
Maintaining Configuration Settings in Access Control

Applies to:
SAP® BusinessObjects™ Access Control 10.0 SP07

Summary:
This guide contains additional information about the parameters used when configuring the access control application. The information covers the configuration parameters available as of SP07.

Created: December 2011

Version 1.0

© 2011 SAP AG

Document History
Document Version | Description
1.00 | Initial release
1.10 | SP07 Updates


Typographic Conventions

Type Style | Description
Example text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
Example text | Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Description
Caution
Note or Important
Example
Recommendation or Tip

Table of Contents

1 Maintain Configuration Settings
1.1 Standard Settings
1.2 Activities
1.3 Details of Configuration Parameters
2 Copyright

1 Maintain Configuration Settings

This document covers the use of the Customizing activity Maintain Configuration Settings under Governance, Risk, and Compliance > Access Control. In this Customizing activity, you maintain the global configuration settings and parameters used in the access control application. The activity includes settings for the following parameter groups:

01 Change Log
02 Mitigation
03 Risk Analysis
04 Risk Analysis - Spool
05 Workflow
06 Superuser Management
07 UAR Review
08 Performance
09 Risk Analysis - Access Request
10 Role Management
11 Risk Analysis - Risk Terminator
12 Access Request Role Selection
13 Access Request Default Roles
14 Access Request Role Mapping
15 SOD Review
17 Assignment Expiry
18 Access Request Training Verification
19 Authorizations

Note: The numbering is part of the parameter group name. In the above list, number 16 is not used.

1.1 Standard Settings

The following table lists the delivered parameters and default values.

Note: Values labeled as <empty> have no default value.

Parameter Group | Parameter ID | Description | Default Value
Change Log | 1001 | Enable Function Change Log | YES
Change Log | 1002 | Enable Risk Change Log | YES
Change Log | 1003 | Enable Organization Rule Log | YES
Change Log | 1004 | Enable Supplementary Rule Log | YES
Change Log | 1005 | Enable Critical Role Log | YES
Change Log | 1006 | Enable Critical Profile Log | YES
Change Log | 1007 | Enable Rule Set Change Log | YES
Change Log | 1008 | Enable Role Change Log | YES
Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365
Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO

Parameter Group | Parameter ID | Description | Default Value
Mitigation | 1013 | Consider System for mitigation assignment | NO
Risk Analysis | 1021 | Consider Org Rules for other applications | NO
Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | <empty>
Risk Analysis | 1023 | Default report type for risk analysis | 2
Risk Analysis | 1024 | Default risk level for risk analysis | 3
Risk Analysis | 1025 | Default rule set for risk analysis | <empty>
Risk Analysis | 1026 | Default user type for risk analysis | A
Risk Analysis | 1027 | Enable Offline Risk Analysis | NO
Risk Analysis | 1028 | Include Expired Users | NO
Risk Analysis | 1029 | Include Locked Users | NO
Risk Analysis | 1030 | Include Mitigated Risks | NO
Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES
Risk Analysis | 1032 | Include Reference user when doing user analysis | YES
Risk Analysis | 1033 | Include Role/Profile Mitigating Controls in Risk Analysis | YES
Risk Analysis | 1034 | Max number of objects in a package for parallel processing | 100
Risk Analysis | 1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
Risk Analysis | 1036 | Show all objects in Risk Analysis | NO
Risk Analysis | 1037 | Use SoD Supplementary Table for Analysis | YES
Risk Analysis | 1046 | Extended objects enabled connector | <empty>
Risk Analysis - Spool | 1051 | Max number of objects in a file or database record | 200000
Risk Analysis - Spool | 1052 | Spool File Location | <empty>
Risk Analysis - Spool | 1053 | Spool Type | D
Workflow | 1061 | Mitigating Control Maintenance | NO
Workflow | 1062 | Mitigation Assignment | NO
Workflow | 1063 | Risk Maintenance | NO
Workflow | 1064 | Function Maintenance | NO
Risk Analysis - Access Request | 1071 | Enable risk analysis on form submission | NO
Risk Analysis - Access Request | 1072 | Mitigation of critical risk required before approving the request | NO
Risk Analysis - Risk Terminator | 1080 | Connector enabled for Risk Terminator | <empty>
Risk Analysis - Risk Terminator | 1081 | Enable Risk Terminator for PFCG Role Generation | NO

Parameter Group | Parameter ID | Description | Default Value
Risk Analysis - Risk Terminator | 1082 | Enable Risk Terminator for PFCG User Assignment | NO
Risk Analysis - Risk Terminator | 1083 | Enable Risk Terminator for SU01 Role Assignment | NO
Risk Analysis - Risk Terminator | 1084 | Enable Risk Terminator for SU10 multiple User Assignment | NO
Risk Analysis - Risk Terminator | 1085 | Stop role generation if violations exist | NO
Risk Analysis - Risk Terminator | 1086 | Comments are required in case of violations | NO
Risk Analysis - Risk Terminator | 1087 | Send Notification in case of violations | NO
Risk Analysis - Risk Terminator | 1088 | Default report type for Risk Terminator | 2
Authorizations | 1100 | Enable authorization logging | NO
Workflow | 1101 | Create Request for Risk Approval | 12
Workflow | 1102 | Update Request for Risk Approval | 13
Workflow | 1103 | Delete Request for Risk Approval | 14
Workflow | 1104 | Create Request for Function Approval | 15
Workflow | 1105 | Update Request for Function Approval | 16
Workflow | 1106 | Delete Request for Function Approval | 17
Workflow | 1107 | Create Request for Mitigation Assignment Approval | 18
Workflow | 1108 | Update Request for Mitigation Assignment Approval | 19
Workflow | 1109 | Delete Request for Mitigation Assignment Approval | 20
Workflow | 1110 | High | 2
Workflow | 1111 | High | 3
Workflow | 1112 | High | 4
Workflow | 1113 | Access Control E-mail Sender | WF-BATCH
Performance | 1120 | Batch size for Batch Risk Analysis | 1000
Performance | 1121 | Batch size for User Sync | 1000
Performance | 1122 | Batch size for Role Sync | 1000
Performance | 1123 | Batch size for Profile Sync | 1000
UAR Review | 2004 | Request Type for UAR | <empty>
UAR Review | 2005 | Default Priority | 005
UAR Review | 2006 | Who are the reviewers? | MANAGER
UAR Review | 2007 | Admin. review required before sending tasks to reviewers | YES

Parameter Group | Parameter ID | Description | Default Value
Access Request Default Roles | 2009 | Consider Default Roles | YES
Access Request Default Roles | 2010 | Request type for default roles | <empty>
Access Request Default Roles | 2011 | Default Role Level | <empty>
Access Request Default Roles | 2012 | Role Attributes | <empty>
Access Request Default Roles | 2013 | Request Attributes | <empty>
Access Request Role Mapping | 2014 | Enable Role Mapping | YES
Access Request Role Mapping | 2015 | Applicable to Role Removals | YES
SOD Review | 2016 | Request Type for SoD | <empty>
SOD Review | 2017 | Default priority for SoD | <empty>
SOD Review | 2018 | Who are the reviewers? | MANAGER
SOD Review | 2019 | Admin. review required before sending tasks to reviewers | YES
SOD Review | 2023 | Is actual removal of role allowed? | YES
Access Request Training Verification | 2024 | Training and verification | <empty>
Access Request Role Selection | 2031 | Allow All Roles for Approver | YES
Access Request Role Selection | 2032 | Approver Role Restriction Attribute | <empty>
Access Request Role Selection | 2033 | Allow All Roles for Requestor | YES
Access Request Role Selection | 2034 | Requestor Role Restriction Attribute | <empty>
Access Request Role Selection | 2035 | Allow Role Comments | YES
Access Request Role Selection | 2036 | Role Comments Mandatory | YES
Access Request Role Selection | 2037 | Display expired roles for existing roles | YES
Access Request Role Selection | 2038 | Auto Approve Roles without Approvers | YES
Access Request Role Selection | 2039 | Search Role by Transactions from Backend System | NO
Assignment Expiry | 2041 | Duration for assignment expiry in Days | <empty>
Performance | 2050 | Enable Realtime LDAP Search for Access Request User | NO
Performance | 2051 | Enable User ID Validation in Access Request Against Search Data Sources | NO

Parameter Group | Parameter ID | Description | Default Value
LDAP | 2052 | Obtain user@domain information from USERPRINCIPALNAME attribute of Active Directory | YES
Role Management | 3000 | Default Business Process | <empty>
Role Management | 3001 | Default Subprocess | <empty>
Role Management | 3002 | Default Criticality Level | <empty>
Role Management | 3003 | Default Project Release | <empty>
Role Management | 3004 | Default Role Status | <empty>
Role Management | 3006 | Allow add functions to an authorization | YES
Role Management | 3007 | Allow editing organizational level values for derived roles | NO
Role Management | 3008 | A ticket number is required after authorization data changes | YES
Role Management | 3009 | Allow Role Deletion from back-end system | YES
Role Management | 3010 | Allow attaching files to the role definition | YES
Role Management | 3011 | Conduct Risk Analysis before Role Generation | YES
Role Management | 3012 | Allow Role Generation on Multiple Systems | NO
Role Management | 3013 | Use logged-on user credentials for role generation | NO
Role Management | 3014 | Allow role generation with Permission Level violations | NO
Role Management | 3015 | Allow role generation with Critical Permission violations | NO
Role Management | 3016 | Allow role generation with Action Level violations | NO
Role Management | 3017 | Allow role generation with Critical Action violations | NO
Role Management | 3018 | Allow role generation with Critical Role/Profile violations | NO
Role Management | 3019 | Overwrite individual role Risk Analysis results for Mass Risk Analysis | NO
Role Management | 3020 | Role certification reminder notification | 10
Role Management | 3021 | Directory for mass role import server files | <empty>
Workflow | 3022 | Request Type for Role Approval | 21
Workflow | 3023 | Priority for Role Approval | 5
Workflow | 3024 | Enforce methodology process for derived roles during generation | YES

Parameter Group | Parameter ID | Description | Default Value
Role Management | 3025 | Allow selection of Org. Value Maps without leading org. | NO
Superuser Management | 4000 | Application Type | 1
Superuser Management | 4001 | Default Firefighter Validity Period (in days) | <empty>
Superuser Management | 4002 | Send E-mail Immediately | YES
Superuser Management | 4003 | Retrieve Change Log | YES
Superuser Management | 4004 | Retrieve System Log | YES
Superuser Management | 4005 | Retrieve Audit Log | YES
Superuser Management | 4006 | Retrieve O/S Command Log | YES
Superuser Management | 4007 | Send Log Report Execution Notification Immediately | YES
Superuser Management | 4008 | Send FirefightId Logon Notification | YES
Superuser Management | 4009 | Log Report Execution Notification | YES
Superuser Management | 4010 | Firefighter ID Role Name | ZSAP_GRAC_SMP_FFID

1.2 Activities

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.
2. In the Parameter ID column, select a parameter ID for use with the parameter group. The short description appears on the right-hand side.
3. Select a Parameter Value from the dropdown list, or enter values in the field.
4. In the Priority field, enter a number for the priority.
5. Choose Save.

1.3 Details of Configuration Parameters

The information in this section explains the configuration parameters in further detail. For each parameter, the table includes information about the purpose of the parameter, the available option values, and screenshots to provide context about how the parameter affects the application. The table is formatted and ordered to match the table displayed in the actual Customizing activity.

Note: The application provides a standard set of work centers; however, your system administrator can customize them according to your company's corporate processes and structures.

Additionally, Access Control is available both as a standalone application and as part of the GRC 10.0 application. Depending on the GRC applications you have licensed, different areas of the access control application are displayed. The navigation paths included in this document and in the screenshots may differ from yours.

Parameter 1001, Enable Function Change Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Function screen.

Parameter 1002, Enable Risk Change Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Access Risk screen.

Parameter 1003, Enable Organization Rule Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Organization Rules screen.

Parameter 1004, Enable Supplementary Rule Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Supplementary Rules screen.

Parameter 1005, Enable Critical Role Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Critical Role screen.

Parameter 1006, Enable Critical Profile Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Critical Profile screen.

Parameter 1007, Enable Rule Set Change Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History tab on the Rule Sets screen.

Parameter 1008, Enable Role Change Log (Group: Change Log; Default Value: YES)
Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

Parameter 1011, Default expiration time for mitigating control assignments (in days) (Group: Mitigation; Default Value: 365)
The default number of days for which you are allowed to mitigate any object (selection on service map). You can overwrite this value in the Valid To field.

Parameter 1012, Consider Rule ID also for mitigation assignment (Group: Mitigation; Default Value: NO)
By default the application includes all rules when it mitigates the access risk. Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.

Parameter 1013, Consider System for mitigation assignment (Group: Mitigation; Default Value: NO)
Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

Parameter 1021, Consider Org Rules for other applications (Group: Risk Analysis; Default Value: NO)
Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.

Parameter 1022, Allow object IDs for this connector to be case sensitive (Group: Risk Analysis; Default Value: <empty>)
On the Risk Analysis screen you can perform risk analysis. You specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive. In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.

Note: To enter more than one system or connector, enter additional instances of the parameter.

Parameter 1023, Default report type for risk analysis (Group: Risk Analysis; Default Value: 2)
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the type of report that is selected by default, such as Permission Level, and so on.

Note: In the value cell, press F4 to display the available types.

Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.

Parameter 1024, Default risk level for risk analysis (Group: Risk Analysis; Default Value: 3)
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the Risk Level that is selected by default.

Parameter 1025, Default rule set for risk analysis (Group: Risk Analysis; Default Value: <empty>)
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the Rule Set that is selected by default.

Parameter 1026, Default user type for risk analysis (Group: Risk Analysis; Default Value: A)
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. This parameter allows you to choose the User Type that is selected by default.

Parameter 1027, Enable Offline Risk Analysis (Group: Risk Analysis; Default Value: NO)
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. Set the parameter value to YES to include Offline Data in risk analysis by default. On the Risk Analysis screen the Offline Data checkbox is then automatically selected.

Parameter 1028, Include Expired Users (Group: Risk Analysis; Default Value: NO)
Set to YES to include expired users from plug-in systems in risk analysis.

Parameter 1029, Include Locked Users (Group: Risk Analysis; Default Value: NO)
Set to YES to include locked users from plug-in systems in risk analysis.

Parameter 1030, Include Mitigated Risks (Group: Risk Analysis; Default Value: NO)
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. On the Risk Analysis screen, the Include Mitigated Risks checkbox is then automatically selected. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to each of them.

Parameter 1031, Ignore Critical Roles and Profiles (Group: Risk Analysis; Default Value: YES)
Set the value to YES to exclude critical roles and profiles from risk analysis.

Parameter 1032, Include Reference user when doing user analysis (Group: Risk Analysis; Default Value: YES)
Set the value to YES to include referenced users when performing SoD risk analysis for users.

Parameter 1033, Include Role/Profile Mitigating Controls in Risk Analysis (Group: Risk Analysis; Default Value: YES)
Set the value to YES to include the mitigating controls assigned to the user's roles and profiles in risk analysis.

Parameter 1034, Maximum number of objects in a package for parallel processing (Group: Risk Analysis; Default Value: 100)
The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job. Each package is submitted to a separate background process which is available to the application via the application group.

For example, if there are 10,000 users to analyze and this value is 100, then 100 packages are created, each having 100 users. If, in addition, we specify that three background processes are available to GRAC_SOD, the 100 packages are submitted one by one to these processes: three packages initially, and then one at a time to each process as it completes its package. This is also valid for Batch Risk Analysis.

Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, then the application ignores the parameter in this setting and uses the value 2 instead.

Parameter 1035, Send e-mail notification to the monitor of the updated mitigated object (Group: Risk Analysis; Default Value: YES)
Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object, such as the user/role, is updated.

Parameter 1036, Show all objects in Risk Analysis (Group: Risk Analysis; Default Value: NO)
Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default. The objects that do not have violations are displayed with the Action: No Violations.

Note: This setting applies to SoD Batch Risk Analysis.

Parameter 1037, Use SoD Supplementary Table for Analysis (Group: Risk Analysis; Default Value: YES)
Set the value to YES to use supplementary rules for SoD risk analysis.

Parameter 1046, Extended objects enabled connector (Group: Risk Analysis; Default Value: <empty>)
Extended objects are objects from non-SAP systems. The connectors can have object lengths greater than SAP objects. For example, the SAP User ID length is 12, but the extended object length may be 50. This parameter allows you to specify the connectors for non-SAP systems.

Note: You can set multiple connectors by adding multiple instances of the parameter.

Parameter 1051, Max number of objects in a file or database record (Group: Risk Analysis - Spool; Default Value: 200000)
You can use this parameter to specify the maximum number of analytics data objects the application stores, such as ad hoc SoD violations. If parameter 1053 is set to F, the value is the maximum number of objects stored in the file (you set the file location in parameter 1052). If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table.

Prerequisite: You have configured parameters 1052 and 1053.

Parameter 1052, Spool File Location (Group: Risk Analysis - Spool; Default Value: <empty>)
You can specify the file location where the application stores the analytics data, such as \\<ip_address>\public\SoD\.

Note: This parameter is only valid if parameter 1053 is set to F.

Prerequisite: You have configured parameter 1053.

Parameter 1053, Spool Type (Group: Risk Analysis - Spool; Default Value: D)
You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control. Set the value to D to store the data in the GRACSODREPDATA table. Set the value to F to store the data on the file system.

Index tables keep track of the source of the records when the data was generated. If you change the location type (such as from D to F) in mid-course, the report still reads the previously generated files or database records. If you cancel the job before the report is finished, you can still read the data up to the point the files or database records were created.

Note: You see the intermediate results while risk analysis is running. This gives you an opportunity to see whether the desired records are created and to choose to stop or cancel the job.

Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table.

Parameter 1061, Mitigating Control Maintenance (Group: Workflow; Default Value: NO)
The application allows users to create and change mitigating controls. Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action.

Note: On the Mitigating Control screen, the Create button is replaced by a Submit button.

You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver. Figure B below shows that you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).

Figure A

Figure B

Parameter 1062, Mitigation Assignment (Group: Workflow; Default Value: NO)
The application allows users to mitigate risks for objects (user, role, profile, and so on). Set the value to YES to require the application to send an approval workflow item to the mitigating control approver. The screen displays a Submit button. Set the value to NO and users can mitigate risks without approval. The screen displays a Save button.

Note: You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Parameter 1063, Risk Maintenance (Group: Workflow; Default Value: NO)
The application allows users to create and modify risks. Set the value to YES to require the application to send an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button. Set the value to NO and users can create and modify risks without approval. The screen displays a Save button.

Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Parameter 1064, Function Maintenance (Group: Workflow; Default Value: NO)
The application allows users to create and change functions. Set the value to YES to require the application to send an approval workflow item to the specified workflow agent for approval when functions are created or modified. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER.

Parameter 1071, Enable risk analysis on form submission (Group: Risk Analysis - Access Request; Default Value: NO)
Set to YES and the application automatically performs risk analysis when the requestor submits the request.

Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver's screens but not on the requestor's screens.

Parameter 1072, Mitigation of critical risk required before approving the request (Group: Risk Analysis - Access Request; Default Value: NO)
Set the value to YES to require mitigation of risks that are of the type Critical Access before the request is approved.

Parameter 1080, Connector enabled for Risk Terminator (Group: Risk Analysis - Risk Terminator; Default Value: <empty>)
Enter the name of the connector in the value field to enable it for Risk Terminator. You can enter multiple values by entering multiple instances of the parameter.

Note: The Plug-in Connector is maintained in parameter 1000. The GRC Connector is maintained in parameter 1001.

Parameter 1081, Enable Risk Terminator for PFCG Role Generation (Group: Risk Analysis - Risk Terminator; Default Value: NO)
The Risk Terminator service is a tool that resides in the back-end SAP ABAP system and notifies you when a risk violation occurs. Set to YES to trigger the Risk Terminator service for PFCG Role Generation.

Parameter 1082, Enable Risk Terminator for PFCG User Assignment (Group: Risk Analysis - Risk Terminator; Default Value: NO)
Set to YES to trigger the Risk Terminator service for PFCG User Assignment.

Parameter 1083, Enable Risk Terminator for SU01 Role Assignment (Group: Risk Analysis - Risk Terminator; Default Value: NO)
Set to YES to trigger the Risk Terminator service for SU01 Role Assignment.

Parameter 1084, Enable Risk Terminator for SU10 multiple User Assignment (Group: Risk Analysis - Risk Terminator; Default Value: NO)
Set to YES to trigger the Risk Terminator service for SU10 Multiple User Assignment.

Parameter 1085, Stop role generation if violations exist (Group: Risk Analysis - Risk Terminator; Default Value: NO)
Set to YES and the Risk Terminator service stops generating roles if violations exist.

Parameter 1086, Comments are required in case of violations (Group: Risk Analysis - Risk Terminator; Default Value: NO)
Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment.

Parameter 1087, Send Notification in case of violations (Group: Risk Analysis - Risk Terminator; Default Value: NO)
Set the value to YES to enable the application to send e-mail notifications to the role owner when violations occur.

Parameter 1088, Default report type for Risk Terminator (Group: Risk Analysis - Risk Terminator; Default Value: 2)
Select the default report type the Risk Terminator service uses to report SoD violations. Use F4 help to display the available report types.

Parameter 1100, Enable the authorization logging (Group: Authorizations; Default Value: NO)
If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1. For example, an owner wants to perform an action and is missing the necessary authorizations.

Parameter 1101, Create Request for Risk Approval (Group: Workflow; Default Value: 12)
Use F4 help and choose the request type the workflow uses to create requests for risk approval. This request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

Parameter 1102, Update Request for Risk Approval (Group: Workflow; Default Value: 13)
Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1103, Delete Request for Risk Approval (Group: Workflow; Default Value: 14)
Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1104, Create Request for Function Approval (Group: Workflow; Default Value: 15)
Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1105, Update Request for Function Approval (Group: Workflow; Default Value: 16)
Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1106, Delete Request for Function Approval (Group: Workflow; Default Value: 17)
Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1107, Create Request for Mitigation Assignment Approval (Group: Workflow; Default Value: 18)
Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1108, Update Request for Mitigation Assignment Approval (Group: Workflow; Default Value: 19)
Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1109, Delete Request for Mitigation Assignment Approval (Group: Workflow; Default Value: 20)
Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

Parameter 1110, High (Group: Workflow; Default Value: 2)
You use this parameter to set the default workflow request priority for Updating and Creating Risks. You assign the MSMP Process ID of SAP_GRAC_RISK_APPR to risk approval priorities. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning.

59. Parameter 1111 - High
    Parameter Group: Workflow; Default Value: 3
    You use this parameter to set the default workflow request priority for Creating and Updating Functions. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_FUNC_APPR to function approval priorities.

60. Parameter 1112 - High
    Parameter Group: Workflow; Default Value: 4
    You use this parameter to set the default workflow request priority for Mitigation Control Assignments. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities.

61. Parameter 1113 - Access Control E-mail sender
    Parameter Group: Workflow; Default Value: WF-BATCH
    The application uses the e-mail address of this user, as defined in SU01, to send the workflow e-mails to the approvers. See the Access Control 10.0 Security Guide for information about the required authorizations for the WF-BATCH user.

62. Parameter 1120 - Batch size for Batch Risk Analysis
    Parameter Group: Performance; Default Value: 1000
    The application uses this value to determine the size of the batch when performing batch risk analysis. Each batch is processed in its entirety before moving on to the next. (See also parameter 1121 for an example.)

63. Parameter 1121 - Batch size for User sync
    Parameter Group: Performance; Default Value: 1000
    The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository. Each batch is processed in its entirety before continuing with the next. For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000) and then processes the job in 10 batches covering the ranges 0 to 1000, 1001 to 2000, and so on. To synchronize users to the GRC AC Repository, you use the Customizing activity Repository Object Synch under Governance, Risk, and Compliance > Access Control > Synchronization Jobs.

64. Parameter 1122 - Batch size for Role sync
    Parameter Group: Performance; Default Value: 1000
    The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

65. Parameter 1123 - Batch size for Profile sync
    Parameter Group: Performance; Default Value: 1000
    The application uses this value to determine the size of the batch when synchronizing profiles to the GRC AC Repository. See also parameter 1121.

66. Parameter 2004 - Request Type for UAR
    Parameter Group: UAR Review; Default Value: <empty>
    All Request Types that are defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F4. This is important for tagging the workflow in MSMP for UAR Review.

67. Parameter 2005 - Default Priority
    Parameter Group: UAR Review; Default Value: 005
    You use this parameter to set the default priority for user access request reviews. Use F4 help to display the list of available priorities for UAR Requests. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In this example, priority IDs 10, 22, 24, and 36 are relevant for UAR.

68. Parameter 2006 - Who are the reviewers?
    Parameter Group: UAR Review; Default Value: MANAGER
    Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE.

69. Parameter 2007 - Admin. review required before sending tasks to reviewers
    Parameter Group: UAR Review; Default Value: YES
    Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. (You specify reviewers in parameter 2006.)

70. Parameter 2009 - Consider Default Roles
    Parameter Group: Access Request Default Roles; Default Value: YES
    If set to YES, the application automatically adds the relevant Default Roles to the access request.
    Prerequisites: You have maintained the following parameters as needed: 2011, 2012, and 2013.
    In this example, the value for the attribute Functional Area maps to a relevant default role. On the request screen, because Functional Area is a relevant attribute, the application adds the role to the request.

71. Parameter 2010 - Request type for default roles
    Parameter Group: Access Request Default Roles; Default Value: <empty>
    Enter the request types that are relevant for the default roles functionality. The application adds default roles only for the specified request types. Enter multiple request types by adding additional instances of the parameter. Use F4 help to display the available request types. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. See also parameters 2009, 2011, 2012, and 2013.

72. Parameter 2011 - Default Role Level
    Parameter Group: Access Request Default Roles; Default Value: <empty>
    Select which attribute type the application uses to determine the relevance of the default roles.
    Request - The application uses the request attributes to determine the relevant default roles and adds the default roles when the request is displayed for the approver. That is, the user does not see the added default roles at the time they create the request. You define the relevant request attributes in parameter 2013. In this example, the value is set to Request. The manager receives a request with the default role z_user_admin already added.
    Role - The application uses the role attributes to determine the relevant default roles and adds the default roles at the time the user adds the roles to the request. That is, the user does see the added default roles at the time they create the request. You define the relevant role attributes in parameter 2012. In this example, the value is set to Role. The application shows the default roles as Existing and adds them to the request.
    See also parameters 2009, 2010, 2012, and 2013.

73. Parameter 2012 - Role Attributes
    Parameter Group: Access Request Default Roles; Default Value: <empty>
    Enter the role attributes the application considers for Default Role Attribute mapping. You can add multiple role attributes by adding additional instances of the parameter. These are mutually exclusive of the request attributes maintained in parameter 2013. See also parameters 2009, 2010, 2011, and 2013.

74. Parameter 2013 - Request Attributes
    Parameter Group: Access Request Default Roles; Default Value: <empty>
    Enter the request attributes the application considers for Default Role Attribute mapping. You can add multiple request attributes by adding additional instances of the parameter. These are mutually exclusive of the role attributes maintained in parameter 2012. See also parameters 2009, 2010, 2011, and 2012.

75. Parameter 2014 - Enable Role Mapping
    Parameter Group: Access Request Role Mapping; Default Value: YES
    The application allows you to assign roles as child roles (or map the roles). This allows anyone who is assigned this role to also be assigned the authorizations and access for the child roles. Set the parameter value to YES to enable this functionality. The role mappings are applicable for provisioning access requests.
    In the following example, the user is requesting the role BS_BS_123 of system GF1->GO7, and the role has mapped roles. The mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the role from the request.
    Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.
    Note: The Source System dropdown list is from the same landscape you chose on the Detail tab.

76. Parameter 2015 - Applicable to Role Removals
    Parameter Group: Access Request Role Mapping; Default Value: YES
    Set the value to YES to allow users to include mapped roles in requests for role removal. For example, if a user creates a request to remove a role assigned to them, then the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request.

77. Parameter 2016 - Request Type for SoD
    Parameter Group: SOD Review; Default Value: <empty>
    Use F4 help and select the request type used when SoD review requests are created. You maintain the list of available request type values in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.
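Parameters 2009 to 2013 interact in a way that is easier to follow in code. The following Python model is an added example, not SAP's implementation and not code from this guide: the attribute-to-role mapping table, the request type NEW_ACCOUNT, the attribute values and the role names are constructed for the example. It shows at which point the default roles appear at Request level versus Role level, and that nothing is added when 2009 is NO or when the request type is not listed in 2010.

```python
"""Model of the Access Control default-role behaviour (parameters 2009 to 2013).

Added illustration, not SAP code: the mapping table, request type names and
attribute values below are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed "Default Role Attribute mapping": (attribute name, value) -> default roles.
DEFAULT_ROLE_MAP = {
    ("Functional Area", "USER_ADMIN"): ["z_user_admin"],
    ("Business Process", "FINANCE"): ["z_fi_display"],
}


@dataclass
class DefaultRoleConfig:
    consider_default_roles: bool = True          # 2009 Consider Default Roles
    request_types: frozenset = frozenset()       # 2010, one value per parameter instance
    level: str = "Request"                       # 2011, "Request" or "Role"
    role_attributes: frozenset = frozenset()     # 2012, used only at Role level
    request_attributes: frozenset = frozenset()  # 2013, used only at Request level


@dataclass
class Role:
    name: str
    attributes: dict


@dataclass
class AccessRequest:
    request_type: str
    attributes: dict
    roles: list = field(default_factory=list)    # roles the user added themselves


def _mapped_roles(attributes: dict, considered: frozenset) -> list:
    """Default roles mapped from the attributes that the configuration considers."""
    found = []
    for name, value in attributes.items():
        if name in considered:
            for role in DEFAULT_ROLE_MAP.get((name, value), []):
                if role not in found:
                    found.append(role)
    return found


def default_roles_at(stage: str, req: AccessRequest, cfg: DefaultRoleConfig) -> list:
    """Default roles the application adds at `stage` ("create" or "approve").

    Request level: the request attributes decide, and the roles are added only when
    the approver opens the request. Role level: the attributes of the requested
    roles decide, and the roles are added (shown as Existing) while the user is
    still building the request.
    """
    if not cfg.consider_default_roles or req.request_type not in cfg.request_types:
        return []
    if cfg.level == "Request" and stage == "approve":
        return _mapped_roles(req.attributes, cfg.request_attributes)
    if cfg.level == "Role" and stage == "create":
        found = []
        for role in req.roles:
            for default_role in _mapped_roles(role.attributes, cfg.role_attributes):
                if default_role not in found:
                    found.append(default_role)
        return found
    return []


def demo() -> dict:
    """Same constructed request evaluated under both Default Role Level settings."""
    req = AccessRequest(
        request_type="NEW_ACCOUNT",
        attributes={"Functional Area": "USER_ADMIN"},
        roles=[Role("z_fi_clerk", {"Business Process": "FINANCE"})],
    )
    request_level = DefaultRoleConfig(request_types=frozenset({"NEW_ACCOUNT"}),
                                      level="Request",
                                      request_attributes=frozenset({"Functional Area"}))
    role_level = DefaultRoleConfig(request_types=frozenset({"NEW_ACCOUNT"}),
                                   level="Role",
                                   role_attributes=frozenset({"Business Process"}))
    return {
        "request_level_create": default_roles_at("create", req, request_level),
        "request_level_approve": default_roles_at("approve", req, request_level),
        "role_level_create": default_roles_at("create", req, role_level),
        "role_level_approve": default_roles_at("approve", req, role_level),
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

The two `*_create` results make the practical difference visible: at Request level the requester never sees z_user_admin before submitting, which is why an admin review (parameter 2007/2019) or the approver is the first place the added access can be questioned.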

78. Parameter 2017 - Default priority for SoD
    Parameter Group: SOD Review; Default Value: <empty>
    Use F4 help and select the default priority used for SoD review requests. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.

79. Parameter 2018 - Who are the reviewers?
    Parameter Group: SOD Review; Default Value: MANAGER
    Select either Manager or Risk Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Risk Owners receive review requests sorted by Risk.

80. Parameter 2019 - Admin. review required before sending tasks to reviewers
    Parameter Group: SOD Review; Default Value: YES
    Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. (You specify reviewers in parameter 2018.)

81. Parameter 2023 - Is actual removal of role allowed
    Parameter Group: SOD Review; Default Value: YES
    You use this parameter to configure whether the reviewers of SoD risks are allowed to remove the actual roles associated with a SoD risk or only propose removal of the roles.
    Set value as NO: This is the default setting, and the recommended setting. On the SoD Review screen, the application displays the Propose Removal button. Reviewers can only propose the removal of roles associated with a SoD risk violation. The workflow goes to the security administrator, who is able to view the source of the risk before deciding whether to remove the role.
    Set value as YES: This setting is not recommended. On the SoD Review screen, the application displays the Remove Role button. This allows the reviewer to delete the roles directly without going through approval by the security administrator. Warning: Reviewers do not have the ability to view the source of the risks, and therefore risk potentially deleting relevant roles.

82. Parameter 2024 - Training and verification
    Parameter Group: Access Request Training Verification; Default Value: <empty>
    The application allows you to require that users complete specific training courses before the application provisions specific roles to them. If the required training is not completed for a particular role, the application does not provision the role. You enable this functionality by:
    1. Setting training requirements (see Example 1 below)
    2. Configuring the MSMP routing rule
    3. Configuring the data source systems for verifying whether the training requirements are completed
    Example 1: The user is requesting a role that has a TRAINING prerequisite, and Verify on Request is set to Yes. The application will not allow them to submit the request until all the prerequisites are met.
    The application has a Routing rule for Training and Verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). The routing checks this parameter to determine the data source for verifying whether the user has completed the training required for the roles they are requesting to add. Set the value to BAdI and the application uses the specified BAdI to perform the verification. Set the value to WS and the application uses the specified web service to perform the verification. You specify the prerequisite system in the connector configuration. The connector must be of the type WS and associated with a logical port. You can define the logical port in transaction SOAMANAGER. To configure the connectors, use the Customizing activity Maintain Connectors and Connector Types under Governance, Risk, and Compliance > Common Component Settings > Integration Framework.
    Leave the value field empty to disable the function: if the value is empty, the workflow does not take the routing (detour) path and instead sends the request along its normal path.
    Note: You can configure the routing in the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
    Prerequisite: You have implemented the BAdI or web service (WS) as needed.

83. Parameter 2031 - Allow All Roles for Approver
    Parameter Group: Access Request Role Selection; Default Value: YES
    The application allows approvers to add additional roles to access requests when reviewing them. You can restrict the roles approvers can view and select for request creation. Set the value to YES to allow approvers to view and select all roles. Set the value to NO to restrict the roles the approvers can view and select for request creation. You specify the restriction criteria in parameter 2032.

84. Parameter 2032 - Approver Role Restriction Attribute
    Parameter Group: Access Request Role Selection; Default Value: <empty>
    The application allows approvers to add additional roles to access requests when reviewing them. You can restrict the roles approvers can view and select for request creation.
    Set the value to A to Restrict on Role Approver. Approvers can view and select only those roles for which they are the role approver.
    Set the value to B to Restrict on Business Process. Approvers can view and add only those roles with business process attributes that match those in the request.
    Set the value to F to Restrict on Functional Area. Approvers can view and add only those roles with functional area attributes that match those in the request.
    You can add multiple restriction values by adding additional instances of the parameter.
    Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the application ignores the restrictions specified here.

85. Parameter 2033 - Allow All Roles for Requestor
    Parameter Group: Access Request Role Selection; Default Value: YES
    Set the value to YES to allow the user to view all roles for request creation. Set the value to NO to restrict the roles the user can view for request creation. You specify the restriction criteria in parameter 2034.

86. Parameter 2034 - Requestor Role Restriction Attribute
    Parameter Group: Access Request Role Selection; Default Value: <empty>
    This parameter allows you to require that, for access request creation, the application displays only the roles that have attributes that match the specified requestor attributes.
    Set the value to B to Restrict on Business Process. The application displays only the roles that match the requestor's business process attribute.
    Set the value to F to Restrict on Functional Area. The application displays only the roles that match the requestor's functional area attribute.
    You can add multiple restriction values by adding additional instances of the parameter.
    Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If parameter 2033 is set to YES, the application ignores the restrictions specified here.

87. Parameter 2035 - Allow Role Comments
    Parameter Group: Access Request Role Selection; Default Value: YES
    Set the value to YES to allow the user to enter Role Comments when creating access requests.

88. Parameter 2036 - Role Comments Mandatory
    Parameter Group: Access Request Role Selection; Default Value: YES
    Set the value to YES to require Role Comments when creating access requests.
    Note: This is a GLOBAL setting and is required for all roles included on requests. Mandatory comments can also be determined at the individual role level.
    Prerequisite: Parameter 2035 must be set to YES.
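The two pairs 2031/2032 (approvers) and 2033/2034 (requestors) can be modelled as a filter over the role catalogue, which makes the effect of each restriction value concrete. The Python below is an added example, not SAP's implementation and not code from this guide: the role catalogue, the request, the user ids, and the rule that a role must satisfy every maintained restriction value are constructed assumptions (the guide does not state how multiple instances of 2032 or 2034 combine, so the stricter reading is used here).

```python
"""Model of the role selection restrictions (parameters 2031 to 2034).

Added illustration, not SAP code: the role catalogue, request and user ids are
constructed. Assumption: when several restriction values are maintained, a role
must satisfy all of them (the guide does not specify how instances combine).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    business_process: str
    functional_area: str
    role_approver: str        # user id of the role approver


@dataclass(frozen=True)
class Request:
    business_process: str
    functional_area: str


# Constructed role catalogue standing in for the GRC AC Repository.
CATALOGUE = [
    Role("z_fi_clerk", "FINANCE", "ACCOUNTING", "approver_a"),
    Role("z_fi_display", "FINANCE", "REPORTING", "approver_b"),
    Role("z_hr_admin", "HR", "PAYROLL", "approver_a"),
]


def _satisfies(code: str, role: Role, request: Request, user_id: str) -> bool:
    """Evaluate one restriction attribute value as described for 2032 and 2034."""
    if code == "A":   # Restrict on Role Approver: only roles this user approves
        return role.role_approver == user_id
    if code == "B":   # Restrict on Business Process: must match the request
        return role.business_process == request.business_process
    if code == "F":   # Restrict on Functional Area: must match the request
        return role.functional_area == request.functional_area
    raise ValueError(f"unknown restriction attribute {code!r}")


def selectable_roles(roles, request, allow_all, restrictions, user_id,
                     for_approver=True):
    """Names of the roles an approver (2031/2032) or requestor (2033/2034) may pick.

    allow_all mirrors 2031 or 2033; restrictions holds the values of the
    maintained instances of 2032 or 2034 (an empty list when none are maintained).
    """
    if allow_all:      # YES: the restriction attribute parameter is ignored
        return [r.name for r in roles]
    if not for_approver and "A" in restrictions:
        raise ValueError("value A (Restrict on Role Approver) exists only for 2032")
    return [r.name for r in roles
            if all(_satisfies(c, r, request, user_id) for c in restrictions)]


def demo() -> dict:
    """One constructed request evaluated under several restriction settings."""
    req = Request(business_process="FINANCE", functional_area="ACCOUNTING")
    return {
        "approver_allow_all": selectable_roles(CATALOGUE, req, True, ["A"], "approver_a"),
        "approver_A": selectable_roles(CATALOGUE, req, False, ["A"], "approver_a"),
        "approver_A_B": selectable_roles(CATALOGUE, req, False, ["A", "B"], "approver_a"),
        "requestor_B": selectable_roles(CATALOGUE, req, False, ["B"], "user_x",
                                        for_approver=False),
        "requestor_B_F": selectable_roles(CATALOGUE, req, False, ["B", "F"], "user_x",
                                          for_approver=False),
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

Note the edge case the model makes explicit: setting 2031 or 2033 to NO without maintaining any instance of 2032 or 2034 leaves the whole catalogue selectable, so the restriction only takes effect once at least one attribute value is configured.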

89. Parameter 2037 - Display expired roles for existing roles
    Parameter Group: Access Request Role Selection; Default Value: YES
    Set the value to YES to include the roles for which the user assignment is expired when the user chooses the Existing Assignment button on the Access Request.

90. Parameter 2038 - Auto Approve Roles without Approvers
    Parameter Group: Access Request Role Selection; Default Value: YES
    Set the value to YES to allow the application to automatically approve access requests for roles without role owners.

91. Parameter 2039 - Search Role by Transactions from Backend System
    Parameter Group: Access Request Role Selection; Default Value: NO
    Set the value to NO to allow users to search for roles using the role information in the GRC AC Repository. Set the value to YES to allow users to search for roles by transactions on a specific backend system in real time. This has the following effects: it adds the Transaction from Backend System criteria to the Select Roles screen; it makes the System criteria mandatory; and it fetches role information from the specified system in real time, which may have an effect on performance.

92. Parameter 2041 - Duration for assignment expiry in Days
    Parameter Group: Assignment Expiry; Default Value: <empty>
    On the My Profile and Existing Assignment screens, the application displays the Status field for the roles. Roles that are about to expire display the status of Expiring. You use this parameter to specify the timeframe (in days) that triggers the application to display the status as Expiring. In the following example, the My Profile and Existing Assignment screens will show the status of Expiring for all roles assigned to the user that are about to expire in 1 to 45 days.

93. Parameter 2050 - Enable Realtime LDAP Search for Access Request User
    Parameter Group: Performance; Default Value: NO
    If set to YES, the application searches for the access request user on the specified LDAP source in real time. If users exist within different domains in an LDAP forest, they will not be searched when the data source is LDAP unless this parameter is set to YES.
    Note: Be aware that because the search is performed in real time, it impacts performance.
    Prerequisite: You have specified the data source as LDAP; otherwise the application ignores this parameter.

94. Parameter 2051 - Enable User ID Validation in Access Request against Search Data Sources
    Parameter Group: Workflow; Default Value: NO
    If set to YES, the application validates that the UserID exists on the specified source system. The validation is performed when you choose Submit or press Enter. If the user does not exist, the application does not allow the request to continue.

95. Parameter 2052 - Obtain user@domain information from USERPRINCIPALNAME attribute of Active Directory
    Parameter Group: LDAP; Default Value: YES
    If set to YES, the application uses the attribute USERPRINCIPALNAME of the Active Directory to bind to LDAP.

96. Parameter 3000 - Default Business Process
    Parameter Group: Role Management; Default Value: <empty>
    Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available business processes. You maintain the list of business processes in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control > Role Management.

97. Parameter 3001 - Default Subprocess
    Parameter Group: Role Management; Default Value: <empty>
    Select the subprocess the application displays by default on the Role Import screen. Use F4 help to display the available subprocesses. You maintain the list of subprocesses in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control > Role Management.

98. Parameter 3002 - Default Criticality Level
    Parameter Group: Role Management; Default Value: <empty>
    Select the criticality level the application displays by default on the Role Import screen. Use F4 help to display the available criticality levels. You maintain the list of criticality levels in the Customizing activity Specify Criticality Level under Governance, Risk and Compliance > Access Control > Role Management.

99. Parameter 3003 - Default Project Release
    Parameter Group: Role Management; Default Value: <empty>
    Select the project release the application displays by default on the Role Import screen. Use F4 help to display the available project releases. You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance, Risk and Compliance > Access Control.

100. Parameter 3004 - Default Role Status
    Parameter Group: Role Management; Default Value: <empty>
    Select the role status the application displays by default on the Role Import screen. Use F4 help to display the available role statuses. You maintain the list of role statuses in the Customizing activity Maintain Role Status under Governance, Risk and Compliance > Access Control.

101. Parameter 3006 - Allow add functions to an authorization
    Parameter Group: Role Management; Default Value: YES
    Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen.

102. Parameter 3007 - Allow editing organizational level values for derived roles
    Parameter Group: Role Management; Default Value: NO
    The maintenance screen for derived roles displays organizational levels from the parent role. Set the value to YES to allow the derived roles to change the values for the organizational levels.

103. Parameter 3008 - A ticket number is required after authorization data changes
    Parameter Group: Role Management; Default Value: YES
    Set the value to YES to require a ticket number when role authorizations are modified in PFCG and the user chooses the Synch with PFCG button.
    Note: The Ticket Number field is a free text entry field. The application only provides the field and does not have any specific requirements. You can enter information appropriate for your company's change request processes.

104. Parameter 3009 - Allow Role Deletion from back-end system
    Parameter Group: Role Management; Default Value: YES
    Set the value to YES to give users the option to delete roles from both Access Control and the relevant plug-in systems. Set the value to NO to allow users to delete roles only from Access Control. Setting this value to Yes deletes the role individually in each of the systems in which it resided. For example, the role is DELETED directly from PRD instead of having a delete request transported through CTS.

105. Parameter 3010 - Allow attaching files to the role definition
    Parameter Group: Role Management; Default Value: YES
    Set the value to YES to allow users to attach files by displaying the Attachments tab on the Role Maintenance screen.

106. Parameter 3011 - Conduct Risk Analysis before Role Generation
    Parameter Group: Role Management; Default Value: YES
    Set the value to YES to automatically perform risk analysis when the user generates roles.

107. Parameter 3012 - Allow Role Generation on Multiple Systems
    Parameter Group: Role Management; Default Value: NO
    Set the value to YES to allow users to select multiple systems when generating roles. The application displays the systems in the landscape that are available for the role generation action.

108. Parameter 3013 - Use logged-on user credentials for role generation
    Parameter Group: Role Management; Default Value: NO
    When generating a role, the application connects to back-end systems to push the authorization data. The application needs a username/password to open the connection to the back-end ERP system. You can use this parameter to specify whether the application uses a generic username/password for all role generation connections to the ERP system, or the username/password of the person generating the role.
    Set the value to NO to use a generic username/password for the connection to the ERP system. You maintain the generic username/password for the connector in the Customizing activity Create Connectors under Governance, Risk, and Compliance > Common Component Settings > Integration Framework.
    Set the value to YES to allow the application to use the username/password of the person who is generating the role. The advantage of setting this parameter to Yes is that when someone opens a role in the ERP system, they can view exactly who generated it. If the parameter is set to No, they can see only that the connector, with the generic username/password, has generated it.

109. Parameter 3014 - Allow role generation with Permission Level violations
    Parameter Group: Role Management; Default Value: NO
    Set the value to YES to allow the application to generate roles even if Permission Level violations are present. Set the value to NO to prohibit role generation if permission level violations are present.

110. Parameter 3015 - Allow role generation with Critical Permission violations
    Parameter Group: Role Management; Default Value: NO
    Set the value to YES to allow the application to generate roles even if permission level violations are present. Set the value to NO to prohibit role generation if permission level violations are present.

111. Parameter 3016 - Allow role generation with Action Level violations
    Parameter Group: Role Management; Default Value: NO
    Set the value to YES to allow the application to generate roles even if action level violations are present. Set the value to NO to prohibit role generation if action level violations are present.

112. Parameter 3017 - Allow role generation with Critical Action violations
    Parameter Group: Role Management; Default Value: NO
    Set the value to YES to allow the application to generate roles even if critical action violations are present. Set the value to NO to prohibit role generation if critical action violations are present.

113. Parameter 3018 - Allow role generation with Critical Role/Profile violations
    Parameter Group: Role Management; Default Value: NO
    Set the value to YES to allow the application to generate roles even if critical role/profile violations are present. Set the value to NO to prohibit role generation if critical role/profile violations are present.

114. Parameter 3019 - Overwrite individual role Risk Analysis results for Mass Risk Analysis
    Parameter Group: Role Management; Default Value: NO
    The application allows you to perform ad hoc risk analysis for multiple roles under Access Management > Role Mass Maintenance > Run Risk Analysis. The application stores the results of the analysis. When you next perform mass risk analysis, the application searches the stored data to determine if there are previous risk analysis results for each role. You can choose whether or not the application overwrites the risk analysis results. Set the parameter value to YES to overwrite previous results. Set the parameter value to NO to keep previous results.
    Note: This is done per individual role; it does not automatically overwrite the results for all roles. (See also parameters 1052, 1053.)

115. Parameter 3020 - Role certification reminder notification
    Parameter Group: Role Management; Default Value: 10
    You use this parameter to set how many days prior to the Next Certification date the application sends a reminder to the role owner. You set the Certification Period in Days and Next Certification date in the Define Role phase, on the Properties tab. For example, if the next certification is June 15, xxxx, and this parameter value is 10, then the application sends the reminder notification to the role owner on June 5, xxxx.
    Note - Additional information about Certification Notifications: You can use the following Customizing activities to maintain custom notification e-mails under Governance, Risk, and Compliance > Access Control > Workflow for Access Control:
    Maintain Custom Notification Messages
    Maintain Text for Custom Notification Messages
    Maintain Background Job for E-mail Reminders
    The application provides notification templates. You can choose to assign your own custom notification templates in the Customizing activity Maintain Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. You can customize the notification text by using the Customizing activity Maintain Text for Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
    For certification notifications to be delivered, you must run the GRAC_ERM_ROLE_CERTIFY_NOTIF program either in the foreground or in the background. You can schedule background jobs to run periodically using the Customizing activity Maintain Background Job for E-mail Reminders under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. If you run the program in the foreground, the application displays the following results screen: [screenshot]
    The following is an example of a notification e-mail: [screenshot]

116. Parameter 3021 - Directory for mass role import server files
    Parameter Group: Role Management; Default Value: <empty>
    The application allows you to perform mass role import under Access Management > Role Mass Maintenance > Role Import. You can select the Import Source as File on Server. You use this parameter to specify the location of the files on the server.

117. Parameter 3022 - Request Type for Role Approval
    Parameter Group: Workflow; Default Value: 21
    Use F4 help and choose the request type the workflow uses for role approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101.)

118. Parameter 3023 - Priority for Role Approval
    Parameter Group: Workflow; Default Value: 5
    Priority of the request for Role Approval. You use this parameter to set the default workflow request priority for Role Approvals. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_ROLE_APPR to role approval priorities.

Maintaining Configuration Settings in Access Control 10. two of the roles are in Role Generation phase. Set the value to NO to display all derived roles. Figure B shows that if the value is set to YES. regardless of their phase in the methodology process. In the following example.0 # Parameter Group Role Management Parameter ID 3024 Description Enforce methodology process for derived roles during generation Default Value YES You use this parameter to determine the derived roles displayed in the role generation phase of the master role. 119 December 2011 49 . Set the value to YES to display only the derived roles that reach the role generation phase of the methodology process. only the two roles in Role Generation phase are displayed. Figure A shows five derived roles available.

#120 Parameter Group: Role Management; Parameter ID: 3025; Description: Allow selection of Org. Value Maps without leading org.; Default Value: NO
You use this parameter to determine if users may derive roles by using Org Value Maps that do not contain a leading organization. Set the value to YES to allow role derivation using Org Value Maps that do not contain a leading organization. Set the value to NO to require that role derivation is performed using Org Value Maps that do contain a leading organization.

Single Role Derivation
Choose Access Management > Role Management > Role Search. Search and open any role. Go to the role derivation phase and choose Derive.

If the AC Configuration parameter 3025 = YES, the screen appears as below:

If the AC Configuration parameter 3025 = NO, the screen appears as below:

Mass Role Derivation
Choose Access Management > Role Mass Maintenance > Role Derivation. Search and select any map and choose Next to go to the Select Master Role screen.

If the AC Configuration parameter 3025 = YES, the screen appears as below:

If the AC Configuration parameter 3025 = NO, the screen appears as below:

Superuser Management

#121 Parameter Group: Superuser Management; Parameter ID: 4000; Description: Application type; Default Value: 1
You use this parameter to set the firefighting configuration: Choose 1 for ID-based firefighting. Choose 2 for Role-based firefighting.

#122 Parameter Group: Superuser Management; Parameter ID: 4001; Description: Default Firefighter Validity Period (Days); Default Value: <empty>
Set the default validity period (in days) of firefighter ID assignments to a firefighter.
Note: This is only the default period. You can override the validity period for each assignment as needed in the front-end.

#123 Parameter Group: Superuser Management; Parameter ID: 4002; Description: Send E-mail Immediately; Default Value: YES
The application sends e-mail notifications to the controller. Set the value to YES to send the e-mail notifications immediately. Set the value to NO and the application sends notifications only when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports.

Maintaining Configuration Settings in Access Control 10. (See also parameter 4002. (See also parameter 4002. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Managem ent Reports. Note: You can activate Audit Logs using the transaction SM19.) Note: Plug-in system must have the O/S time and R/3 time zone matched for the logs to be properly collected. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports. Set the value to NO and the application only collects the logs when the user chooses the Update Firefighter Log button or runs the GRAC_SPM_LOG_SYNC_UPDATE program. or executed.) Superuser Management 4007 Send Log Report Execution Notification Immediately YES 128 The application can send log reports controllers. (See figure below. The application sends the e-mail notifications when the GRAC_SPM_WORKFLOW_SYNC program is run. The application sends the notifications as e-mails or workflow items based on the configuration of the controllers.) Superuser Management 4006 Retrieve O/S Command Log YES 127 If set to YES then the application fetches the O/S Command Log when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. December 2011 53 . changed. This is because STAD stores the logs in O/S files. (See also parameter 4002. 124 The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports. # Parameter Group Superuser Management Parameter ID 4004 Description Retrieve System Log Default Value YES 125 If set to YES then the application fetches the System Log (debug changes) when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.) 
Superuser Management 4005 Retrieve Audit Log YES If set to YES then the application fetches the audit (security) logs when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. (See also parameter 4002. 126 The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports.0 Superuser Management 4003 Retrieve Change Log YES If set to YES then the application fetches the Change Log when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S Command Log tracks information when O/S commands (SM49) are created. The Update Firefighter Log button is available on the Consolidated Log Report under Superuser Management Reports.) Set the value to YES and the application sends notifications when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.

#129 Parameter Group: Superuser Management; Parameter ID: 4008; Description: Send FirefightId Logon Notification; Default Value: YES
Set to YES and the application sends notification to the controller whenever a firefighter logs onto a system.

#130 Parameter Group: Superuser Management; Parameter ID: 4009; Description: Log Report Execution Notification; Default Value: YES
Set to YES and the application sends notification to the controller when a user runs a log report.

#131 Parameter Group: Superuser Management; Parameter ID: 4010; Description: Firefighter ID Role Name; Default Value: ZSAP_GRAC_SMP_FFID
Enter the name of the role assigned to the firefighter ID in the target systems. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them. This identifies to the application that the user who is logging on to the target system is a firefighter ID.

2. Copyright

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are subject to change without notice.
