
SAP Governance, Risk & Compliance Access Control 5.

GRC Overview

Why GRC?

- Audit teams need to know user access and authorization controls.
- Requests for emergency access (with all admin rights) are unexpected and can't be monitored or controlled.
- Detecting violations (improper authorizations) for users is difficult.
- It is unclear whether user authorizations follow standard rules.
- Manager approval for access takes time, and monitoring access requests and approvals is difficult.
- The user life cycle and authorization management process is manual, so it is error-prone.

What is GRC?

SAP Governance, Risk, and Compliance solutions help companies comply with Sarbanes-Oxley and other regulatory mandates by enabling organizations to rapidly identify and remove access and authorization risk from IT systems, and embed preventive controls into business processes to stop future Segregation of Duties (SoD) violations from occurring.

SAP GRC Components


- SAP GRC Access Control
- SAP Global Trade Services
- SAP Process Control
- SAP Risk Management

What is GRC Access Control?

SAP GRC Access Control is an application that provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.

GRC Access Control Versions

- SAP GRC Access Control 4.0 / 5.1
- SAP GRC Access Control 5.1
- SAP GRC Access Control 5.2
- SAP GRC Access Control 5.3

Product architecture (for versions 5.1 and above)

Each Access Control product requires the following two components:
- A common ABAP-based component that resides on your SAP ERP server. This component is called a Real-Time Agent, or RTA. The RTA accesses data from your SAP system and communicates with the front-end Java component, to allow you to see and make changes to that data.
- A Java-based component that resides on your web application server. This component provides the user interface you use to make changes in your SAP database. The Java component sends data queries and revised data to the ABAP component, which connects directly to the SAP database.

While each Java-based component provides a unique user interface for each Access Control product, the ABAP-based RTA component is not unique for each Access Control product.

SAP GRC Access Control 5.3 suite features


- Risk Analysis and Remediation (formerly known as Virsa Compliance Calibrator), which supports real-time compliance to detect, remove, and prevent access and authorization risk by controlling violations before they occur.
- Compliant User Provisioning (formerly known as Virsa Access Enforcer), which automates provisioning, tests for Segregation of Duties issues, and streamlines approvals to unburden IT staff.
- Enterprise Role Management (formerly known as Virsa Role Expert), which standardizes and centralizes role creation and maintenance.
- Superuser Privilege Management (formerly known as Virsa Firefighter), which enables users to perform emergency activities outside their roles as a privileged user in a controlled and auditable environment.

Prerequisites

In order to install Access Control 5.3 on your system, verify that the following components are installed on your server:
- SAP NetWeaver 7.0 (2004s) SP12
- SAP Internet Graphics Service (SAP IGS), for the graphs to be displayed on Management Reports

For ERP systems that will install Access Control Real-Time Agents (RTA), the following prerequisites must be met:
- For an SAP ERP 4.6C system, the system must be at Support Pack Stack level 55
- For an ERP 4.70 system, the system must be at Support Pack Stack level 63
- For an ERP 04 system, the system must be at Support Pack Stack level 21
- For an ERP 6.0 system, the system must be at Support Pack Stack level 13

1. Download & Installation

To download Access Control v5.3 for installation, go to the SAP Software Distribution Center on SAP Service Marketplace at http://service.sap.com/swdc -> Download -> Installation and Upgrades -> Entry by Application Group -> SAP Solutions for Governance, Risk and Compliance -> SAP GRC ACCESS CONTROL

The Access Control 5.3 installation package includes:
- An ABAP software component that provides the Access Control Real-Time Agent (RTA).
- A Java software component that runs on NetWeaver 2004s on a Web Application Server 700.
- The ZIP file contains all software components: Java SCA files and Real-Time Agents (RTA) for all available backend release levels.
- In the folder Adapter you'll find the Greenlight Adapters for JDE, Oracle and PeopleSoft.

Installation & user Guides



You can find relevant documentation on SAP Service Marketplace at http://service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for GRC -> SAP GRC Access Control -> Release 5.3

2. SAP NW AS Java: Check SP Level, Java Version and JVM Performance Parameters

- For AC 5.3, SAP NW AS 7.0 SP12 or higher is required.
- Here is where you find the patch for SAP J2EE Engine Core 7.00: https://service.sap.com/swdc -> Support Packages and Patches -> SAP NetWeaver -> SAP NETWEAVER -> SAP NETWEAVER 7.0 -> Entry by Component -> Application Server Java -> SAP J2EE Engine Core.
- Patch 2 includes Patch 1.

Notes: JVM Memory / Performance Parameters
- 723909 - Java VM settings for J2EE 6.40/7.0
- 1044173 - Recommended NetWeaver Setting for Access Control 5.x
- 1121978 - Recommended settings to improve performance risk analysis
- 1158625 - If you are using MS SQL Server

3. SAP NW AS Java: Check SP Level, Java Version and JVM Performance Parameters

http://<server>:<port>

4. Check SLD Configuration

- Ensure that the SLD is configured and running.
- Go to: http://<sld-server>:5<instancenumber>00/sld/index.html
- Remember that the SLD may be installed on a different server!

5. Check Connection from Access Control Server to SLD

In the Web Dynpro Content Administrator, use Check SLD Connection.

6. Check SAP Internet Graphics Server

- Verify that the Internet Graphics Server (IGS) is configured and running.
- Go to: http://<host_name>:4<instance number>80
- A graphic screen should display. If not successful, check Installation Guide Appendix C.
- Use the fully qualified host name!

7. Usage of JSPM for AC 5.3 Installation

- Copy the AC 5.3 installation SCA files to /usr/sap/trans/EPS/in/
- The JSPM is a tool that works similarly to SDM and has to be started from OS level of the server as user <SID>ADM from /usr/sap/<SID>/<CI>/j2ee/JSPM/go.bat
- AC 5.3 comes with the following SCA files:
  - VIRCC00_0.SCA - Risk Analysis and Remediation
  - VIRAE00_0.SCA - Compliant User Provisioning
  - VIRRE00_0.SCA - Enterprise Role Manager
  - VIRFF00_0.SCA - Superuser Privilege Management
  - VIRACLP00_0.SCA - Launch Pad
  - VIREPRTA00_0.SCA - Enterprise Portal
- Deploy the first 4 SCA files first, then deploy the 5th SCA file.
- The last SCA file contains the RTA for the NetWeaver Portal EP7.0 SP12+. Deploy it to all your NetWeaver Portal 7.0 servers in scope of your implementation.
- For more details, check Appendix A and E in the Installation Guide.

7. Login JSPM

JSPM: Select New Software

JSPM: Select SCA Files. Deploy CC, AE, FF, RE first, then VIRACLP00_0.SCA - Launch Pad.

8. Check SP Levels of your SAP Backend Systems / Prepare RTA Installation

Check the required SP levels for software components SAP_BASIS, SAP_ABAP and SAP_HR in the table below.

- 1133161: Install SAP GRC Access Control 5.3 on SAP BASIS 46C Non-HR
- 1133163: Install SAP GRC Access Control 5.3 on SAP BASIS 620 Non-HR
- 1133165: Install SAP GRC Access Control 5.3 on SAP BASIS 640 Non-HR
- 1133167: Install SAP GRC Access Control 5.3 on SAP BASIS 700 Non-HR
- 1133162: Install SAP GRC Access Control 5.3 on SAP BASIS 46C HR
- 1133164: Install SAP GRC Access Control 5.3 on SAP BASIS 620 HR
- 1133166: Install SAP GRC Access Control 5.3 on SAP BASIS 640 HR
- 1133168: Install SAP GRC Access Control 5.3 on SAP BASIS 700 HR

9. Plan Your System Landscape

- Discuss your system landscape for Access Control with your Basis team.
- Do you plan for a 2-tier or 3-tier landscape for SAP GRC Access Control?
- How do you plan to connect your AC 5.3 instances to your multi-tier backend landscape?
- Customer system landscape: please enter all SIDs, SP levels, etc.

Integration of a Two-Tier GRC Access Control Landscape

Logical Systems:
- Grouping of physical systems sharing the same risk rules
- Two-tier Access Control landscape can connect to N-tier back end

Always apply latest Support Packages for Access Control


Always apply the latest support packages for Access Control 5.3 during Ramp-Up.
- There are two types of AC 5.3 Support Packages:
  - For the AC 5.3 application on NW AS Java 7.00 itself (cumulative)
  - For the NH and HR RTAs in the backend (incremental)
- Content of all RTA Support Packages (backend) is listed in the following notes:
  - RAR: 1168120
  - CUP: 1168508
  - ERM: 1168183
  - SPM: 1168121

To upload UME Roles and Create AC Administrator User

Log on to UME at https://ip:54501/index.html and click on Import.

Check Background Job Daemon


The background job daemon may be engaged in another thread for a different background job. To confirm the job status, call the URL http://<server>:<port>/sap/CCBgStatus.jsp - it should come up with status running.

Check Analysis Engine Daemon Manager


- Call the URL http://<server>:<port>/sap/CCADStatus.jsp - it should come up with status running.
- If the analysis daemon threads and web services are stopped, the threads may be restarted from URL:
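
The reachability checks from steps 4 and 6 and the two daemon status pages above, combined into one script as an added example (not part of the original slides or SAP tooling). Host names, instance numbers, ports, the `--run` argument order and the case-insensitive match on "running" are assumptions.

```shell
#!/bin/sh
# Added example, not SAP tooling. Host names, instance numbers and ports are placeholders.

# Normalise an instance number to two digits without arithmetic (avoids octal parsing of 08/09).
instance_nn() {
  case "$1" in
    [0-9][0-9]) printf '%s\n' "$1" ;;
    [0-9])      printf '0%s\n' "$1" ;;
    *)          echo "invalid instance number: $1" >&2; return 1 ;;
  esac
}

# SLD: http://<sld-server>:5<instancenumber>00/sld/index.html
sld_url() { nn=$(instance_nn "$2") || return 1; printf 'http://%s:5%s00/sld/index.html\n' "$1" "$nn"; }

# IGS: http://<host_name>:4<instance number>80, fully qualified host name required.
igs_url() {
  case "$1" in *.*) ;; *) echo "IGS check needs a fully qualified host name: $1" >&2; return 1 ;; esac
  nn=$(instance_nn "$2") || return 1
  printf 'http://%s:4%s80\n' "$1" "$nn"
}

# Daemon status pages: http://<server>:<port>/sap/CCBgStatus.jsp and CCADStatus.jsp
daemon_url() { printf 'http://%s:%s/sap/%s\n' "$1" "$2" "$3"; }

# The slides only say the page "should come up with status running"; the response
# markup is not shown, so this word match (and the negative patterns) is an assumption.
body_reports_running() {
  printf '%s' "$1" | grep -qiw 'running' || return 1
  ! printf '%s' "$1" | grep -qiE 'not running|stopped'
}

probe() {  # probe <label> <url> [non-empty => body must report running]
  body=$(curl -fsS --max-time 10 "$2") || { echo "FAIL  $1 unreachable: $2"; return 1; }
  if [ -n "${3:-}" ] && ! body_reports_running "$body"; then
    echo "FAIL  $1 not running: $2"; return 1
  fi
  echo "OK    $1: $2"
}

# Usage: sh ac_health.sh --run <ac-fqdn> <ac-instance> <ac-http-port> <sld-host> <sld-instance>
if [ "${1:-}" = "--run" ]; then
  rc=0
  probe "SLD" "$(sld_url "$5" "$6")" || rc=1
  probe "IGS" "$(igs_url "$2" "$3")" || rc=1
  probe "Background job daemon" "$(daemon_url "$2" "$4" CCBgStatus.jsp)" running || rc=1
  probe "Analysis engine daemon" "$(daemon_url "$2" "$4" CCADStatus.jsp)" running || rc=1
  exit "$rc"
fi
```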

Check connectors using the following link and try to search for users

https://10.77.130.112:54501/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger

Troubleshooting Background Jobs in GRC Access Control

https://10.77.130.112:54501/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger

Step 1) Check the entries in the virsa_cc_config table.
Step 2) If the entries for 105, 106, 107 are missing, please update the table virsa_cc_config with the following records.

GRC Initial Screen
