
Day14-Day15

Published by Teamlease Edtech Ltd (Amita Chitroda), 2021-08-17 08:34:44

Description: Day14-Day15


ENHANCED INTEGRATION
Access Control 12.0 integrates with Cloud IAG, so the Risk Analysis and User Provisioning processes can be catered for across SAP On-Premise and Cloud applications natively, as well as access analysis for the following:
• SAP Fiori Apps in SAP S/4HANA on-premise
• Emergency Access Management for SAP HANA database
• SAP Identity Management for centralized provisioning and business role management
• SAP SuccessFactors Employee Central Payroll
SAP has also introduced a new risk ruleset library for SAP Access Control for S/4. S/4 HANA has changed the authorisation model making transactions.



FIORI APPS for GRC 12.0
• We can also develop custom Fiori apps for GRC 12.0 by finding the Web Dynpro application for the screen in GRC.
• Configure the Web Dynpro app for GRC 12.0.
• How to find the Web Dynpro application from a GRC screen:
  → Right-click on the screen
  → Click on Technical Help
  → Web Dynpro application details will be displayed.
Reference Link: https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#/detail/Apps('F0458')/W27
HANA RULE SET: https://blogs.sap.com/2019/08/27/grc-10.112.0-integration-with-hana-db-for-access-risk-analysis/



Simplified Access Request
Simplified Access Request is one more excellent feature that benefits a requester who frequently does the following:
1. Assign role to user
2. Remove role from user
3. Extend the validity of existing role

SAP GRC Access Control 12.0
https://grcadvisory.com/en/news/new-features-functionalities-with-sap-grc-12-0/#:~:text=A%20new%20set%20of%20rules,rules%20effectively%20addresses%20this%20change&text=Integration%20with%20cloud%20applications%20thanks,Access%20Management%20for%20WebApps%20component
• New look, based on the Fiori interface - thanks to the new interface, the SAP GRC AC 12.0 functions can be accessed through the Fiori Launchpad, which increases the package's availability for users throughout the organization. The existing interface remains available without the Fiori application.
• Refreshed interface for NWBC transactions - the standard look available from the NWBC transaction level has also been adapted to the latest changes in appearance by offering the new SAP Belize theme.
• A new set of rules for SAP S4 / HANA - S4 / HANA changes the current authorization model, so the new set of rules effectively addresses this change.
• Extension of the EAM module with support for the HANA database.
• Simplified mechanisms for managing controllers and FF ID owners.
• Optimization of synchronization tasks - the new version optimizes some demanding synchronization tasks, which take up a lot of time due to the amount of data processed. Improvements include synchronization of repository objects, dedicated tasks associated with generating applications for periodic review (UAR module - User Access Review) and LDAP synchronization.
• Integration with cloud applications thanks to the SAP Cloud Identity Access Governance (IAG) / Emergency Access Management for WebApps component.
• Integration with SAP Identity Management.
• Integration with SAP Success Factors (also available in version 10.1).

BC Sets – SCPR20
Kindly note that before this step, SICF services need to be activated.
• Specific to Workflows: GRAC_MSMP_CONFIGURATION*
• Specific to Superuser Management: GRAC_SPM*
• Specific to Business Role Management: GRAC_ROLE_MGMT*
• Specific to Access Request Management: GRAC_ACCESS_REQUEST*
• Specific to Access Risk Analysis: GRAC_RA_RULESET*

GRC 10.0 Support Pack

GRC 10.1 Support Pack

Object Level Security
Object level security gives us the ability to limit access for end users.







WORKFLOWS
Process Type is a structure for Process ID (GRFNMW_CONFIGURE)

Access Control Security Objects





Configuration Settings

Basic Settings
Common Component Settings -> Integration Framework

Maintain Connector Settings
• Connectors are RFC connections from one system to an external system.
RFC → Connection to ABAP System
• Go to transaction SM59.
• Create an RFC destination to the target system. Suppose we have the systems below:
  GRC System: EC5 200
  Business System: EC5 800
• The RFC is created in the GRC system and points to the business system (GRC_SELF_RFC).
• In Logon & Security, we map the user ID BUSS_RFC in EC5 800, which should have the authorizations below:
  1. User Administration
  2. Role Administration
  3. Synchronization jobs
  4. RFC Authorization

• Subsequent Connectors → This connector is linked with another connector and is called when data has to be fetched from one system to another system.
• Connector groups contain a group of connectors so that we can make mass changes in one go by applying them to the group.

Maintain Connector & Connection Type
• Target Connector → This is the connector which points to the ECC system or business system (GRC_SELF_RFC).
• Source Connector → This is the connector which points back from the ECC system to GRC (GRC_BUS_RFC).
• Logical Port → This is the logical address for the target system, same as the target connector.

Connector Groups
• Connector groups can be of different types: logical group and cross system.
• Logical group – When we apply a rule set or SOD for a particular system, this type of group is considered.
• Cross system – When we have different systems and want to fetch data from them depending on the rule set or SOD, but are not sure whether it is present in a given system, this group is considered.

Integration Framework

Integration Framework – Scenario Link
• The Integration Framework scenarios (AUTH, PROV, ROLMG, SUPMG) are linked to ABAP classes which help them execute the particular task in GRC.
• The Integration Framework class / interface differs for different connection types.

ACCESS CONTROL SETTINGS
• Maintain the connector GRC_SELF_RFC in SPRO.
Execute SPRO:
1. Navigate to Governance Risk & Compliance
2. Access Control
3. Maintain Mapping for Actions and Connector Group

• When we maintain the connectors, we need to select the parameters below as well:
  1. Maintain the target connector
  2. Maintain the application type
  3. Environment (this factor is used in BRM for roles)
  4. Path ID
  5. PSS (Password Self Service)

• Assigning attributes to connector settings (attributes are basically used in LDAP connections where user ID / data needs to be mapped)

Maintain Mapping for Actions & Connector Group

Access Control Settings
Governance Risk & Compliance → Access Control
S.No. Shared Settings
1. Maintain Configuration Settings
2. Maintain Connection Settings
3. Maintain Mapping for Actions and Connector Groups
4. Maintain Plug-in Settings
5. Maintain Risk Levels
6. Maintain Business Processes and Subprocesses
7. Maintain AC Applications and BRFplus Function Mapping
8. Maintain Data Source Configuration
9. Maintain Custom User Group
10. Maintain Master User ID Mapping

Step 4 https://wiki.scn.sap.com/wiki/display/GRC/How+to+call+Non-GRC+PlugIn+and+Activate+or+In-activate+standard+GRCPI

Step 7 https://blogs.sap.com/2016/08/14/grc-multiple-rule-set-functionality/

Step 8

Maintain Master User ID Mapping
SAP Note: 1849262 (it is used for risk analysis, not for provisioning)
• According to SAP Note 2615341 - How User Level Risk analysis works with Master User ID mapping
• The Master User ID mapping scenario is used when a company's system landscape includes multiple back end systems with a different user ID for each system. → For example, one back end system may have Employee Number as the user ID, and another back end system may have Last Name as the user ID. In that case we can define one system as the main (or master) user ID system.
• Let's understand the whole scenario with a detailed example:
• Suppose we have 3 target/backend systems named A, B and C:
  User1 exists in System A
  User2 exists in System B
  User3 exists in System C
• Note: The table GRACUSERCONN will contain only one entry for User1 with System A.
• Now go to NWBC and open the User Level Risk Analysis screen.
• Execute the risk analysis with System -> BLANK and User ID -> User1. The risk analysis results should show risks for User1 for systems A, B and C.
• The entries for User2 for connector B and User3 for connector C will be replaced with User1 with connector B and connector C.
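A simplified model of the Master User ID mapping scenario above, added here as an illustration (it is not SAP code and not from the original slides). Systems A, B, C and User1 to User3 follow the slide; the transaction codes, the rule ID R001 and the function names are constructed for the example, and treating one SoD rule as spanning all mapped systems is an assumption of this model.

```python
from collections import defaultdict

# Constructed sample data: (connector, local user ID, action the account can run).
ASSIGNMENTS = [
    ("A", "User1", "FK01"),   # system A: create vendor
    ("B", "User2", "F-53"),   # system B: post outgoing payment
    ("C", "User3", "SU01"),   # system C: user maintenance
]

# Master User ID mapping: (connector, local user ID) -> master user ID.
# System A is the master system, so its user ID needs no entry.
MASTER_MAP = {("B", "User2"): "User1", ("C", "User3"): "User1"}

# One constructed SoD rule: holding both actions is a risk.
SOD_RULES = {"R001": {"FK01", "F-53"}}


def resolve(connector, local_user, mapping):
    """Return the master user ID for a local account (itself if unmapped)."""
    return mapping.get((connector, local_user), local_user)


def risk_analysis(user_id, assignments, mapping, rules):
    """Model a user-level analysis run with System left blank.

    Returns (connectors where the user was found, rule IDs violated).
    """
    per_system = defaultdict(set)
    for connector, local_user, action in assignments:
        if resolve(connector, local_user, mapping) == user_id:
            per_system[connector].add(action)
    # Assumption of this model: actions are pooled across systems, so a
    # rule fires even when its two actions sit in different back ends.
    all_actions = set().union(*per_system.values())
    risks = sorted(rid for rid, acts in rules.items() if acts <= all_actions)
    return sorted(per_system), risks


if __name__ == "__main__":
    print("with mapping:   ", risk_analysis("User1", ASSIGNMENTS, MASTER_MAP, SOD_RULES))
    print("without mapping:", risk_analysis("User1", ASSIGNMENTS, {}, SOD_RULES))
```

Without the mapping the same person appears as three unrelated accounts, and the analysis for User1 sees only system A and reports no conflict.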







Tables for Request
• To check the request for user access provisioning – GRACREQ
• To check the instance for the request number – GRFNMWRTINST & GRFNMWRTDATLG
• Line items retrieved for the request – GRACREQPROVITEM











Synchronizing Objects into the Repository
There are various kinds of data which are synchronized from client systems within the GRC instance using various transactions:
• PFCG Authorization Data
• Profiles Master Data
• Role Master Data
• User Master Data
• Action Usage
• Role Usage

Repository Job Order
1. PFCG Authorization Sync
2. Repository Object Sync (Profile, Role, User)
3. Action Usage Sync
4. Role Usage Sync

Synchronization Mode
1. Incremental Sync Mode → Updates role master data that has been maintained since the last execution of the program.
2. Full Sync Mode → Synchronizes data using a beginning date. The start date is always the current date.

| PROGRAM | TRANSACTION | DESCRIPTION |
|---|---|---|
| GRAC_PFCG_AUTHORIZATION_SYNC | GRAC_AUTH_SYNC | PFCG Master data from the business system |
| GRAC_REPOSITORY_OBJECT_SYNC | GRAC_REP_OBJ_SYNC | Synchronize Role, Profile & User Master Data |
| GRAC_ROLEREP_PROFILE_SYNC | GRAC_PROFILE_SYNC | Synchronize Profile Master Data |
| GRAC_ROLEREP_ROLE_SYNC | GRAC_ROLE_SYNC | Synchronize Role Master Data |
| GRAC_ROLEREP_USER_SYNC | GRAC_USER_SYNC | Synchronize User Master Data |
| GRAC_ACTION_USAGE_SYNC | GRAC_ACT_USAGE_SYNC | Synchronize User Transaction Usage |
| GRAC_ROLE_USAGE_SYNC | GRAC_ROLE_USAGE_SYNC | Synchronize role usage |

Synchronization Tables
(Synchronization Jobs / Plug-in System / GRC System)
GRAC_ROLEREP_PROFILE_SYNC
• Plug-in system: USR10 : User master authorization; USR11 : User Master Texts for Profiles
• GRC system: GRACPROFILE : Master table profiles; GRACPROFILET : Language specific table
GRAC_ROLEREP_ROLE_SYNC
• Plug-in system: AGR_DEFINE : Master table; AGR_TEXTS : File Structure for Hierarch; AGR_AGRS : Composite role table
• GRC system: GRACRLCONN : Master table; GRACRLCONNT : Description table; GRACRLCOMPRL : Composite role relation table; GRACROLEORG : Role org level relation table
GRAC_ROLEREP_USER_SYNC
• Plug-in system: USR02 : Master table
• GRC system: GRACUSER : User table; GRACUSERCONN : Table to store connector specific user
USER PROFILE
• Plug-in system: USR04 : User Master Authorization
• GRC system: GARCUSERPROFILE : User Profile assignment table
USER ROLE RELATION
• Plug-in system: AGR_USERS : Assignment of roles to users
• GRC system: GRACUSERROLE : User Role Assignment Table

SAP Business Workflow

Shared Maintain Organization Views

