatory mandates by enabling organizations to rapidly identify and remove access and authorization risk from IT systems, and embed preventive controls into business processes to stop future Segregation of Duties (SoD) violations from occurring.

Page 5: SAP GRC 99411GRCAC_Installations

SAP GRC Components

SAP GRC Access Control
SAP Global Trade Services
SAP Process Control
SAP Risk Management

Page 6: SAP GRC 99411GRCAC_Installations

What is GRC Access Control?

SAP GRC Access Control is an application that provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risk enterprise wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.

Page 7: SAP GRC 99411GRCAC_Installations

GRC Access Control Versions

SAP GRC Access Control 4.0 / 5.1
SAP GRC Access Control 5.1
SAP GRC Access Control 5.2
SAP GRC Access Control 5.3

Page 8: SAP GRC 99411GRCAC_Installations

Product architecture (for versions 5.1 and above)

Each Access Control product requires the following two components:

A common ABAP-based component that resides on your SAP ERP server.  This component is called a “Real-Time Agent,” or RTA.  The RTA accesses data from your SAP system and communicates with the front-end Java component, to allow you to see and make changes to that data.

A Java-based component that resides on your web application server.  This component provides the user interface you use to make changes in your SAP database.  The Java component sends data queries and revised data to the ABAP component, which connects directly to the SAP database.

While each Java-based component provides a unique user interface for each Access Control product, the ABAP-based RTA component is not unique for each Access Control product.

Page 9: SAP GRC 99411GRCAC_Installations

SAP GRC Access Control 5.3 suite features

Risk Analysis and Remediation (formerly known as Virsa Compliance Calibrator), which supports real-time compliance to detect, remove, and prevent access and authorization risk by controlling violations before they occur.

Compliant User Provisioning (formerly known as Virsa Access Enforcer), which automates provisioning, tests for Segregation of Duties issues, and streamlines approvals to unburden IT staff.

Enterprise Role Management (formerly known as Virsa Role Expert), which standardizes and centralizes role creation and maintenance.

Superuser Privilege Management (formerly known as Virsa Firefighter), which enables users to perform emergency activities outside their roles as a "privileged user" in a controlled and auditable environment.

Page 10: SAP GRC 99411GRCAC_Installations

Prerequisites

In order to install Access Control 5.3 on your system, verify the following components are installed on your server:

SAP NetWeaver 7.0 (2004s) SP12
SAP Internet Graphics Service (SAP IGS) for the graphs to be displayed on Management Reports.

For ERP systems that will install Access Control Real Time Agents (RTA) the following prerequisites must be met:

For SAP ERP System 4.6C, the system must be at level Support Pack Stack 55

For ERP 4.70 system, the system must be at Support Pack Stack level 63

For ERP 04 system, the system must be at Support Pack Stack level 21

For ERP 6.0 system, the system must be at Support Pack Stack level 13

Page 11: SAP GRC 99411GRCAC_Installations

1. Download & Installation

To download the Access Control v5.3 for installation, go to the SAP Software Distribution Center on SAP Service Marketplace at http://service.sap.com/swdc -> Download -> Installation and Upgrades -> Entry by Application Group -> SAP Solutions for Governance, Risk and Compliance -> SAP GRC ACCESS CONTROL

Page 12: SAP GRC 99411GRCAC_Installations

1. Download & Installation

The Access Control 5.3 installation package includes:

An ABAP software component that provides the Access Control Real-Time Agent (RTA).
A Java software component that runs on NetWeaver 2004s on a Web Application Server 700.

The ZIP file contains all software components: Java SCA files and Real Time Agents (RTA) for all available backend release levels.
In the folder Adapter you'll find the Greenlight Adapters for JDE, Oracle and PeopleSoft.

Page 13: SAP GRC 99411GRCAC_Installations

Installation & User Guides

You can find relevant documentation on SAP Service Marketplace at http://service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for GRC -> SAP GRC Access Control -> Release 5.3

Page 14: SAP GRC 99411GRCAC_Installations

2. SAP NW AS Java: Check SP Level, Java Version and JVM Performance Parameters

For AC 5.3, SAP NW AS 7.0 SP12 or higher is required.
Here is where you find the patch for SAP J2EE Engine Core 7.00: https://service.sap.com/swdc - Support Packages and Patches - SAP NetWeaver - SAP NETWEAVER - SAP NETWEAVER 7.0 - Entry by Component - Application Server Java - SAP J2EE Engine Core. Patch 2 includes Patch 1.

JVM Memory / Performance Parameters

723909 - Java VM settings for J2EE 6.40/7.0
1044173 - Recommended NetWeaver Setting for Access Control 5.x
1121978 - Recommended settings to improve performance risk analysis
1158625 - If you are using MS SQL Server

Page 17: SAP GRC 99411GRCAC_Installations

3. SAP NW AS Java: Check SP Level, Java Version and JVM Performance Parameters

http://<server>:<port>

Page 18: SAP GRC 99411GRCAC_Installations

4. Check SLD Configuration

Ensure that the SLD is configured and running:
Go to: http://<sld-server>:5<instancenumber>00/sld/index.html
Remember that the SLD may be installed on a different server!

Page 19: SAP GRC 99411GRCAC_Installations

5. Check Connection from Access Control Server to SLD

Web Dynpro Content Administrator - check SLD connection

Page 21: SAP GRC 99411GRCAC_Installations

6. Check SAP Internet Graphics Server

Verify if the Internet Graphics Server (IGS) is configured and running:
Go to: http://<host_name>:4<instance number>80
A graphic screen should display.
If not successful, check Installation Guide Appendix C. Use Fully Qualified Host Name!

Page 22: SAP GRC 99411GRCAC_Installations

7. Usage of JSPM for AC 5.3 Installation

Copy the AC 5.3 installation SCA files to /usr/sap/trans/EPS/in/
The JSPM is a tool that works similarly to SDM and has to be started from the OS level of the server as user <SID>ADM from /usr/sap/<SID>/<CI>/j2ee/JSPM/go.bat

AC 5.3 comes with the following SCA files:

VIRCC00_0.SCA - Risk Analysis and Remediation
VIRAE00_0.SCA - Compliant User Provisioning
VIRRE00_0.SCA - Enterprise Role Manager
VIRFF00_0.SCA - Super user Privilege Management
VIRACLP00_0.SCA - Launch Pad
VIREPRTA00_0.SCA - Enterprise Portal

Deploy the first 4 SCA files first, then deploy the 5th SCA file.
The last SCA file contains the RTA for the NetWeaver Portal EP7.0 SP12+. Deploy it to all your NetWeaver Portal 7.0 servers in scope of your implementation.
For more details check Appendix A and E in the Installation Guide.

Page 23: SAP GRC 99411GRCAC_Installations

7. Login JSPM

JSPM: Select "New Software"

Page 24: SAP GRC 99411GRCAC_Installations

7. Login JSPM

JSPM: Select SCA files. Deploy CC, AE, FF, RE first, then VIRACLP00_0.SCA - Launch Pad
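
The staging and deploy order from step 7, as an added pre-flight check (not part of the original slides and not SAP tooling): the shell function below confirms that the SCA files named above are present and non-empty in the JSPM inbox and prints them in deploy order. The function name, the wave numbering, and treating the Portal RTA file as optional on the Access Control server are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the JSPM inbox before an AC 5.3 deployment.
# File names and ordering come from the slides; everything else
# (function name, wave numbers, output format) is hypothetical.

# Wave 1: CC, AE, RE, FF. Wave 2: Launch Pad. Wave 3: Portal RTA.
AC53_WAVE1="VIRCC00_0.SCA VIRAE00_0.SCA VIRRE00_0.SCA VIRFF00_0.SCA"
AC53_WAVE2="VIRACLP00_0.SCA"
AC53_WAVE3="VIREPRTA00_0.SCA"

# ac53_deploy_plan <inbox-dir>
# Prints "wave<TAB>file" for every staged file, in deploy order.
# Returns 1 if a wave 1 or wave 2 file is missing, empty or unreadable.
ac53_deploy_plan() {
    inbox=$1
    missing=0
    wave=1
    for group in "$AC53_WAVE1" "$AC53_WAVE2" "$AC53_WAVE3"; do
        for f in $group; do
            if [ -s "$inbox/$f" ] && [ -r "$inbox/$f" ]; then
                printf '%s\t%s\n' "$wave" "$f"
            elif [ "$wave" -eq 3 ]; then
                # Assumption: the Portal RTA goes to the Portal servers,
                # so its absence here is reported but not treated as fatal.
                printf 'note: %s not staged (Portal servers only)\n' "$f" >&2
            else
                printf 'missing or empty: %s\n' "$inbox/$f" >&2
                missing=1
            fi
        done
        wave=$((wave + 1))
    done
    return "$missing"
}

# Usage, run as <SID>ADM before starting JSPM:
#   ac53_deploy_plan /usr/sap/trans/EPS/in
```

A non-zero return means the inbox is incomplete, so JSPM would offer only part of the suite under "New Software".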

Page 25: SAP GRC 99411GRCAC_Installations

8. Check SP Levels of your SAP Backend Systems / Prepare RTA Installation

Check the required SP levels for software components SAP_BASIS, SAP_ABAP and SAP_HR in the table below.

1133161: Install SAP GRC Access Control 5.3 on SAP BASIS 46C Non-HR
1133163: Install SAP GRC Access Control 5.3 on SAP BASIS 620 Non-HR
1133165: Install SAP GRC Access Control 5.3 on SAP BASIS 640 Non-HR
1133167: Install SAP GRC Access Control 5.3 on SAP BASIS 700 Non-HR

1133162: Install SAP GRC Access Control 5.3 on SAP BASIS 46C HR
1133164: Install SAP GRC Access Control 5.3 on SAP BASIS 620 HR
1133166: Install SAP GRC Access Control 5.3 on SAP BASIS 640 HR
1133168: Install SAP GRC Access Control 5.3 on SAP BASIS 700 HR

Page 26: SAP GRC 99411GRCAC_Installations

9. Plan Your System Landscape

Discuss with your basis team your system landscape for Access Control.
Do you plan for a 2-tier or 3-tier landscape for SAP GRC Access Control?
How do you plan to connect your AC 5.3 instances to your multi-tier backend landscape?
Customer System Landscape - Please enter all SIDs, SP levels etc.

Page 27: SAP GRC 99411GRCAC_Installations

Integration of a Two-Tier GRC Access Control Landscape

Logical Systems: Grouping of physical systems sharing the same risk rules
Two-tier Access Control Landscape can connect to N-tier back end

Page 28: SAP GRC 99411GRCAC_Installations

Always apply latest Support Packages for Access Control

Always apply latest support packages for Access Control 5.3 during Ramp-Up.
There are two types of AC 5.3 Support Packages:
For the AC 5.3 application on NW AS Java 7.00 itself (cumulative)
For the NH and HR RTAs in the backend (incremental)
Content of all RTA Support Packages (Backend) is listed in the following notes:
RAR: 1168120 - CUP: 1168508 - ERM: 1168183 - SPM: 1168121

Page 29: SAP GRC 99411GRCAC_Installations

To upload UME Roles and Create AC Administrator User

https://ip:54501/index.html
Log on to UME and click on Import

Page 30: SAP GRC 99411GRCAC_Installations

Check Background Job Daemon

It is possible that the background job daemon is busy in another thread with another background job. The job status can be confirmed from the URL:

Call the URL http://<server>:<port>/sap/CCBgStatus.jsp - it should come up with status "running"

Page 31: SAP GRC 99411GRCAC_Installations

Check Analysis Engine Daemon Manager

Call the URL http://<server>:<port>/sap/CCADStatus.jsp - it should come up with status "running"

If the analysis daemon threads and web services are stopped the threads may be restarted from URL:

Page 32: SAP GRC 99411GRCAC_Installations

Check connectors using the following link and try to search for users

https://10.77.130.112:54501/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger

Page 35: SAP GRC 99411GRCAC_Installations

Troubleshooting Background Jobs in GRC Access Control

https://10.77.130.112:54501/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger

Step 1) Check the entries in virsa_cc_config table.
Step 2) If the entries for 105, 106, 107 are missing please update the table virsa_cc_config with following records.

Page 36: SAP GRC 99411GRCAC_Installations

GRC Initial Screen