Documentos de Académico
Documentos de Profesional
Documentos de Cultura
www.keylabstraining.com
www.keylabstraining.com
Front end:
The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business Client The web browser can be used to access the embedded NWBC or GRC via the NetWeaver Portal The Adobe flash player 10 is used for displaying dashboards e.g. RM heat mapOverview of SAP BusinessObjects Access Control 10.0 SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks note that SAPGUI 7.20 is recommended due to the end-of-maintenance of SAPGUI 7.10 The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.
www.keylabstraining.com
Portal:
The NetWeaver Portal 7.02 can be used optionally The GRC Portal Content contains the GRC Portal UI elements to access the GRC suite The Portals AS Java can contain an Adobe Document Services instance, in effect Portal and ADS may be shared on one AS Java instance ERP and Non SAP Business Applications: The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-ins NW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA) PC relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR relevant functions for AC (former HR RTA) GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP Non-SAP ERP systems can also be connected via adapters from an SAP Partner company
www.keylabstraining.com
BI Content:
NetWeaver BW can be used for reporting via the GRC BI Content The GRC BI Content is part of BI Content 7.06 NetWeaver BW 7.02 is used for the GRC BI Content. Identity Management: AC can be integrated bi-directionally to IdM solutions for provisioning and risk analysis NetWeaver IdM7.2 is required for integrating with AC 10.0 Adobe Document Services: An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms . Although it is technically optional, it is highly recommended for generating PDF reports These ADS can be an existing instance and can also be shared with other applications The Portals AS Java can contain an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Separation of duties
Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task shall prevent from fraud and error. The concept is alternatively called segregation of duties
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Segregation of Duties and Critical Actions: In a Sarbanes Oxley Act regulated environment, business need to define their access controls based on segregation of duties (SoD). In some cases, it is challenging to define SoDs because in many cases, processes are shared among business areas. Below are examples of risks in non-segregated duties
www.keylabstraining.com
Rule Building and Validation : After risk recognition, the second step in Phase One of the SoD Risk Management process is Rule Building and Validation.
www.keylabstraining.com
www.keylabstraining.com
Rule Building Process: Rules include risks, functions, and business processes. The main components of the rule building process are shown below. Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.
www.keylabstraining.com
Functions: Functions include specific actions commonly used for a job role or set of tasks, for example Maintain General Ledger Master Records or Post Journal Entry. Authorization to perform certain combinations of functions results in a risk.
www.keylabstraining.com
Rule Structure: Actions and permissions combine to form functions. Functions in certain combinations result in a risk. Risks are associated with business processes and all the components come together to form rules. Rules are collected in a rule set.
www.keylabstraining.com
www.keylabstraining.com
Phase 2 Figure
www.keylabstraining.com
www.keylabstraining.com
Mitigation Controls
www.keylabstraining.com
Continuous Compliance
www.keylabstraining.com
www.keylabstraining.com
GRC Components
ComponentsGRC 10.0 runs on AS ABAP 7.02 SP6 or higher. The installation components are broken out as follows: Access Control, Process Control, and Risk Management are contained in one ABAP add-on GRCFND_A Global Trade Services resides in a separate add-on SLL-LEG Nota Fiscal Eletronica has its own add-on SLL-NFE Content Lifecycle Management (CLM) contains functions for transporting GRC business data, for example, Access Control rules or Process Control controls. CLM has the same version requirements as the GRC 10.0 solution and is installed during the GRC installation. CLM can be disabled if not required. GRC customizing is transported using the standard ABAP transport system.
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Workflow
Reports and Dashboards
www.keylabstraining.com
NetWeaver Components
Access Control uses ABAP Web Dynpro as the user interface or UI technology.
The GRC solution can be presented to end users by using either NWBC (NetWeaver Business Client) or through the use of SAP Portal. Configuration for Access Control is executed using the SAP IMG via the SAP GUI, which is common across the GRC suite. Access Control connects to SAP and non-SAP systems with adapter or IdM systems using the integration framework. The ABAP database is the common repository for all Access Control data.
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Authorizations To configure the IMG, you need: PFCG role(s) relative to specific components to be configured PFCG role(s) sufficient to configure SAP workflow and other non-GRC technologies PFCG role(s) on GRC and non-GRC systems to set up Continuous Monitoring To access GRC 10.0 solutions, you must have at least the following: Portal authorization or NWBC authorization Applicable PFCG base roles
www.keylabstraining.com
PFCG role(s) relative to specific components (AC, PC, RM) to be used Using Access Control with GRC Solutions If you use Access Control with other GRC solutions, you can leverage this functionality to: Manage PFCG roles used with GRC Create GRC users Assign GRC PFCG roles to users Perform SoD analysis for PFCG role authorizations
Assignment of entity-level authorization (via application role assignment) and ticket-based authorization (via substitution or transfer) must be done in the respective component.
www.keylabstraining.com
Installation
Installation Prerequisites Server NetWeaver AS ABAP 7.02 SP6 or higher Installation Prerequisites Back-end For ERP systems that will install Access Control Plug-In the following prerequisites must be met: For SAP ERP system 4.6C, the system must be at SAP_BASIS Support Pack 55 For SAP ERP 4.70 system, the system must be at SAP_BASIS Support Pack 63 For ERP 2004 system, the system must be at SAP BasisSupport Pack 18 For ERP 6.0 system, the system must be at SAP_BASIS Support Pack 13 For NetWeaver systems that will install Access Control Plug-In the following prerequisites must be met: For SAP Basis 4.6C, the system must be at SAP_BASIS Support Pack 55 For NW 6.20 system, the system must be at SAP_BASIS Support Pack 63 For NW 6.40 system, the system must be at SAP_BASIS Support Pack 18 For NW 7.00 system, the system must be at SAP_BASIS Support Pack 13 For NW 7.01, the system must be at SAP_BASIS Support Pack 02 For NW 7.02, the system must be at SAP_BASIS Support Pack 01 For SAP Basis 710 system, the system must be at SAP_BASIS Support Pack 04
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Attention:The AC 10.0 plug-ins will upgrade any existing RTA from previous AC releases. This means that any AC instance on running 5.X will stop working after the plug-ins are installed.
www.keylabstraining.com
www.keylabstraining.com
Client Copy
T-code which starts from SCC*
1. Choose Administration --> System administration --> Administration >Client admin.>Client Copy-->Local Copy.
2. 3. Select a copy profile. Enter the source client.
click the tick mark it will take some time .... you can refer the link below
http://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/bcctscco.pdf
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Activating BC Sets
Call transaction SPRO again Click SAP Reference IMG Click Existing BC Sets in the next screen
www.keylabstraining.com
Activating BC Sets
Select a BC Set Click BC Sets for Activity
www.keylabstraining.com
Activating BC Sets
From the menu choose Goto >Activation Transaction These BC sets can also be activated via transaction code SCPR20
www.keylabstraining.com
Activating BC Sets
Activate the corresponding BC sets. Proceed likewise for all required PC, RM, and/or AC BC sets For a complete list of BC Sets please refer to the PC/RM/AC install guide! NOTE:BELOW EXAMPLE IS FOR ACTIVATION ON TIME FRQUENCY FOR GRCPC:PROCESS CONTROL.
www.keylabstraining.com
Activating BC Sets
When activating always use Expert mode
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Activate Common Workflow Perform Automatic Workflow Customizing Maintain the Prefix Numbers to your needs or like shown
in the screenshot
www.keylabstraining.com
Note: if no folders are visible below the GRC folder please run report RS_APPL_REFRESH in SE38
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
www.keylabstraining.com
Configuration
Maintaining AC owners Assigning owners to firefighter IDs Assigning firefighter IDs and controllers to firefighters Creating reasons codes
www.keylabstraining.com
Maintaining AC owners
Go to NWBC Access Management GRC Role Assignments Access Control Owners and maintain the controllers and owners as shown below:
www.keylabstraining.com
www.keylabstraining.com
Note: Multiple firefighter users and controllers can be assigned to a multiple firefighter ID.
www.keylabstraining.com
www.keylabstraining.com
Login to the AC system using the firefighter user and launch transaction GRAC_SPM You will be able to connect to the target system using the firefighter IDs previously assigned
www.keylabstraining.com
Managing Logs
Running Log Collection Viewing the firefighter reports Running log collectionForeground mode The foreground job for log collection can be executed from the Update Firefighter Log Button which can be found in the following path: Reports And Analytics Super User Management Reports Consolidated Log Report
www.keylabstraining.com
www.keylabstraining.com