
eGRC: Governance Risk and Compliance

Governance: The structure of an organization's hierarchy

Risk: The ability to commit a fraud

Compliance: Following a set of rules and regulations

BC SETS: A Business Configuration set (BC Set) is a management tool which helps users to
record, save and share customized settings.

A BC Set contains standard configuration data provided by SAP; when the BC Set is activated,
all of its configuration data is populated into the customizing tables.

T-Codes:

SPRO: All background configuration (IMG)

NWBC: NetWeaver Business Client (technical data table)

SCPR20: To activate BC SETS

SICF: To see whether the ICF services have been activated or not

SMGW: Host name and Service name

SM59: RFC Destinations (Display/Maintain) in SAP

SWU3: To change WF-BATCH password


SM12: Used for Display and Delete Locks in SAP

GRAC_REP_OBJ_SYNC: Repository Object Sync

GRFNMW_CONFIGURE_WD: T-code to open MSMP Workflow configuration

GRFNMW_DEV_RULES: T-code to open the BRF+ application

SWE2: SAP parameter transaction code used to maintain the contents of the
SWFDVEVTY2 database table (event type linkages)

Reports:
RS_APPL_REFRES: To make entries appear in SPRO

GRAC_REPOSITORY_OBJECT_SYNC: Report to do repository object sync

Tables:
SCPRACTP: To see whether the BC SETS has been activated or not

SCPRACTR: Table which contains BC Set configuration data

GRFNCONNSCNLK: Relation between Integration Scenario and connectors

RFCDES: Standard SAP table that stores the destination table for Remote Function Call
data; available within R/3 SAP systems depending on the version and release level.

Background Jobs Related to GRC:

Basis:

GRAC_REPOSITORY_OBJECT_SYNC

GRAC_ACTION_USAGE_SYNC

GRAC_PFCG_AUTHORIZATION_SYNC

ARA:

GRAC_BATCH_RISK_ANALYSIS

EAM:

GRAC_SPM_LOG_SYNC_UPDATE
GRAC_SPM_SYNC

ARM:

GRFNMW_BATCH_EMAIL_REMINDER

Default Roles to users:


SAP_GRC_FN_Base - Base role to run GRC applications

SAP_GRC_FN_Business_User – For Business User

SAP_GRC_NWBC – For Governance, Risk, & Compliance

Default Roles to ADMIN:


SAP_GRC_FN_Base

SAP_GRC_FN_Business_User

SAP_GRC_NWBC - Governance, Risk, & Compliance

SAP_GRAC_ALL - Super Admin for AC

SAP_GRAC_NWBC

Reports Available for EAM:

1. Consolidated Log Report
2. Invalid Super User Report
3. FF Log Summary Report
4. Reason Code & Activity Report
5. Transaction Log & Session Details
6. SOD Conflict Report

Logs Available in GRC:

1. Transaction Log – STAD
2. Change Log – CDHDR, CDPOS
3. Audit Log – SM20
4. System Log – SM21
5. OS Command Log – SM49
6. All System Logs – Select this

EAM: Emergency Access Management

BC Sets Related to EAM:

GRAC_SPM_Criticality_level

T-Codes:

GRAC_SPM: EAM/SPM launch pad logon (Centralized EAM)

GRAC_EAM: EAM/SPM launch pad logon (Centralized EAM)

/GRCPI/GRIA_EAM: For Decentralized launch pad

Tables:

GRACFFOWNER: FF Owners

GRACFFUSER: FFID users

GRACFFUSERT: Details about FFID assignment to FF

GRACOBJECTT: Text table for FFID & Role details

/GRCPI/GRIAFFUSR: Relationship between User and FF (Decentralized)

Reports:

GRAC_REPOSITORY_OBJECT_SYNC: Report to do repository object sync

Users & Default Roles in EAM:

ADMIN User:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User

SAP_GRC_NWBC

SAP_GRAC_NWBC
SAP_GRAC_ALL

SAP_GRAC_Super_User_Mgmt_ADMIN

Owner:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User

SAP_GRC_NWBC

SAP_GRAC_Super_User_Mgmt_Owner

Controller:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User
SAP_GRC_NWBC

SAP_GRAC_Super_User_Mgmt_Cntlr

FF USER:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User

SAP_GRC_NWBC

SAP_GRAC_Super_User_Mgmt_User

FFID USER: Service User

SAP_GRAC_SPM_FFID

Provided the relevant FF roles

Parameters related to EAM – A few important parameters: (Total 21 Parameters)

4000 – 4015, 4017, 4018, 4020, 4021, 4025, 5033

4000 – Application Type (ID Based or Role Based)

4001 – Validity Period (default period 30 days)

4002 & 4008 – Login Notifications (when an FF user logs in to an FFID and executes any
transactions, a report is sent to the controller)

4003 – Retrieve Change Log

4004 – Retrieve System Log

4005 – Retrieve Audit Log

4007 & 4009 – Log Report

4010 – FFID Role Name (default role SAP_GRAC_SPM_FFID)

4013 – FFID owner can submit requests for the FFIDs they own

4012 – To all users & Controllers

4014 – FFID controller cannot raise a request on their own

4015 – Centralized (No), Decentralized (Yes)

5033 – Allow FF with no controller (Yes)

SUPMG: Integration Scenario used in EAM

ARA: Access Risk Analysis (Get Clean & Stay Clean)


BC Sets Related to ARA:

- GRAC_RA_RULESET_COMMON - SoD Rules Set
- GRAC_RA_RULESET_JDE - JDE Rules Set
- GRAC_RA_RULESET_ORACLE - ORACLE Rules Set
- GRAC_RA_RULESET_PSOFT - PSOFT Rules Set
- GRAC_RA_RULESET_SAP_APO - SAP APO Rules Set
- GRAC_RA_RULESET_SAP_BASIS - SAP BASIS Rules Set
- GRAC_RA_RULESET_SAP_CRM - SAP CRM Rules Set
- GRAC_RA_RULESET_SAP_ECCS - SAP ECCS Rules Set
- GRAC_RA_RULESET_SAP_HR - SAP HR Rules Set
- GRAC_RA_RULESET_SAP_NHR - SAP R/3 less HR Basis Rules Set
- GRAC_RA_RULESET_SAP_R3 - SAP R/3 AC Rules Set
- GRAC_RA_RULESET_SAP_SRM - SAP SRM Rules Set

Types of Risks: SOD Risk, Critical Action, Critical Permission

SOD Risk: A user holds 2 or more conflicting actions which together allow a fraud to be committed

Critical Action: The T-code itself is the risk (e.g. SCC5, SM01)

Critical Permission: Risk at the field and value level (e.g. S_DEVELOP, S_USER_GRP with activity 02)

Risk Levels: Critical, High, Medium, Low

Execution: Analysis of existing violations

Simulation: Analysis of possible violations (e.g. before a role is assigned)

Remediation: Removing the conflicting access; a preventive control

Mitigation: Bypassing SOD violations for a specific period with an assigned control; a detective control

Process:

Create Ruleset

Screens: Mandatory fields in the Ruleset

Create a minimum of 2 Functions

Generate rules in Access Risk – Build Risk

Perform User/Role level Execution and User/Role level Simulation
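A worked illustration of the ARA concepts above (an SoD risk arising from two conflicting functions, a critical action, execution versus simulation, and a time-bound mitigation as a detective control), added here as an example for these notes. It is not SAP code, and the functions, risks, roles, T-code sets and dates are constructed sample data, not the content of the delivered GRAC_RA_RULESET_* BC sets.

```python
# Constructed sample data, not the content of SAP's delivered GRAC_RA_RULESET_* BC sets.
# A function is a set of actions (T-codes); an SoD risk is a pair of conflicting
# functions; a critical-action risk names a single T-code (SCC5, as in the notes).
FUNCTIONS = {
    "PO01": {"ME21N", "ME22N"},   # maintain purchase orders (constructed)
    "AP02": {"F-53", "F110"},     # post vendor payments (constructed)
}
SOD_RISKS = {"P001": ("PO01", "AP02")}     # risk id -> conflicting function pair
CRITICAL_ACTIONS = {"B001": "SCC5"}        # risk id -> critical T-code
ROLE_ACTIONS = {                           # role -> actions it grants (constructed)
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_PAYER": {"F-53"},
    "Z_BASIS": {"SCC5", "SM21"},
}

def actions_for(roles):
    """Union of all actions granted by the given roles (a user's effective access)."""
    return set().union(*(ROLE_ACTIONS[r] for r in roles))

def risk_analysis(roles, today, mitigations=()):
    """Execution: analyse the access a user already holds.
    today and the mitigation dates are ISO strings, which compare chronologically.
    mitigations: iterable of (risk_id, valid_from, valid_to) control assignments.
    Returns (open_risks, mitigated_risks), both sorted lists of risk ids."""
    acts = actions_for(roles)
    hits = []
    for rid, (f1, f2) in SOD_RISKS.items():
        # SoD risk: at least one action from each conflicting function is reachable
        if acts & FUNCTIONS[f1] and acts & FUNCTIONS[f2]:
            hits.append(rid)
    for rid, tcode in CRITICAL_ACTIONS.items():
        if tcode in acts:                  # critical action: the T-code itself is the risk
            hits.append(rid)
    # A mitigation is a detective control: the violation is still reported, but as
    # mitigated, and only while the assigned control is within its validity period.
    active = {rid for rid, start, end in mitigations if start <= today <= end}
    return (sorted(r for r in hits if r not in active),
            sorted(r for r in hits if r in active))

def simulate(roles, added_role, today, mitigations=()):
    """Simulation: risks the user would have if added_role were provisioned."""
    return risk_analysis(list(roles) + [added_role], today, mitigations)

if __name__ == "__main__":
    ctrl = [("P001", "2024-01-01", "2024-06-30")]   # constructed control assignment
    print("execution :", risk_analysis(["Z_BUYER"], "2024-03-01"))
    print("simulation:", simulate(["Z_BUYER"], "Z_PAYER", "2024-03-01"))
    print("mitigated :", risk_analysis(["Z_BUYER", "Z_PAYER"], "2024-03-01", ctrl))
    print("expired   :", risk_analysis(["Z_BUYER", "Z_PAYER"], "2024-09-01", ctrl))
```

The last call shows why mitigation is only a detective control: once the control's validity period lapses the same violation is reported as open again, which is what a "Get Clean & Stay Clean" review has to catch.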

Tables:

GRACFUNC – Functions

GRACACTRULE – Stores SOD action rule detail data


GRACFUNCT – Functions with Description

GRACFUNCACT – What actions are there against functions

GRACCRROLE – Critical Roles

GRACCRROLET – Critical Roles with Description

GRACCRPROFILE – Critical Profile

GRACCRPROFILET – Critical Profile with description

GRACSODRISK – SOD Risks in System

GRACSODRISKT – SOD Risks in System with description

GRACSODRISKOWN – SOD Risks owner in System

GRACOWNER – Master table for central owner Admin

GRACUSERCONN – Connector Specific User (relation between users and systems)

Parameters related to ARA:

1001 – Enable function change log

1002 – Enable risk change log

1003 – Enable Organization rule log

1004 – Enable Supplementary rule log

1005 – Enable critical role log

1006 – Enable critical profile log

1007 – Enable RuleSet change log

1008 – Enable role change log

1023 – Default role type for risk analysis

1024 – Risk level

1025 – Rule set

1026 – User type

1027 – Enable Offline risk analysis (Batch process)

1028 – Include expired users


1029 – Include locked users

1030 – Include mitigated risk

1031 – Ignore critical roles and profiles

1032 – Include reference user when doing user analysis

1036 – Show all objects in risk analysis

1050 – Default report view

1063 – SAP Change Log that is stored in the CDHDR/CDPOS tables. If this parameter is set
to YES then the Firefighter can use logon pad available in

1064 – SAP Change Log that is stored in the CDHDR/CDPOS tables. If this parameter is set
to YES then the Firefighter can use logon pad available in

1071 – Enable risk analysis on form submission

Users in ARA:

Risk Owner:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User
SAP_GRC_NWBC

SAP_GRAC_RISK_OWNER

MITIGATION APPROVER:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User

SAP_GRC_NWBC

SAP_GRAC_CONTROL_APPROVER

MITIGATION CONTROL MONITOR:

SAP_GRC_FN_Base

SAP_GRC_FN_Business_User

SAP_GRC_NWBC

SAP_GRAC_CONTROL_MONITOR

Risk Analysis Levels:

USER LEVEL
USER LEVEL SIMULATION
ROLE LEVEL
ROLE LEVEL SIMULATION


BRM: Business Role Management
BC Sets Related to BRM:

- GRAC_ROLE_MGMT_SENTIVITY* - Sensitivity
- GRAC_ROLE_MGMT_METHODOLOGY* - Methodology Process and Steps
- GRAC_ROLE_MGMT_ROLE_STATUS* - Role Status
- GRAC_ROLE_MGMT_PRE_REQ_TYPE* - Prerequisite Types
- GRAC_ROLE_SEARCH_COFIGURATION - Role Search Configuration for Access Request

Role Types:

SIN – Single Role

COM – Composite Role

BUS – Business Role

DRD – Derived Role

Download and Upload – Temp Files

- Business Process
- Functions
- Function Business Process
- Function Actions
- Function Permissions
- Rule set
- Risk
- Risk Description
- Risk Rule Set Relationship
- Risk Owner

Important Fields to import Roles:

1. Role Name
2. Role Type
3. Business Process Name
4. Subprocess Name
5. Project/Release Name
6. Role Status
7. Methodology Status
8. System Allow Auto Provision
9. Role Name
10. Master
11. Assignment Approver
12. Role Content Approver

Parameters related to BRM:


3004 – Parameter Value – PRD – Default Role Status

3005 – Parameter Value – No – Reset Role Methodology when Changing Role Attributes

3014 – Parameter Value – Yes – Allow role generation with Permission Level violations

Tables Related to BRM:

ARM: Access Request Management
ARM provides an automatic workflow for the access request form

MSMP is to build a workflow for access request management

BC Sets Related to ARM:

- GRAC_ACCESS_REQUEST_REQ_TYPE* - Request Type
- GRAC_ACCESS_REQUEST_EUP* - EUP (Note: Only the value EU ID 999 is valid for this BC set.)
- GRAC_ACCESS_REQUEST_APPL_MAPPING* - Mapping BRF Function IDs and AC Applications
- GRAC_ACCESS_REQUEST_PRIORITY* - Request Priority
- GRAC_DT_REQUEST_DISPLAY_SECTIONS - Simplified Access Request Display Sections
- GRAC_DT_REQUEST_FIELD_LABELS - Simplified Access Request Field Labels
- GRAC_DT_REQUEST_PAGE_SETTINGS

Tables in ARM:

Modify Task Settings:


Parameters in ARM:

2004 – Request type for UAR (001)

2005 – Default Priority (008)

2006 – Who are reviewers?

2007 – Admin review required before sending tasks to reviewers

2009 – Consider default roles

2011 – Default role level

2013 – Request Attributes

2024 – Training and Verification

2035 – Allow role comments

2038 – Auto approve roles without Approvers

2051 – Enable User ID validation in Access Request against search data source

T-Codes:

GRFNMW_CONFIGURE_WD

GRFNMW_DEV_RULES

Create BRF+ Application Type and Function Type:


MSMP Stages:

1. Process Global Settings
2. Maintain Rules
3. Maintain Agents
4. Variables & Templates
5. Maintain Paths
6. Maintain Route Mapping
7. Generate Versions

Process IDs:

SAP_GRAC_ACCESS_REQUEST

SAP_GRAC_ACCESS_REQUEST_HR

SAP_GRAC_CONTROL_ASGN

SAP_GRAC_CONTROL_MAINT

SAP_GRAC_FFID_REVIEW

SAP_GRAC_FIREFIGHTER_LOG_REVIEW

SAP_GRAC_FUNC_APPR

SAP_GRAC_RISK_APPR

SAP_GRAC_ROLE_APPR
SAP_GRAC_SOD_RISK_REVIEW

SAP_GRAC_USER_ACCESS_REVIEW

Escalation Conditions:

1. No Escalations
2. Defaults
3. Escalate to Specific Agent
4. Skip to Next Stage

Notification Settings:

Notification Event:

1. Request Submission
2. End of Request

Template ID: Set of rules/messages developed by the ABAP team

Recipient ID: The approver who is going to approve the request

Escape Conditions:

1. Approver not Found
2. Auto Provisioning Failure

Rule ID Maintenance:

Rule Kind:

1. Initiator Rule
2. Agent Rule
3. Notification Variable Rule
4. Routing Rule (n-1) stage

Routing Rule:

1. SOD Violations and no role owners


2. SOD Violations
3. Training Verification
4. No Role Owner

Rule Type:

1. BRFPLUS Rule
2. Function Module Based Rule
3. ABAP Class Based Rule
4. BRFPLUS Flat Rule (evaluated line item by line item)

AGENT TYPE:

1. GRC API Rules


2. PFCG Rules
3. PFCG User Groups
4. Directly Mapped Users

Provisioning Rules:

Auto provisioning at end of request

Auto Provisioning at end of each stage

No Provisioning

Manual Provisioning with auto password generation

Manual Provisioning
