Operations Guide For SAP Access Control 10.1, SAP Process Control 10.1, and SAP Risk Management 10.1

Operations Guide PUBLIC
13-07-25
Operations Guide for SAP Access Control 10.1, SAP

Process Control 10.1, and SAP Risk Management 10.1
Content
1 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Global Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Important SAP Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
2 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Related Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 Monitoring of the Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 CCMS Monitor Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.3 Alert Monitoring with CCMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Component Specific Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
3.4 Detailed Monitoring and Tools for Problem and Performance Analysis. . . . . . . . . . . . . . . . . . . . . . . . . 17
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Trace and Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Operating System Monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Workload Monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Other Important Problem Analysis and Monitoring Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Interface Monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.5 Important Application Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4 Managing the Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.2 Starting and Stopping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.3 Backup and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
4.4 System Copy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.5 Periodic Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Scheduled Periodic Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.6 Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.7 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.8 Printing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5 High Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6 Software Change Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Operations Guide for SAP Access Control 10.1, SAP Process Control 10.1, and SAP Risk
Management 10.1
2 PUBLIC Content
6.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
6.2 Transport and Change Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
6.3 Development Requests and Development Release Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.4 Quality Management and Test Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.5 Support Packages and Patch Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
8 Configuring Remote Connection to SAP Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

8.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
8.2 Read Only Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
9 Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.1 Categories of System Components for Backup and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.2 Related Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Management 10.1
Content PUBLIC 3
1 Getting Started
1.1 Introduction
The Operations Guide provides administration information for Access Control, Process Control, and Risk
Management.
SAP Access Control is an enterprise software application that enables organizations to control access and
prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application
streamlines compliance processes, including access risk analysis and remediation, business role management,
access request management, emergency access maintenance, and periodic compliance certifications. It delivers
visibility of the current risk situation with real-time data.
SAP Process Control is an enterprise software solution for compliance and policy management. The compliance
management capabilities enable organizations to manage and monitor its internal control environment. This
provides the ability to remediate any identified issues, and then certify and report on the state of the
corresponding compliance activities. The policy management capabilities support the management of the overall
policy lifecycle, including the distribution and attestation of policies by target groups. These combined capabilities
help reduce the cost of compliance and improve management transparency and confidence in compliance
management processes.
SAP Risk Management enables organizations to balance business opportunities with financial, legal, and
operational risks to minimize the market penalties from high-impact events. The application allows customers to
identify these risks and monitor them on a continuous basis. Stakeholders and owners are provided with such
tools as analytic dashboards for visibility in mitigating risks in their areas of responsibility.
About this Guide
This guide provides a starting point for managing your SAP applications and maintaining and running them. It
contains information for tasks and lists the tools to implement them. This guide also provides references to the
documentation required for these tasks.
Note
The guide refers to the SAP NetWeaver Operations Guide as most production operation tasks are done at the
server level. The application tasks are in the Monitoring and Management sections.
Caution
This guide does not replace the daily operations handbook that we recommend customers create for their
production operations.
Target Groups
Management 10.1
4 PUBLIC Getting Started
The guide is written for the following audiences:
● Technical Consultants
● System Administrators
● Solution Consultants
● Business Process Owner
● Support Specialist
1.2 Global Definitions
SAP Application:
An SAP software solution that serves a specific business area like ERP, CRM, PLM, SRM, SCM.
Business Scenario:
From a microeconomic perspective, a business scenario is a cycle that consists of several different
interconnected logical processes in time. A business scenario includes several company departments and
business partners. From a technical point of view, a business scenario needs at least one SAP application (SAP
ERP, SAP SCM, or others) for each cycle and possibly other third-party systems. A business scenario is a unit that
can be implemented separately and reflects the customer’s prospective course of business.
Component:
The smallest individual unit considered within the Solution Development Lifecycle. Components are separately
produced, delivered, installed, and maintained.
1.3 Important SAP Notes
For a list of important SAP Notes for the applications, see the following:
● For Access Control, see the SAP Access Control 10.1 Master Guide at http://help.sap.com/grc-ac .
● For Process Control, see the SAP Process Control 10.1 Master Guide at http://help.sap.com/pc .
● For Risk Management, see the SAP Risk Management 10.1 Master Guide at http://help.sap.com/rm .
Management 10.1
Getting Started PUBLIC 5
2 Technical System Landscape
2.1 Introduction
For information about the technical system landscape and the software component matrix, see the application
master guides.
● SAP Access Control 10.1 Master Guide at http://help.sap.com/grc-ac .

● SAP Process Control 10.1 Master Guide at http://help.sap.com/pc
● SAP Risk Management 10.1 Master Guide at http://help.sap.com/rm .
Scroll down to the Installation information to find a link to the Master Guide.
2.2 Related Documentation
For more information about the technical system landscape, see the guides in the following table.
Table 1:
Topic Guide/Tool Link on SAP Service Marketplace
Application and industry specific compo Master Guide http://service.sap.com/instguides

nents such as SAP Financials and SAP
Retail
Technology Components such as SAP

NetWeaver Application Server
Technical Configuration
Sizing Quick Sizer Tool http://service.sap.com/sizing
Installation Installation Guide http://service.sap.com/instguides
Security Security Guide http://service.sap.com/security
Management 10.1
6 PUBLIC Technical System Landscape
3 Monitoring of the Application
3.1 Introduction
The information in this section applies to Access Control, Process Control, and Risk Management. Within the
management of SAP Technology, monitoring is an essential task. The Computing Center Management System
(CCMS) is a set of integrated tools for monitoring and administration of SAP system landscapes. The transaction
code is RZ20.
Recommendation
For more information about the underlying technology, see the Technical Operations for SAP NetWeaver at
http://help.sap.com/netweaver SAP NetWeaver Platform System Administration and Maintenance
Information
3.2 CCMS Monitor Templates
This section lists the CCMS monitor sets you can use to monitor the application components. The CCMS Monitor
Templates include the following:
● Background processing
● Performance overview
● Syslog
The SAP Web Service Monitor Template is Web Service Monitor.
Management 10.1
Monitoring of the Application PUBLIC 7
Figure 1: CCMS Monitor Template and Web Service Monitor
3.3 Alert Monitoring with CCMS
3.3.1 Introduction
Proactive, automated monitoring is the basis for ensuring reliable operations for your SAP system environment.
SAP provides you with the infrastructure needed to set up your alert monitoring to recognize situations for Access
Control, Process Control and Risk Management as quickly as possible.
Recommendation
To enable the auto-alert mechanism of CCMS, see SAP Note 617547 .
Management 10.1
8 PUBLIC Monitoring of the Application
3.3.2 Component Specific Monitoring
You monitor the following data in the SAP Standard CCMS tool for Access Control, Process Control and Risk
Management:
● Background job
● Performance Overview
● DB access time
● System log
● System errors
● Web Services Call
Background Jobs
You monitor the background job status for jobs that are aborted, canceled, or have been running for a long time.
Example
This is an example of background jobs with the status of Long Running Jobs and Aborted Jobs:
Figure 2: Background Jobs with status of Long Running Jobs and Aborted Jobs
Management 10.1
Example
The following graphic illustrates that BFC_001 through BFC_005 jobs have the status of Canceled:
Figure 3: Job Overview
You can check the details of canceled jobs by selecting a job and clicking Step. The following graphic is an example
of the details for a selected job.
Note
The Program name/command for the applications start with GRAC, GRPC, or GRFN. They should be alerted.
Management 10.1
Figure 4: Details of a Job
Performance Overview
In the Performance Overview CCMS Monitor Templates, look for processes with a high Response Time.
Note
● Access Control processes begin with GRAC.
● Process Control processes begin with GRPC.
● Risk Management processes begin with GRFN.
Example
The following figure illustrates that the GR4 system has a response time of 1448 milliseconds.
Management 10.1
Figure 5: System Response Time
Management 10.1
Example
The following graphic illustrates an example of Process Control process (GRPCRTA_PC):
Figure 6: Workload in System
System Logs
Monitor system logs for any errors.
Example
The following graphic illustrates that the R3Syslog displays a runtime error.
Management 10.1
Figure 7: Runtime error
You can review the System Log (Syslog): Local Analysis for errors.
Note
● Access Control transaction codes start with GRAC.
● Process Control transaction codes start with GRPC.
● Risk Management transaction codes start with GRFN.
Management 10.1
Example
The following graphic illustrates local analysis of Process Control transaction codes:
Figure 8: Local Analysis
Access the complete list of Access Control transaction codes with transaction code SE93. Search for GRAC*.
Some of the most used codes include:
Table 2: Access Control Transaction Codes
Transaction Code Description
NWBC Access the majority of the Access Control capabilities and

reports (role: SAP_GRC_NWBC)
GRAC_ALERT_GENERATE Alert generation
GRAC_BATCH_RA Risk Analysis in Batch Mode
GRAC_EAM Emergency Access Management (EAM) Launchpad Logon
GRAC_SPM_CLEANUP Cleanup EAM (SPM) Application Data
GRACRABATCH_MONITOR Batch Risk Analysis Monitor
Management 10.1
System Errors
You review the CCMS Monitor Templates (System Errors) for error messages.
Example
The following graphic illustrates system errors such as Aborted Batch Jobs and Update Errors:
Figure 9: System Errors
Web Services
You monitor the SAP Web Service Monitor Templates for errors.
Example
The following graphic illustrates the following monitors:
● Task Watcher
● Supervisor Destination
Management 10.1
● Web Services Reliable Messaging (WSRM) Event Handler
● Web Services (WS) Namespace for Inbound Destinations
● WS Service Destinations
Figure 10: Monitors
3.4 Detailed Monitoring and Tools for Problem and

Performance Analysis
3.4.1 Introduction
Process Control, Risk Management and Access Control are based on SAP NetWeaver Web Application Server
7.40.
Recommendation
For information about technical problem analysis (such as database, operating system, or workload analysis)
see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/netweaver SAP
NetWeaver Platform System Administration and Maintenance Information
Management 10.1
3.4.2 Trace and Log Files
The information in this section applies to Access Control, Process Control and Risk Management. Trace files and
log files are essential for analyzing problems. You can use SAP NetWeaver transactions, such as ST22 and SM2, to
monitor trace and log files.
Note
The archiving object for Access Control is GRAC_REQ.
Recommendation
For more information, see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/
netweaver SAP NetWeaver Platform System Administration and Maintenance Information
Additionally, the GRC applications use the SAP NetWeaver application log to store application error warning and
success messages issued in critical processes. For example, the delivery interface between ERP and Process
Control, or in UI transactions stores the messages in the SAP NetWeaver application log. For UI transactions, the
application log must be explicitly saved by the user.
Recommendation
For more information about application logs, see http://help.sap.com/netweaver SAP NetWeaver 7.4
Application Help Function-oriented View (select language) Solution Life Cycle Management Application
Log (BC-SRV-BAL) .
Application Logs – The application logs can be monitored with transaction SLG1.
● The Access Control log object is GRAC.

● The Process Control log object is GRPC.
● The Risk Management log object is GRRM.
● The shared components log object is GRFN.
The following tables list the log subobjects:
Table 3: Access Control Log Subobjects
Log Object Log Subobjects Description
GRAC AUTH Authorization check
GRAC BATCH Batch risk analysis
GRAC HRTRIGGER HR trigger
GRAC SOD_RISK_ANALYSIS Segregation of Duties (SOD) Risk Analy

sis
GRAC SPM Emergency Access Management log
Management 10.1
GRAC UAR User Access Review (UAR)
Table 4: Process Control Log Subogjects
GRPC API GRPC Entity API Calls
GRPC AS_REORG GRPC AS REORG Log
GRPC ATTACHMENTS_CLONING Copy Documents During Carryforward
GRPC ATTACHMENTS_DOWNLOAD Documents download log
GRPC ATTACHMENTS_SERVICES Documents Log for Backend Services
GRPC AUTHORIZE Logging of Authorization Checks
GRPC CASE_INT Case Management Integration
GRPC EVENT Event-based Control Monitoring
GRPC NWBC Netweaver Business Client Integration
GRPC PLANNER Planner
GRPC REPLACEMENT Succession
GRPC SCHEDULER Scheduler log
GRPC SIGNOFF Sign off
GRPC SOD_CHECK Check of Function Separator
Table 5: Risk Management Log Subobjects
GRRM AGGR_RUN Aggregation Run
GRRM ANLS_AUTOMATION Analysis Automation
GRRM CLEANUP Cleanup report to delete transaction

data
GRRM CONTEXT Context Values
GRRM KRI KRI runtime
GRRM MIGRATION Migration
Management 10.1
GRRM RESPONSE_NOTIF Response Due Date Notification
GRRM RESP_AUTOMATION Response Automation
GRRM SURVEY Survey
Table 6: GRC Foundation (shared) Lob Subobjects
GRFN AC_PROV Access Control Provisioning Engine
GRFN AC_REP Access Control Repository
GRFN API GRC API logging
GRFN ASYNC_UPDATE Asynchronous Update Infrastructure
GRFN AUTH GRC authorization
GRFN CASE_INT Continuous monitoring case integration
GRFN FDS Continuous monitoring flexible data

store
GRFN HRMAINT Access to HR ORG maintenance
GRFN IO_EXPORT IO Export
GRFN IO_IMPORT IO Import
GRFN IO_META IO Metadata
GRFN JOB AMF Job Step Execution
GRFN JOB_DESIGN AMF Job Step Design Time
GRFN MDCHECK Master Data Consistency Check
GRFN MIGRATION GRC migration
GRFN MSMP_WF_CN Multi-Stage Multi-Path (MSMP) Work

flow – Configuration
GRFN MSMP_WF_NT Multi-Stage Multi-Path (MSMP) Work

flow – Notification
GRFN MSMP_WF_RT Multi-Stage Multi-Path (MSMP) Work

flow – Runtime
Management 10.1
GRFN OWP Offline Workflow Process
GRFN POLICY Policy Management
GRFN REPLACEMENT GRC replacement
GRFN REP_ENGINE Reporting engine
GRFN RISK_AGGR Risk Aggregation
GRFN RM_BANKING Operational Risk Management for Bank

ing Industry
GRFN SURVEY Survey planning
Job Logs – You can view job logs using transaction SM37.
Workflow Item Logs – You can view the workflow item logs using transaction SWI1.
Recommendation
For more information, see the SAP Library at http://help.sap.com and search for SAP Workflow
Administration.
Scheduler Logs – Process Control only. To view the scheduler logs, log on to the portal, select a regulation
workset and click Rule Setup Scheduling
For a description of the tasks containing data growth, see the Periodic Task [page 26] section in this guide.
3.4.3 Operating System Monitors
Process Control, Risk Management and Access Control use the standard tools for this function available in the
SAP NetWeaver Application Server 7.40 and do not require a component-specific tool.
Recommendation
For information, see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/netweaver
SAP NetWeaver Platform System Administration and Maintenance Information
3.4.4 Workload Monitors
Process Control, Risk Management and Access Control use the standard tools for this function available in the
Management 10.1
Recommendation
For more information, see the Technical Operations Manual for SAP NetWeaver in the SAP Library under SAP
NetWeaver.
Table 7: Components to Monitor
Component Monitor Relevant Application Description
Datamart GRFN_DATAMART_UP Process Control This is the reporting compo

LOAD_BTC nent.
Risk Management
Scheduler GRPC_SCHEDULER Process Control This sends jobs from the

Process Control job query to
the SAP standard job query
(SM36). It retrieves objects
from the HR info type, such as
control and organization In
formation.
KRI Runtime GRRM_KRI_RUNTIME Risk Management Periodic runtime of KRIs.
3.4.5 Other Important Problem Analysis and Monitoring Tools
Process Control, Risk Management, and Access Control use the standard tools for this function available in the
Recommendation
3.4.6 Interface Monitors
Interface monitors analyze problems with interfaces such as RFC, IDoc, and HTTP. Process Control, Risk
Management and Access Control use the standard tools available in the SAP NetWeaver Application Server 7.40
and do not require a component-specific tool.
Recommendation
Management 10.1
3.5 Important Application Objects
We recommend you monitor the following Process Control, Risk Management and Access Control objects:
Table 8: Objects to Monitor
Object Tools Description
Process Overview Transaction SM50 The monitor tracks the amount of time critical processes
such as dialog (DIA), update (UPD), or background (BGD)
have been running. Processes that have been running too
long are shown in red in the runtime column.
Ensure there are enough background work processes on

the GRC system. You can use operation mode to switch
work processes.
Background Process Transaction SM37 Select the jobs by job name, user name, status, and time
period to display a status overview of scheduled jobs. Look
for any canceled jobs.
Process Control and Risk Transaction GRFN_LOG_ENABLE Enable logging for the following subobjects if you need to
Management Application track errors in API or authorization check areas:
Logs
● API — GRC API Logging
● AUTH — GRC Authorization
For troubleshooting, enable logging for REP_ENGINE —

Reporting Engine.
For more information about objects and subobjects, see

Trace and Log Files.
Application Logs Transaction SLG1 Enable the GRPC application logs for potential risk areas,
such as API access and authorization. Using transaction
SPRO, select Governance, Risk and Compliance
Process Control Administration Programs
For more information, see Trace and Log Files.
CCMS Transaction RZ20 Monitor the following:
● SAP buffer configuration

● Database workload
● Operating system workload
● System logs for errors
● System errors for application dumps
● Workload analysis for any performance issues
For more information, see the Technical Operations Man

ual for SAP NetWeaver at help.sap.com/netweaver .
Management 10.1
Object Tools Description
Shared Objects Memory Transaction SHMM Transaction SHMM provides an overview of the area instan
ces in the shared objects memory of the current applica
tion server.
Workflow event queue SWEQADM Use the event queue to delay the starting of receivers re
acting to a triggering event. This spreads the system load
over a longer time period to combat the threat of system
overload. The system administrator sets the event queue.
SICF Transaction SICF Use this transaction to activate Internet services, Web
services, and Web Dynpro.
SIGS Transaction SIGS Use this transaction to view the status of IGS services and
the required parameters.
Management 10.1
4 Managing the Application
4.1 Introduction
The information in this section applies to Process Control, Risk Management and Access Control. SAP provides
you with an infrastructure to help your technical support consultants and system administrators manage all SAP
components and complete tasks related to administration and operation. The underlying technology of Process
Control, Risk Management and Access Control are based on SAP NetWeaver.
4.2 Starting and Stopping
Process Control, Risk Management, and Access Control are provided as add-on components for SAP NetWeaver.
You start and stop them with SAP NetWeaver Web Application Server.
Recommendation
For more information about STARTSAP/STOPSAP and SAPMMC, see the Technical Operations Manual for SAP
NetWeaver at http://help.sap.com/netweaver SAP NetWeaver Platform System Administration and
Maintenance Information
4.3 Backup and Restore
You need to back up your system landscape regularly to ensure that you can restore and recover it in case of
failure. All application data for the applications reside in the underlying database. No special backup and recovery
methods apply for this component.
The applications rely on the SAP NetWeaver ABAP standard capabilities for the technical operations. The
configuration data is stored in the Implementation Guide (IMG) database tables. These settings are established
during the Customizing activities during implementation (transaction SPRO).
Note
If you use a document management system (DMS) that stores data outside of the underlying database, refer to
the backup and restore recommendations for that DMS.
Management 10.1
Managing the Application PUBLIC 25
4.4 System Copy
For a system copy of Process Control, Risk Management or Access, the standard procedures of SAP NetWeaver
apply.
Recommendation
For more information, see the Technical Operations Manual for SAP NetWeaver in the SAP Library.
Heterogeneous system copies are performed on request and on a project basis. For more information, see
http://service.sap.com/osdbmigration .
Note
A client copy from one system into another system with a different operating system or database is not an
alternative to a complete heterogeneous migration. For example, client copies do not ensure that all repository
changes are taken over into the new system. Therefore, if you want to change your database or application
server platform, a heterogeneous system copy is the only procedure that ensures full data replication.
4.5 Periodic Tasks
4.5.1 Introduction
The information in this section applies to Process Control, Risk Management and Access Control. In addition to
the standard jobs mentioned in the Technical Operations Manual for SAP NetWeaver, Process Control, Risk
Management and Access Control specific jobs must be scheduled in your system. Run all jobs, unless otherwise
specified, at times of minimal system activity (so as not to affect performance or otherwise disrupt your daily
operations). All jobs can be restarted. There are no dependencies between the jobs.
4.5.2 Scheduled Periodic Tasks
This information applies to Access Control, Process Control and Risk Management (unless noted). This
information describes the tasks required to keep the application running smoothly. You can configure the tasks to
automatically run. It is important that you monitor the execution of these tasks on a regular basis. The tasks are
scheduled using transaction SM36, except for the Background Job for Missed Deadlines, which uses transaction
SWU3.
Management 10.1
26 PUBLIC Managing the Application
Table 9: Scheduled Periodic Tasks
Program Name/Task Recommended Frequency Description
Schedule Background Job for Missed Every 3 minutes Specify a time interval at which the back
Deadlines ground job is called regularly. With each execu
tion, the background job checks whether new
deadlines have been missed since the last time
it ran.
Schedule Job for Sending E-Mail Every 3 minutes This program checks whether there are new
work items for Process Control and Risk Man
agement, and determines the e-mail addresses
of the work item recipients.
GRFN_AM_JOBSTEP_MONITOR Hourly The monitoring program to update job / job

step status.
/GRCPI/GRIA_AM_CHANGELOG (in Daily This program captures the GRC PC change log.
plug-in system. Process Control only)
Transfer Work Items to Replacement Daily The program transfers work items from users
that are no longer working in Process Control
and Risk Management to the replacement
users entered in the system for these users.
Maintain DataMart Daily Schedule the report

GRFN_DATAMART_MAINTAIN. This can be
used for maintaining and uploading the data to
DataMart.
Execute KRI Queries and Evaluate Busi Daily Schedule the report GRRM_KRI_RUNTIME.
ness Rules You schedule this job to query the KRI values
from the source systems, such as SAP Net
(Risk Management only)
Weaver Business Warehouse or SAP ERP, and
the business rules are evaluated to attain risk
alerts.
Carryforward after Sign-Off After event Schedule the program close

(GRPC_CLOSING_BACKGROUND). Once
(Process Control only)
sign-off has been performed for an organiza
tion, the program copies any open cases to the
new timeframe, and clears the workflows.
Document Copy after Sign-Off After event Schedule a job so that, after tasks have been
carried forward into a new timeframe, the
(Process Control only)
documents for those tasks are also copied into
the new timeframe. This applies to documents
that were created for issues or remediation
plans during assessment and tests.
Management 10.1
Access Control Synchronization Tasks
The following tasks are accomplished through the Customizing activities (transaction SPRO) found at SAP
Reference IMG Governance, Risk, and Compliance Access Control Synchronization Jobs . Also, refer to the
documentation next to each activity for detailed directions.
Note
The frequencies are recommendations, but adjust these according to your business need. For example, when
you are first implementing the product, you might want to run these tasks more often.
Table 10: Access Control Synchronization Tasks
Customizing Task Name Recommended Frequency Transaction
Authorization Synch Weekly GRAC_AUTH_SYNC
Repository Object Synch Daily GRAC_REP_OBJ_SYNC
(includes Profile, Role and User Synchroniza

tion)
Action Usage Synch Daily GRAC_ACT_USAGE_SYNC
Role Usage Synch Daily GRAC_ROLE_USAGE_SYNC
Firefighter Log Synch Daily GRAC_SPM_LOG_SYNC
Firefighter Workflow Synch Daily GRAC_SPM_WF_SYNC
Fetch IDM Schema as needed GRAC_IDM_SCHEMA_SYNC
EAM Master Data Synch as needed GRAC_SPM_SYNC
4.6 Load Balancing
Process Control, Risk Management and Access Control use SAP NetWeaver for load balancing.
Recommendation
Management 10.1
28 PUBLIC Managing the Application
4.7 User Management
Process Control, Risk Management and Access Control use SAP NetWeaver for user management.
Recommendation
For more information, see the documentation on the SAP Help Portal at help.sap.com/netweaver .
● For specific user management and authorization functions, see the application security guides at http://
help.sap.com/grc .
4.8 Printing
Process Control, Risk Management, and Access Control use SAP NetWeaver for printing.
Recommendation
Management 10.1
5 High Availability
Use
Process Control, Risk Management, and Access Control use SAP NetWeaver for high availability.
Integration
Recommendation
For more information, see the documentation at http://www.sdn.sap.com/irj/sdn/ha .
Management 10.1
30 PUBLIC High Availability
6 Software Change Management
6.1 Introduction
Software Change Management standardizes and automates software distribution, maintenance, and testing
procedures for software landscapes and multiple software development platforms. These functions support your
project teams, development teams, and application support teams.
Software Change Management establishes solution-wide change management that allows for specific
maintenance procedures, global rollouts (including localizations), and open integration with third-party products.
This section provides additional information about the most important software components.
The following topics are covered:
● Transport and Change Management:

Enables and secures the distribution of software changes from the development environment to the quality
assurance and production environment.
● Development Request and Development Release Management:
Enables customer-specific maintenance procedures and open integration with third-party products.
● Template Management:
Enables and secures the rollout of global templates, including localizations.
● Quality Management and Test Management:
Reduce the time, cost, and risk associated with software changes.
● Support Packages and SAP Notes Implementation:
Provide standardized software distribution and maintenance procedures.
● Release and Upgrade Management:
Reduces the time, cost, and risk associated with upgrades.
6.2 Transport and Change Management
For transport and change management issues, the procedures of SAP NetWeaver apply.
Recommendation
Management 10.1
Software Change Management PUBLIC 31
6.3 Development Requests and Development Release
Management
The standard procedures of SAP NetWeaver apply. For more information, see the Technical Operations Manual for
SAP NetWeaver in the SAP Library.
6.4 Quality Management and Test Management
You can use the SAP NetWeaver Development Infrastructure to learn about the various possibilities to test your
software changes.
6.5 Support Packages and Patch Implementation
We recommend you implement Support Package Stacks (SP-STACKS), which are sets of Support Packages and
patches for the respective product version that must be used in the given combination.
Read the corresponding Release and Information Notes (RIN) before you apply any Support Packages or Patches
of the selected SP-Stack.
The RIN and support packages for Process Control, Risk Management, and Access Control are available in the
SAP Service Marketplace at http://service.sap.com/patches .
Recommendation
For information about the tools required for implementing patches, see the Technical Operations Manual for
SAP NetWeaver at http://help.sap.com/netweaver SAP NetWeaver Platform System Administration
and Maintenance Information
Management 10.1
32 PUBLIC Software Change Management
7 Troubleshooting
Use
Access Control, Process Control, and Risk Management are provided as add-on components for SAP NetWeaver
and use the same troubleshooting tools for the SAP NetWeaver Application server.
Recommendation
For more information about troubleshooting the SAP NetWeaver Application server, see the Technical
Operations Manual for SAP NetWeaver.
Use the following components when reporting issues:
● GRC-SAC for Access Control

● GRC-SPC for Process Control
● GRC-RM for Risk Management
Process
Troubleshooting Process Control Scheduler
The following troubleshooting procedure applies to the Process Control scheduler function only.
Symptom
The Monitor Scheduler does not display Completed.
Procedure
1. Determine if the cause is in Process Control or the ERP server.

1. In the Monitor Scheduler, select the line item and click Show Log. The details screen appears.
2. Select the job and click Job Status. This shows the job log for process control. If the Job Detail button is
disabled, the cause is in Process Control. If the Job Detail button is enabled, the cause is in the ERP
application.
2. Do the following to troubleshoot issues in Process Control:
1. In transaction SM37, enter the job name, user, and date, and click Log to display the Job Status.
2. If there is an ABAP dump, click the line item or go to transaction ST22 to view more information to
address the issue.
3. Do the following to troubleshoot issues in the ERP server:
1. In transaction SM37, enter the job name and date, and click Log to display the Job Detail.
2. If there is an ABAP dump, click the line item or go to transaction ST22 to view more information to
address the issue.
Management 10.1
Troubleshooting PUBLIC 33
The information for troubleshooting Process Control is maintained in SAP Notes. For troubleshooting information,
see SAP Note 1302302 Troubleshooting Guides for PC.
Management 10.1
34 PUBLIC Troubleshooting
8 Configuring Remote Connection to SAP
Support
8.1 Introduction
SAP offers access to remote support and remote services. You have to set up a remote network connection to
SAP.
Recommendation
For more information, see SAP Service Marketplace at http://service.sap.com/remoteconnection .
8.2 Read Only Role
Use
For remote support from SAP, a support user must have read-only access to the support tools. Since these
applications are built upon the NetWeaver ABAP stack, a support user can use the SAP standard CSS remote
support tool which is accessible through the SAPGUI or web browser.
Integration
The read-only roles are as follows:
● SAP_GRAC_DISPLAY_ALL for Access Control

● SAP_GRC_FN_DISPLAY for Process Control and Risk Management
Management 10.1
Configuring Remote Connection to SAP Support PUBLIC 35
9 Appendix
9.1 Categories of System Components for Backup and

Restore
Table 11:
Categories of Sys Category Properties Suggested Methods for Backup and Re Examples
tem Components store
I Only software, no configu No backup, new installation in case of a re BDOC modeler
ration, or application data covery
Initial software backup after installation and

upgrade
Backup of log files
II Only software and configu Backup after changes have been applied SAP Gateway
ration information, no appli
cation data No backup, new installation, and configura Communication Station
tion in case of a recovery
Backup of log files SAP Business Connector, SAP IPC

(2.0C)
III Only replicated application Data SAP IMS/Search

data, replication time is suf
ficiently small for a recov No data backup needed Engine
ery
Backup of software, configuration, log files SAP IPC (2.0B)
IV Only replicated application Data SAP IMS/Search

data, backup recom
mended because replica Application specific file system backup or Engine
tion time is too long, data
Multiple instances Web server
not managed by a DBMS
V Only replicated application Data SAP IPC (2.0B)

data, backup recom
mended because replica Database and log backup or Catalog Server
tion time is too long, data
Multiple instances Web server
managed by a DBMS
Management 10.1
36 PUBLIC Appendix
Table 12:
Categories of Systems Com Category Properties Suggested Methods for Examples

ponents Backup and Restore
VI Original application data, Data Web Server

standalone system, data not
Application specific file sys
managed by a DBMS
tem backup
Backup of software, configu

ration and log files
VII Original application data, Data none available

standalone system, data
Database and log backup
managed by a DBMS, not
based on SAP NetWeaver Ap Backup of software, configu
plication Server ration and log files
VIII Original application data, Data Standalone SAP

standalone system, based on
Database and log backup, ap SAP ERP
SAP NetWeaver Application
plication log backup (such as
Server none available
job logs in file system)

ration and log files
IX Original application data, data Data none available

exchange with other systems,
Application specific file sys
data not managed by a DBMS
tem backup, data consistency
with other systems must be
considered

ration, log files
X Original application data, data Data SAP Live Cache

Database and log backup, SAP Mobile
data managed by a DBMS,
data consistency with other
not based on SAP NetWeaver Workbench
systems must be considered
Application Server
ration, log files
Management 10.1
Appendix PUBLIC 37
Categories of Systems Com Category Properties Suggested Methods for Examples
ponents Backup and Restore
XI Original application data, data Data SAP ERP

Database and log backup, ap SAP CRM
based on SAP NetWeaver Ap
plication log backup (such as
plication Server SAP APO
job logs in the system), data
consistency with other sys SAP NetWeaver Business
tems must be considered Warehouse

ration, log files
9.2 Related Information
The following table contains links to information relating to the Solution Operation Guide.
Table 13:
Content Quick Link to the SAP Service Marketplace (http://serv

ice.sap.com)
Master Guide, Installation Guide and Upgrade Guide /instguides
/ibc
Related SAP Notes /notes
Released Platforms /platforms
Network Security /securityguide
/network
Technical Infrastructure /ti
SAP Solution Manager /solutionmanager
Management 10.1
38 PUBLIC Appendix
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).
Management 10.1
Important Disclaimers and Legal Information PUBLIC 39
go.sap.com/registration/
contact.html
© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.

Operations Guide For SAP Access Control 10.1, SAP Process Control 10.1, and SAP Risk Management 10.1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Operations Guide For SAP Access Control 10.1, SAP Process Control 10.1, and SAP Risk Management 10.1

Uploaded by

Copyright:

Available Formats

Operations Guide PUBLIC

Operations Guide for SAP Access Control 10.1, SAP

2 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 Monitoring of the Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4 Managing the Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

6 Software Change Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

8 Configuring Remote Connection to SAP Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

About this Guide

1.2 Global Definitions

1.3 Important SAP Notes

● SAP Access Control 10.1 Master Guide at http://help.sap.com/grc-ac .

2.2 Related Documentation

Topic Guide/Tool Link on SAP Service Marketplace

Application and industry specific compo­ Master Guide http://service.sap.com/instguides

Technology Components such as SAP

Sizing Quick Sizer Tool http://service.sap.com/sizing

Installation Installation Guide http://service.sap.com/instguides

Security Security Guide http://service.sap.com/security

3.2 CCMS Monitor Templates

The SAP Web Service Monitor Template is Web Service Monitor.

3.3 Alert Monitoring with CCMS

Figure 3: Job Overview

Figure 6: Workload in System

Monitor system logs for any errors.

Figure 8: Local Analysis

Table 2: Access Control Transaction Codes

Transaction Code Description

NWBC Access the majority of the Access Control capabilities and

GRAC_ALERT_GENERATE Alert generation

GRAC_BATCH_RA Risk Analysis in Batch Mode

GRAC_EAM Emergency Access Management (EAM) Launchpad Logon

GRAC_SPM_CLEANUP Cleanup EAM (SPM) Application Data

GRACRABATCH_MONITOR Batch Risk Analysis Monitor

Figure 9: System Errors

Figure 10: Monitors

3.4 Detailed Monitoring and Tools for Problem and

● The Access Control log object is GRAC.

The following tables list the log subobjects:

Table 3: Access Control Log Subobjects

Log Object Log Subobjects Description

GRAC AUTH Authorization check

GRAC BATCH Batch risk analysis

GRAC HRTRIGGER HR trigger

GRAC SOD_RISK_ANALYSIS Segregation of Duties (SOD) Risk Analy­

GRAC SPM Emergency Access Management log

GRAC UAR User Access Review (UAR)

Table 4: Process Control Log Subogjects

Log Object Log Subobjects Description

GRPC API GRPC Entity API Calls

GRPC AS_REORG GRPC AS REORG Log

GRPC ATTACHMENTS_CLONING Copy Documents During Carryforward

GRPC ATTACHMENTS_DOWNLOAD Documents download log

GRPC ATTACHMENTS_SERVICES Documents Log for Backend Services

GRPC AUTHORIZE Logging of Authorization Checks

GRPC CASE_INT Case Management Integration

GRPC EVENT Event-based Control Monitoring

GRPC NWBC Netweaver Business Client Integration

GRPC PLANNER Planner

GRPC REPLACEMENT Succession

GRPC SCHEDULER Scheduler log

GRPC SIGNOFF Sign off

GRPC SOD_CHECK Check of Function Separator

Table 5: Risk Management Log Subobjects

Application and industry specific compo Master Guide http://service.sap.com/instguides

GRAC SOD_RISK_ANALYSIS Segregation of Duties (SOD) Risk Analy

GRFN MSMP_WF_CN Multi-Stage Multi-Path (MSMP) Work

GRFN MSMP_WF_NT Multi-Stage Multi-Path (MSMP) Work

GRFN MSMP_WF_RT Multi-Stage Multi-Path (MSMP) Work

GRFN RM_BANKING Operational Risk Management for Bank

Datamart GRFN_DATAMART_UP Process Control This is the reporting compo

For more information, see the Technical Operations Man

(includes Profile, Role and User Synchroniza