
Governance, Risk, and Compliance

Quick Reference Guide


Access Control SAP v5.2

GRC Applications Integration Documentation


Purpose:
The purpose of this Quick Reference Guide is to provide best practice and instructions on how to integrate Access Enforcer (AE), Compliance Calibrator (CC) and Role Expert (RE).

Integration Points:
1. RE integrates with AE for:
   o approval workflow for role update approval
   o risk analysis
   o retrieving authorization data via CC function
   o transaction usage function
   o mitigation control
2. CC integrates with AE for:
   o approval workflow for risk updates
   o approval workflow for mitigation control updates
   o approval workflow for mitigated users, roles, profiles updates
3. The applications are integrated via web services using a centralized web user ID and password with proper authorization in the UME. This web user needs to have administrative roles for AE, CC, and RE.

Prerequisite:
Installation of Access Control has been completed.

Security and Master Data Configuration


Ensure the following master data are configured consistently across the applications. Items marked (Required) are mandatory for the integration to work, not merely recommended. All other items are best-practice recommendations to ensure seamless integration for the users working with the data.

1. Connectors
   Create the same connector Name, User ID, and password for all systems. Use the same connector User ID and password for web user creation.

GRC Applications Integration Documentation

Page 1 of 33

August 14, 2007



2. Web User
   This user is used to communicate between the GRC applications via the web services configured in each application. Use the same User ID and password information from the connector; create a common web user in the UME for all applications. This user will be used for all web service configuration across the GRC applications. (Required)

Example from UME

Example from RE configuration

3. Remote Function Call (RFC) User
   This user is used to communicate between the front-end Java application(s) and back-end target system(s).
   o Create the RFC user with User Type as Communications Data in the target system(s) and assign administrative authorizations for all application(s).
   o Assign appropriate RFC authorization.

4. The following Role Attributes Master Data must be defined and named the same across the GRC applications (Required)
   o Functional Area (Functional Area ID field in RE must exactly match the Functional Area Name field in AE)
   o Business Process (Business Process ID field in RE must exactly match the Business Process Name field in AE)
   o Sub Process (Sub Process ID field in RE must exactly match the Sub Process Name field in AE)



   o Role owner and make them AE approvers

All other key fields are not used by the applications as key integration fields to synchronize data, but it is recommended to create them with consistent descriptions to avoid confusion for the business users (for example, the business process description field).
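One way to check the exact-match requirement in item 4 before enabling the workflows. This is an added example, not SAP code; it assumes the RE and AE values have been copied out of each application into plain lists, and the sample values are constructed.

```python
# Attribute pairs that must match exactly, as listed in the guide:
# (attribute, RE field, AE field)
PAIRS = [
    ("Functional Area", "Functional Area ID", "Functional Area Name"),
    ("Business Process", "Business Process ID", "Business Process Name"),
    ("Sub Process", "Sub Process ID", "Sub Process Name"),
]

def fold(value):
    """Collapse case and whitespace so near-misses can be paired up."""
    return " ".join(value.split()).casefold()

def compare(re_values, ae_values):
    """Classify RE IDs against AE names: exact, near-miss, or missing."""
    re_set, ae_set = set(re_values), set(ae_values)
    exact = re_set & ae_set
    ae_by_fold = {}
    for name in ae_set - exact:
        ae_by_fold.setdefault(fold(name), []).append(name)
    near, missing_in_ae, matched = [], [], set()
    for value in sorted(re_set - exact):
        key = fold(value)
        if key in ae_by_fold:  # same text, different case or spacing
            near.append((value, sorted(ae_by_fold[key])))
            matched.add(key)
        else:
            missing_in_ae.append(value)
    missing_in_re = sorted(n for k, names in ae_by_fold.items()
                           if k not in matched for n in names)
    return {"exact": sorted(exact), "near_miss": near,
            "missing_in_ae": missing_in_ae, "missing_in_re": missing_in_re}

def audit(re_export, ae_export):
    """Run compare() for each required attribute pair."""
    return {attr: compare(re_export[re_field], ae_export[ae_field])
            for attr, re_field, ae_field in PAIRS}

# Constructed sample exports (hypothetical values typed out by hand).
RE_EXPORT = {
    "Functional Area ID": ["FINANCE", "PROCUREMENT", "HR"],
    "Business Process ID": ["Procure to Pay", "Order to Cash"],
    "Sub Process ID": ["Vendor Maintenance", "Invoice Processing"],
}
AE_EXPORT = {
    "Functional Area Name": ["FINANCE", "Procurement", "HR"],
    "Business Process Name": ["Procure to Pay", "Order to Cash "],
    "Sub Process Name": ["Vendor Maintenance"],
}

if __name__ == "__main__":
    for attr, result in audit(RE_EXPORT, AE_EXPORT).items():
        print(attr, result)
```

Near-misses are the entries most worth reviewing: they look identical on screen but differ in case or spacing, so they fail an exact match.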

AE Integration Configuration
Integrating CC with AE provides the ability to workflow approvals of mitigation control changes. When a user creates and/or updates a mitigation control in CC, the request is sent to AE for the appropriate mitigation control owner's approval, based on the workflow configuration.

1. Upload Append File


Note: Ignore this step if the XML files are already loaded. You can verify this by reviewing the Request Type and Priority screen in Request Configuration and ensuring that the objects below exist for RE and CC.

a. The append file for AE is provided with the CC or RE installation or can be found in SAP Marketplace. Copy files:
   i. AE_init_append_data_cc.xml
   ii. AE_init_append_data_re.xml
   Note: The append file is not build dependent.
b. Log in to Access Enforcer with administrator privileges.
c. Go to Configuration > Initial System Data.
d. Enter the append file and select the Append option. Click Import.



The append file loads the following information in Access Enforcer:
o CC and RE Workflow Types (Configuration > Miscellaneous)
   o CC Workflow Types:
      Mitigation Control (MITICTRL)
      Mitigation Object (MITIOBJ)
      Risk (RISK)
   o RE Workflow Type:
      Role Expert (RE)
o CC and RE Request Configuration Request Types and Priorities
   o CC Request Types:
      Delete, Create, and Update Mitigation Control
      Delete, Create, and Update Mitigation Object
      Delete, Create, and Update Risk
   o RE Request Type:
      RE Role Approval (RE_ROLE_APPROVAL)
   o CC Priorities:
      MC_HIGH Mitigation Control
      MO_HIGH Mitigation Object
      RS_HIGH Risk
   o RE Priority:
      RE_HIGH Role Expert

2. Configure Request Types for CC and RE integration


Select and make active the request types you wish to use.



Delete Mitigation Control

Create Mitigation Control

Update Mitigation Control



Delete Mitigation Object

Create Mitigation Object

Update Mitigation Object



Role Approval in RE

Delete Risk

Create Risk



Update Risk

3. Configure Request Priority


Enter or modify Priority description as appropriate

4. Retrieve URI for Risk Analysis web service configuration in Step 5.


a. Enter the URL below to get to Web Services Navigator:
   http://<server>:<port>/index.html
   Example: http://iwdfvm2363:51000/index.html, where server = iwdfvm2363 and port = 51000.



b. Scroll down the screen and click the + next to VirsaCCRiskAnalysisService. Click Document.

c. Right-click the WSDL http: address and select Copy Shortcut.

5. Configure Risk Analysis integration with Compliance Calibrator


a. Select 5.2 Web Service from the drop-down.
b. Enter the Risk Analysis URI WSDL shortcut obtained from Step 6 above:
   http://<server>:<port>/VirsaCCRiskAnalysisService/Config1?wsdl&style=document
   Example: http://iwdfvm2363:51000/VirsaCCRiskAnalysisService/Config1?wsdl&style=document

6. Configure Mitigation integration with Compliance Calibrator


a. Repeat Step 4 above to get the Mitigation URI:
   http://<server>:<port>/VirsaCCMitigation5_0Service/Config1?wsdl&style=document
   Example: http://iwdfvm2363:51000/VirsaCCMitigation5_0Service/Config1?wsdl&style=document

b. Repeat Step 4 above to get the Risk Search URI:
   http://<server>:<port>/VirsaCCRisk5_0Service/Config1?wsdl&style=document
   Example: http://iwdfvm2363:51000/VirsaCCRisk5_0Service/Config1?wsdl&style=document


c. Repeat Step 4 above to get the Org Rule Search URI:
   http://<server>:<port>/VirsaCCOrgRules5_3Service/Config1?wsdl&style=document
   Example: http://iwdfvm2363:51000/VirsaCCOrgRules5_3Service/Config1?wsdl&style=document



7. Configure Request Attributes
Enable the appropriate request attributes you wish to use.

8. Custom Fields for Workflow Integration


The following custom fields are pre-delivered with AE for workflow integration with CC risk and mitigation.



9. Configure Workflow Initiators

For Role Expert workflow
a. RE INITIATOR
   Initiator for Role Expert approval workflow integration with AE. Requests for role create/update approval from RE are sent to AE via web service to trigger this initiator.

For Compliance Calibrator workflow
b. For CC Users/Roles/Profiles mitigation changes: CC_MITIGATION_CHANGE.
   Requests for mitigated users, roles, or profiles update approval from CC are sent to AE via web service to trigger this initiator.


c. For CC Mitigating Control changes: CC_MITIGATION_INITIATOR.
   Requests for mitigating control create/update approval from CC are sent to AE via web service to trigger this initiator.


d. For CC Risk changes: CC_RISK CHANGE.
   Requests for risk create/update approval from CC are sent to AE via web service to trigger this initiator.

10. Configure Custom Approver Determinator (CAD)


Access Enforcer does not need a CAD for AE workflow within AE. For RE and CC, a CAD must be created for each workflow integration.


For Role Expert Workflow
The Custom Approver Determinator determines the approver for role approval initiated from RE. Create the RE CAD with:
o CAD Type = Web Service
o Workflow Type = RE
o URI
  This URI can be retrieved by repeating Step 6 above. Choose

URI: http://<server>:<port>/AEWFCADApproversServiceWS_5_2/Config1?wsdl&style=document



For Compliance Calibrator Workflow
1. For CC Users/Roles/Profiles mitigation change approver
   o Create CAD with CAD Type = Attribute
   o Workflow Type = Mitigation Object

   Select appropriate attributes for approver determination. In this example, Request Type is the only attribute selected to determine approvers. You can also select additional attributes such as Business Process to differentiate approvers for different processes, etc. Assign approvers for each Request Type.

2. For CC Mitigating Control changes approver
   o Create CAD with CAD Type = Attribute
   o Workflow Type = Mitigation Control


   Select appropriate attributes for approver determination. In this example, Request Type is the only attribute selected to determine approvers. You can also select additional attributes such as Business Process to differentiate approvers for different processes, etc. Assign approvers for each Request Type.



3. For CC Risk changes
   o Create CAD with CAD Type = Attribute
   o Workflow Type = Risk

   Select appropriate attributes for approver determination. In this example, Request Type is the only attribute selected to determine approvers. You can also select additional attributes such as Business Process to differentiate approvers for different processes, etc. Assign approvers for each Request Type.



11. Configure Workflow Stages

For Compliance Calibrator Workflow
1. Create CC Users/Roles/Profiles Mitigation Workflow Stage


Configure Stage Details



2. Create CC Mitigating Control Workflow Stage


3. Create CC Risk Change Workflow Stage


12. Configure Workflow Paths


Workflow paths must be configured for all RE and CC workflows. These are the approval paths that will be triggered via the integration initiators configured above.

For Role Expert Approval Workflow

For Compliance Calibrator Workflows



1. Create CC Risk Change Workflow Path

2. Create CC Mitigation Change Workflow Path

3. Create CC Mitigating Control Change Workflow Path


13. Configure Role Attributes


There is an option to set Role Expert as the system for role source.

14. Miscellaneous Configuration

Workflow Types
Configure Exit URI for all integration workflow types. All workflow Exit URIs are the same.

For CC MITCTRL, MITOBJ, RISK, enter this Exit URI:
http://<server>:<port>/VirsaCCWFExitService5_2Service/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/VirsaCCWFExitService5_2Service/Config1?wsdl&style=document

For RE, enter this Exit URI:
http://<server>:<port>/AEWFExitServiceWS_5_2/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/AEWFExitServiceWS_5_2/Config1?wsdl&style=document


Scroll to right hand side of screen and enter the correct User Name and Password (maintained in UME) for the Exit URI. Ensure all workflow types are Active.

CC Integration Configuration
1. Configure Workflow Options
The workflow options are set to yes to enable workflow integration with AE to provide approval workflow for risk, mitigating control, and mitigation maintenance.

Workflow Service URL:
http://<server>:<port>/AEWFRequestSubmissionService_5_2/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/AEWFRequestSubmissionService_5_2/Config1?wsdl&style=document



RE Integration Configuration
1. Configure Workflow Approval Criteria
This configuration provides the role approvers for role approval in AE. Enter the Group Name. Select the appropriate attributes to determine approvers. For example, if you select only Business Process and Sub Process, your approvers will be determined by the combination of these 2 attributes.

Example: Assigning the approver(s) for the FINANCE group name. Assigning Cyrus Perkins as the approver for the Procure to Pay business process and Vendor Maintenance sub process.

Enter FINANCE for Group Name. Click on + sign to add attributes Business Process and Sub Process.


Click on Assign Approvers. Click on the + sign to add value Procure to Pay for Business Process and Vendor Maintenance for Sub Process. Click on the + sign to add (via search icon) Cyrus Perkins as Approver and Alternate Approver.



2. Miscellaneous Configuration
Configure Web Services integration for Risk Analysis, Transaction Usage, Mitigation, CC Function, and AE workflow. The web service calls from RE to CC perform risk analysis, mitigation, retrieval of functions for authorization data, and transaction usage analysis. The web service call from RE to AE is for role update approval.

Web service for Risk Analysis integration with CC
http://<server>:<port>/VirsaCCRiskAnalysisService/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/VirsaCCRiskAnalysisService/Config1?wsdl&style=document

Web service for Transaction Usage integration with CC
http://<server>:<port>/VirsaCCActionUsageService/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/VirsaCCActionUsageService/Config1?wsdl&style=document

Web service for Mitigation integration with CC
http://<server>:<port>/VirsaCCMitigation5_0Service/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/VirsaCCMitigation5_0Service/Config1?wsdl&style=document

Web service for CC Function integration
http://<server>:<port>/VirsaCCFunction5_0Service/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/VirsaCCFunction5_0Service/Config1?wsdl&style=document

Web service for AE role approval workflow integration
http://<server>:<port>/AEWFRequestSubmissionService_5_2/Config1?wsdl&style=document
Example: http://iwdfvm2363:51000/AEWFRequestSubmissionService_5_2/Config1?wsdl&style=document
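The AE, CC and RE steps above each paste a WSDL URI into a different screen, so a wrong service name or a stray space is easy to miss. The following is an added example (not SAP code) that checks a set of configured URIs against the service names given in this guide; the (application, setting) labels and the sample mistakes are constructed for illustration.

```python
from urllib.parse import urlsplit

# Service per (application, setting), from this guide; labels are example shorthand.
EXPECTED = {
    ("AE", "Risk Analysis"): "VirsaCCRiskAnalysisService",
    ("AE", "Mitigation"): "VirsaCCMitigation5_0Service",
    ("AE", "Risk Search"): "VirsaCCRisk5_0Service",
    ("AE", "Org Rule Search"): "VirsaCCOrgRules5_3Service",
    ("AE", "RE CAD"): "AEWFCADApproversServiceWS_5_2",
    ("AE", "Exit URI (CC)"): "VirsaCCWFExitService5_2Service",
    ("AE", "Exit URI (RE)"): "AEWFExitServiceWS_5_2",
    ("CC", "Workflow Service URL"): "AEWFRequestSubmissionService_5_2",
    ("RE", "Risk Analysis"): "VirsaCCRiskAnalysisService",
    ("RE", "Transaction Usage"): "VirsaCCActionUsageService",
    ("RE", "Mitigation"): "VirsaCCMitigation5_0Service",
    ("RE", "CC Function"): "VirsaCCFunction5_0Service",
    ("RE", "AE Workflow"): "AEWFRequestSubmissionService_5_2",
}
QUERY = "wsdl&style=document"

def expected_uri(key, host):  # host is "server:port"
    return f"http://{host}/{EXPECTED[key]}/Config1?{QUERY}"

def check_uris(configured, host):
    """Return {setting: [problems]} for each missing or mismatched URI."""
    findings = {}
    for key, service in EXPECTED.items():
        uri, problems = configured.get(key), []
        if uri is None:
            problems.append("not configured")
        elif any(ch.isspace() for ch in uri):
            problems.append("contains whitespace")
        else:
            parts = urlsplit(uri)
            if parts.netloc != host:
                problems.append(f"host is {parts.netloc!r}, expected {host!r}")
            if parts.path != f"/{service}/Config1":
                problems.append(f"path is {parts.path!r}, expected /{service}/Config1")
            if parts.query != QUERY:
                problems.append(f"query is {parts.query!r}, expected {QUERY!r}")
        if problems:
            findings[key] = problems
    return findings

# Constructed sample: the guide's example host with three deliberate mistakes.
HOST = "iwdfvm2363:51000"
SAMPLE = {key: expected_uri(key, HOST) for key in EXPECTED}
SAMPLE[("AE", "Risk Search")] = expected_uri(("AE", "Mitigation"), HOST)
SAMPLE[("RE", "CC Function")] = SAMPLE[("RE", "CC Function")].replace("document", "docum ent")
del SAMPLE[("CC", "Workflow Service URL")]

if __name__ == "__main__":
    for key, problems in check_uris(SAMPLE, HOST).items():
        print(key, problems)
```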


You have completed workflow integration configuration for Access Control 5.2.
