You are on page 1of 23

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.

0
Applies to:
SAP BusinessObjects Access Control 10.0, SAP BusinessObjects Process Control 10.0

Summary
SAP BusinessObjects Access Control (AC) is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, superuser maintenance, and periodic compliance certification. AC delivers immediate visibility of the current risk situation with real-time data. SAP BusinessObjects Process Control (PC) is an enterprise software solution for compliance and policy management. The compliance management capabilities enable organizations to manage and monitor their internal control environment. This provides the ability to proactively remediate any identified issues, and then certify and report on the overall state of the corresponding compliance activities. The policy management capabilities support the management of the overall policy lifecycle, including the distribution and attestation of policies by target groups. These combined capabilities help reduce the cost of compliance and improve management transparency and confidence in overall compliance management processes. With the release of GRC 10.0, Access Control and Process Control are offered as an integrated solution, both at the data layer and at the user interface layer. This new unified platform enables increased harmonization of key master data. Organization, process and control structures can now be shared across components of Access Control and Process Control, which supports a more integrated approach to governance, risk, and compliance. Access risks identified in Access Control can be mitigated using controls managed by Process Control, as an example. This document details methods for harmonizing data across Access Control and Process Control.

Authors: Created on: Version:

Ankur Baishya, SAP Customer Solution Adoption GRC Solution Management 31 August, 2011 3.0

2011 SAP AG

Typographic Conventions
Type Style Example Text Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation Example text Emphasized words or phrases in body text, graphic titles, and table titles File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for example, F2 or ENTER.

Icons
Icon Description Caution Note or Important Example Recommendation or Tip

Example text

Example text

<Example text>

EXAMPLE TEXT

2011 SAP AG

Table of Contents Applies to: ....................................................................................................................................... 1 Summary ......................................................................................................................................... 1 1. 2. 3. Management Overview ........................................................................................................ 9 Technical Prerequisites .................................................................................................... 10 Enable PC Controls for AC Assignment ......................................................................... 10 3.1 3.2 3.3 3.4 3.5 3.6 3.7 4. Shared Data ................................................................................................................ 10 Maintain Owners ......................................................................................................... 11 Maintain Organization Unit ......................................................................................... 12 Assign Owners to Org Unit ......................................................................................... 13 Select Organization Unit Subprocess / Control .......................................................... 14 Edit Local Control for Assignment in Access Control ................................................. 14 Assign Local Control to Access Risk .......................................................................... 16

Manage AC Created Controls in Process Controls ........................................................ 18 4.1 4.2 4.3 4.4 4.5 Identify Business Processes in Process Control to be shared with Access Control .. 18 Create Access Control Business Processes .............................................................. 19 Map AC Business Processes to PC Processes ......................................................... 21 Create AC Mitigating Control ...................................................................................... 24 Maintain the Mitigating Control in Process Control .................................................... 26

5. 6.

Related Content ................................................................................................................. 28 Feedback ............................................................................................................................ 28

2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

1.

Management Overview
Enabling local controls in Process Control for assignment in Access Control Managing Access Control mitigating controls in Process Control

Two main scenarios are described in this document:

The GRC 10.0 platform provides the option of sharing master data across capabilities. Specifically, organizations, processes, subprocesses, and controls can be shared between Access Control and Process Control. Organization data can be shared or segmented based on a companies internal policies. Access to data is controlled by user authorization. Integration provides various benefits across different application uses, including: Unified Master Data decreases the total cost of ownership and provides more consistent data across the system landscapes Shared Application Roles no redundancy in control and risk owners Full cycle remediation process end-to-end compliance across GRC processes

Integration is also available by creating a PC SOD Control, which offers automated access risk analysis from an automated control in Process Control.

Page 9 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

2.

Technical Prerequisites

In previous releases, AC and PC integration used web services. However, with the harmonized GRC10.0 platform, the use of web services is no longer required. NOTE This guide discusses only AC and PC Integration scenarios and associated process steps. Prior knowledge of AC and PC concepts is recommended. The prerequisites include the following: Install the GRCFND_A software component and activate AC and PC on the same client. Complete the post-installation steps for AC and PC listed in the SAP BusinessObjects Access Control 10.0 / Process Control 10.0 / Risk Management 10.0 Installation Guide at http://service.sap.com/instguides. For new deployments, the Organization, Control, Business Process, and Subprocess data shared between AC and PC must be identified and maintained in the platform. For customers upgrading to the 10.0 release, Organization, Control, Business Process and Subprocess data shared between AC and PC must go through data transformation before migration and upgrade. See the SAP BusinessObjects Access Control 10.0 Migration Guide (http://service.sap.com/instguides) for details. You must configure Access Risk Analysis in AC. Create the connector to your ERP system, either upload or activate the rule set, generate the rules, and perform synchronization in the following order: o o o o PFCG Role Profile User

3. Enable PC Controls for AC Assignment


Data is shared between Access Control and Process Control. This data includes Organizations, Business Processes, Subprocesses, and Controls. How this data is exposed and shared to your users depends on how your business utilizes AC and PC. This chapter describes the steps to assign local controls in Process Control for use as mitigating controls in Access Control. This option allows customers with both products to leverage a single set of controls. The option also enables Access Control customers to measure the effectiveness of their mitigating controls via Process Controls automated and semi automated testing.

3.1 Shared Data


GRC 10.0 is a harmonized platform. Although maintenance of data within AC and PC is similar in 10.0 as it was in previous releases, there are some key differences. The following master data is shared between AC and PC for the release 10.0 integration scenario.

Page 10 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

Organizations Business Processes Business Subprocesses Controls

This diagram provides an overview of the steps required to enable local PC controls for assignment as mitigating controls in Access Control:

Assign Owners as Monitors & Approvers (AC Owners)

Select Compliance Org Unit (Organizations)

Select Process / Subprocess (Org Unit)

Select PC Local Control (Org Unit)

Assign Monitor & Approver (Org Unit)

Assign Mitigating Control ID

Assign Access Risks

Assign Approver & Monitor

3.2 Maintain Owners


Go to Access Owners Access Control Owners Create On this screen, identify the users or user groups who should be Mitigation Monitors and Approvers.

Page 11 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

3.3 Maintain Organization Unit


Go to Master Data Organizations Navigate to the appropriate Organization Unit and click Open.

Navigate to all tabs associated with the Organization Unit.

Page 12 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

3.4 Assign Owners to Org Unit


Organization Unit Owners Tab. Assign the appropriate owners to the Organization Unit by using the Add Row button. The list of owners available is based on the owners identified in step 3.2.

Page 13 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

3.5 Select Organization Unit Subprocess / Control


Organization Unit Subprocess Tab. Select the subprocess and control which will be assigned to an access risk. Click Open to view/edit the local control.

3.6 Edit Local Control for Assignment in Access Control


Local Control General Tab. Update the Mitigating Control ID field. Note: Once saved, the mitigating Control ID cannot be changed.

Page 14 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

Local Control Access Risks Tab. Assign the Access Risks that the Control will be available to mitigate in Access Control.

Local Control Owners Tab. Assign a Mitigation Approver and Mitigation Monitor to the Control; one of each is required. The list of available owners is based on the owners assigned to the organization unit in step 3.4. Save changes to the control.

Page 15 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

3.7 Assign Local Control to Access Risk


Access Risk Analysis User Level Risk Analysis. Define and run an access risk analysis.

Access Risk Analysis Risk Analysis Results. In the risk analysis results, select the access risks you assigned to the control in Step 3.6. Click the Mitigate Risk button.

Page 16 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

Access Risk Analysis Assign Mitigation Controls. In the Assign Mitigation Control window you see the mitigating Control ID assigned to the access risks along with the Monitor ID. If you do not see the correct Control ID, search for it in the Control ID column. You can also view details of the control by highlighting a row and clicking View Details /Control ID. Click Save to save the mitigation control assignment.

Page 17 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

4. Manage AC Created Controls in Process Controls


This section discusses how to maintain Mitigating Controls (created in Access Control) in Process Control. This option allows users familiar with Access Control to continue maintaining Mitigating Controls in the same user interface they used before. However, the control they maintain will also display and be available from Process Control. The benefit of this option is there is little impact on existing Access Control users. Yet the mitigating controls can be measured for effectiveness via Process Controls automated and semi-automated testing.

Create Process & Subprocess (IMG)

Assign Owners as Monitors & Approvers (AC Owners)

Select Compliance Org Unit (Organizations)

Create Control (Access Risk)

Map PC Process & Subprocess (PC Process)

Assign Monitor & Approver (Org Unit)

Assign Mitigating Control ID

Assign Access Risks

Assign Approver & Monitor

4.1 Identify Business Processes in Process Control to be shared with Access Control
Master Data Activities and Processes Business Processes. Identify the Process and Subprocess that will be shared between Access Control and Process Control.

Page 18 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

4.2 Create Access Control Business Processes


Access Control Business Processes are maintained in the backend IMG. SPRO SAP IMG Reference Governance, Risk and Compliance Access Control Maintain Business Processes and Subprocesses Create Business Processes and Subprocesses which map to the Business and Subprocesses in Process Control identified in 4.1.

Page 19 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

Enter the Business Process, save it and select the green arrow to go back.

Select the process you created and double click Business Subprocess

Enter the Subprocesses, save it and select the green arrow to navigate back

Page 20 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

4.3 Map AC Business Processes to PC Processes


Master Data Activities and Processes Business Processes. In this step you map the processes created in the AC IMG to the Processes in PC. This step allows controls created in AC to be assigned in PC.

Page 21 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0 Select the Process and click Open.

In the Process, map the Process you created in Step 4.2. These display in the Business Process drop down.

Next, choose a subprocess to map and click Open.

Page 22 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

In the Subprocess, map the Subprocess you created in Step 4.2. These display in the Business Subprocess dropdown.

Page 23 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

4.4 Create AC Mitigating Control


The Mitigating Control screen is used by Access Control for creating mitigating controls that are assigned to access risks. Although this screen is not needed to create mitigating controls (as described in Chapter 3), customers may continue creating mitigating controls using this interface. It is important to have completed the mapping steps described in section 4.3 before creating controls using this interface.

In the Mitigating Controls list, click the Create button to create a new mitigating control

Page 24 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0 Enter the Mitigating Control information. Select the correct Organization Unit to assign the mitigating control. Select the Process and Subprocess. These display based on the entries done in Step 4.2

Assign the Access Risks that this mitigating control is valid for.

Assign an Approver and Monitor Owner to the mitigating control. One of each is required. Review Chapter 3 for more information on assigning owners.

Page 25 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

4.5 Maintain the Mitigating Control in Process Control


The Mitigating Control created in Step 4.4 can now be maintained using the Process Control maintenance screens. Go to Master Data Organization. Find the Organization Unit you assigned the mitigating control, and click Open

On the Organization Screen, select the Subprocess tab. On this tab you will find the Subprocess and Control assigned to Organization Unit. Select the control and click Open

The control information entered on the mitigating control screen is available. The control can now be updated with testing plans and other effectiveness testing details. The Access Risks and Owners tabs are also available and contain the details of the access risks and owner assignments made from the mitigating control screen.

Page 26 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

The Access Risks Screen.

The Owners Screen.

Page 27 2011 SAP AG

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

5. Related Content
On the Web go to: http://help.sap.com Business User Governance, Risk and Compliance www.sdn.sap.com/irj/bpx/grc

6. Feedback
Your feedback regarding this document is important to us. Send comments to GRC_RIG@sap.com Copyright/Trademark

7. copyrigth
Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Oracle Corporation. JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Page 28 2011 SAP AG