Unit3DesignandManageRoles Exercise3.1.1ReviewDesignandManageRolesspecificConfiguration ObjectiveTounderstandthecurrentandavailableconfigurationsoftheGRCv10.0system 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl MaintainConfigurationSettings a. ReviewthefollowingsettingsrelatedtoAnalyzeandManageRisk b. Listwhichsettingsaresetandtheirvalues i. 10RoleManagement:3000DefaultBusinessProcess ii. 10RoleManagement:3001DefaultSubprocess iii.

. 10RoleManagement:3002DefaultCriticalLevel iv. 10RoleManagement:3003DefaultProjectRelease v. 10RoleManagement:3004DefaultRoleStatus vi. 10RoleManagement:3005ResetRoleMethodologywhenChangingRoleAttributes vii. 10RoleManagement:3006Allowaddfunctionstoanauthorization viii. 10RoleManagement:3007Alloweditingorganizationallevelvaluesforderivedroles ix. 10RoleManagement:3008Aticketnumberisrequiredafterauthorizationdatachanges x. 10RoleManagement:3009AllowRoleDeletionfromBackEnd xi. 10RoleManagement:3010Allowattachingfilestotheroledefinition xii. 10RoleManagement:3011ConductRiskAnalysisbeforeRoleGeneration xiii. 10RoleManagement:3012AllowRoleGenerationonMultipleSystems xiv. 10RoleManagement:3013Useloggedonusercredentialsforrolegeneration xv. 10RoleManagement:3014AllowrolegenerationwithPermissionLevelviolations xvi. 10RoleManagement:3015AllowrolegenerationwithCriticalPermissionviolations xvii. 10RoleManagement:3016AllowrolegenerationwithActionLevelviolations xviii. 10RoleManagement:3017AllowrolegenerationwithCriticalActionviolations xix. 10RoleManagement:3018AllowrolegenerationwithCriticalRole/Profileviolations xx. 10RoleManagement:3019Overwriteindividualrole'sRiskAnalysisresultduringMassRisk Analysisrun xxi. 10RoleManagement:3020Rolecertificationremindernotification xxii. 10RoleManagement:3021Directoryformassroleimportserverfiles xxiii. 5Workflow:3022RequestTypeforRoleApproval xxiv. 5Workflow:3023PriorityforRoleApproval

Page|1

 Unit3DesignandManageRoles Exercise3.1.1ReviewDesignandManageRolesspecificConfiguration Solution:

Page|2

Page|3

 Unit3DesignandManageRoles Exercise3.1.2ReviewDesignandManageRolesspecificConfiguration ObjectiveTounderstandthecurrentandavailableconfigurationsoftheGRCv10.0system 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement MaintainRoleType Settings DeactivateRoleTypes a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. MaintainRoleTypes 1. Arethereanyroletypesthathavebeendeactivated?YES/NO ii. MaintainLabelsforRoleTypes 1. WhatisthedescriptionofRoleTypeTPL?_________________________ iii. SpecifyMaximumLengthforRoleType 1. WhatisthemaximumnumberofcharactersforSingleRolesinUserManagement Engineapplication(Hint:ApplicationType3)_____________________ 2. WhatisthemaximumnumberofcharactersforSingleRolesinSAPapplication? __________

Page|4

 Unit3DesignandManageRoles Exercise3.1.2ReviewDesignandManageRolesspecificConfiguration Solution: MaintainRoleTypes Arethereanyroletypesthathavebeendeactivated?NO MaintainLabelsforRoleTypes WhatisthedescriptionofRoleTypeTPL?TEMPLATE SpecifyMaximumLengthforRoleType WhatisthemaximumnumberofcharactersforSingleRolesinUserManagementEngine application(Hint:ApplicationType3)40 WhatisthemaximumnumberofcharactersforSingleRolesinSAPapplication?30 DeactivateRoleTypes

Page|5

Page|6

 i. MaintainLabelsforRoleTypes

Page|7

Page|8

 ii. SpecifyMaximumLengthforRoleTypes

Page|9

Page|10

 Unit3DesignandManageRoles Exercise3.1.3ReviewDesignandManageRolesspecificConfiguration ObjectiveTounderstandthecurrentandavailableconfigurationsoftheGRCv10.0system 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement SpecifyNaming Conventions a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. Howmanynamingconventionshavebeenconfigured?__________ ii. WhatistheConnectorGroupattachedtoNamingConvention3?____________ iii. ThereisamismatchinconfigurationfortheNamingConventionforBusinessRoles.Whatisit? ______________________________________________________________________________ iv. WhatroleattributesareusedforCompositerolestocreatetheroleID? ______________________________________________________________________________

Page|11

 Unit3DesignandManageRoles Exercise3.1.3ReviewDesignandManageRolesspecificConfiguration Solution: i. Howmanynamingconventionshavebeenconfigured?4 ii. WhatistheConnectorGroupattachedtoNamingConvention3?R3 iii. ThereisamismatchinconfigurationfortheNamingConventionforBusinessRoles.Whatis it?Themaximumlengthforthisroletypeisconfiguredat30characters,buttherole namingconventionisconfiguredto40characters iv. WhatroleattributesareusedforCompositerolestocreatetheroleID?RoleType,Business Process,BusinessSubprocess b. SpecifyNamingConventions

Page|12

Page|13

Page|14

Page|15

 Unit3DesignandManageRoles Exercise3.1.4ReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement MaintainProject andProductReleaseName a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. Howmanyprojectreleaseshavebeenconfigured?__________ ii. WhatistheProjectReleaseIDandDescription______________________________________

Page|16

 Unit3DesignandManageRoles Exercise3.1.4ReviewDesignandManageRolesspecificConfiguration Solution: i. Howmanyprojectreleaseshavebeenconfigured?1 ii. WhatistheProjectReleaseIDandDescriptionPROD;Production c. MaintainProjectandProductReleaseName

Page|17

Page|18

 Unit3DesignandManageRoles Exercise3.1.5ReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement DefineRole Sensitivity a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatisthedescriptionofRoleSensitivityID3?__________

Page|19

 Unit3DesignandManageRoles Exercise3.1.5ReviewDesignandManageRolesspecificConfiguration Solution: i. WhatisthedescriptionofRoleSensitivityID3?Restricted d. DefineRoleSensitivity

Page|20

Page|21

 Unit3DesignandManageRoles Exercise3.1.6ReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement MaintainRoleStatus a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatistheRoleStatusIDforInProductiveUse?_____________

Page|22

 Unit3DesignandManageRoles Exercise3.1.6ReviewDesignandManageRolesspecificConfiguration Solution: i. WhatistheRoleStatusIDforInProductiveUse?PRD e. MaintainRoleStatus

Page|23

Page|24

 Unit3DesignandManageRoles Exercise3.1.7ReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement SpecifyCriticalLevel a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatistheCriticalLevelIDforVHmean?_____________

Page|25

 Unit3DesignandManageRoles Exercise3.1.7ReviewDesignandManageRolesspecificConfiguration Solution: i. WhatistheCriticalLevelIDforVHmean?VeryHigh f. SpecifyCriticalLevel

Page|26

Page|27

 Unit3DesignandManageRoles Exercise3.1.8ReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement DefineCompanies a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatistheCompanyIDfortheIDESCompany?_____________

Page|28

 Unit3DesignandManageRoles Exercise3.1.8ReviewDesignandManageRolesspecificConfiguration Solution: i. WhatistheCompanyIDfortheIDESCompany?0001 g. DefineCompanies

Page|29

Page|30

 Unit3DesignandManageRoles Exercise3.1.9ReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement MaintainFunctional Areas a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatistheFunctionalAreaIDfortheMaterialsManagement?_____________ ii. WhatistheabbreviationfortheSalesfunctionalarea?_______________

Page|31

 Unit3DesignandManageRoles Exercise3.1.9ReviewDesignandManageRolesspecificConfiguration Solution: i. WhatistheFunctionalAreaIDfortheMaterialsManagement?MATERIAL ii. WhatistheabbreviationfortheSalesfunctionalarea?SD h. MaintainFunctionalAreas

Page|32

Page|33

 Unit3DesignandManageRoles Exercise3.1.AReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement Define OrganizationalValueMaps a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. Whatistheparentorganizationalvalueforthismap?ListOrgLevel(IDordescription)andthe value._____________ ii. WhatisthevalueofOrgLevelLGNUMforthisvaluemap?_______________

Page|34

 Unit3DesignandManageRoles Exercise3.1.AReviewDesignandManageRolesspecificConfiguration Solution: i. Whatistheparentorganizationalvalueforthismap?ListOrgLevel(IDordescription)andthe value.BUKRS/CompanyCode;1000 ii. WhatisthevalueofOrgLevelLGNUMforthisvaluemap?010 i. DefineOrganizationalValueMaps

Page|35

Page|36

 Unit3DesignandManageRoles Exercise3.1.BReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement DefinePrerequisite Types a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatisthedescriptionforprerequisitetypeCERTIF?_____________

Page|37

 Unit3DesignandManageRoles Exercise3.1.BReviewDesignandManageRolesspecificConfiguration Solution: WhatisthedescriptionforprerequisitetypeCERTIF?Certification DefinePrerequisiteTypes

Page|38

Page|39

 Unit3DesignandManageRoles Exercise3.1.CReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement DefineRole Prerequisites a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. WhatistheCourseIDanddescriptionfortheCERTroleprerequisite?_____________

Page|40

 Unit3DesignandManageRoles Exercise3.1.CReviewDesignandManageRolesspecificConfiguration Solution: i. WhatistheCourseIDanddescriptionfortheCERTroleprerequisite?CERT305; CertificationCourse305 j. DefineRolePrerequisites

Page|41

Page|42

 Unit3DesignandManageRoles Exercise3.1.DReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement AssignCondition GroupstoBRFplusFunctions a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. Whataretheconditiongroupslisted?______________________________ 5. ExecutetransactionBRF+.AnewwindowwillopenthatwillshowtheBRFplusworkbench. a. NOTE:BRF+willbedetailsinasubsequentLab.ThisistofamiliarizetheparticipantwithsomeBRF+ screensandnavigation.ItisalsoimportanttonotetheBRF+isatooltoanalyzeattributesandreturna result.Thisresultisreturnedtotherequestingprogram. b. ReviewtheBRF+Application i. ClickSearchintheRepositoryNavigationpane ii. InDefineSearchscreen,searchforObjectNameZBRM*(fromtheapplicationcolumnofthe abovevieweddata) iii. ClickSearch iv. TheBRFapplicationwillnowappearintheNavigationarea v. ChangetheUserModetoExpert 1. ClickWorkbench 2. ClickUserMode 3. ClickExpert vi. OpenExpressionnavigationfolder vii. OpenDecisionTreenavigationfolder viii. SelectROLE_METHODOLOGY_EXPRESSION ix. ReviewtheBRFrules. 1. ThetablestatestheifRoleType=SIN,thentheMethodologyConditionresultreturned isSIN01,ifCOM,theresultisCOM01,ifBUS,theresultisBUS01.Thisisusedto determinetheRoleMethodologyaswillbeseeninExercise3.2F. 2. ViewthedetailedexpressionfortheSINrole a. Selecttherow(ifnotalreadyselected) b. ClickEditRow(ifEditRowisnotvisible,checktoseeifyouareinChangeMode atthetopofthescreen.Ifnot,clickEditbutton. c. ClickCanceltoreturntoTableContents. x. SelecttheAPPROVER_METHODOLOGY_EXPRESSION 1. ThistablestatesthatiftheRoleTypeisSINandtheBusinessProcessisMM00,the resultreturnedisMM01.Thisisusedtodetermineadefaultowner.Thiswillbe explainedinexercise3.3.

Page|43

 Unit3DesignandManageRoles Exercise3.1.DReviewDesignandManageRolesspecificConfiguration Solution: k. AssignConditionGroupstoBRFplusFunctions i. NOTE:BRF+willbecoveredindetailinaseparatelabexercise

Page|44

Page|45

Page|46

Page|47

Page|48

Page|49

Page|50

 Unit3DesignandManageRoles Exercise3.1.EReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement DefineMethodology ProcessesandSteps a. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. ClickDefineSteptoreviewtheavailablestepsandthePhasedefination ii. ClickDefineMethodologytoviewtheconfiguredrolemaintenancemethodologiesandwhich oneisthedefault. iii. SelectamethodologyandclickMethodologySteptoviewtheassociatedphasesandtheir sequence

Page|51

 Unit3DesignandManageRoles Exercise3.1.EReviewDesignandManageRolesspecificConfiguration Solution: l. DefineMethodologyProcessesandSteps

Page|52

Page|53

Page|54

Page|55

Page|56

 Unit3DesignandManageRoles Exercise3.1.FReviewDesignandManageRolesspecificConfiguration 1. LogontoABAPclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. ExecuteTransactionSPRO 3. ClickSAPReferenceIMG 4. OpenFoldersGovernanceRiskandCompliance AccessControl RoleManagement Associate MethodologyProcesstoConditionGroup a. Thisconfigurationusestheinformationfromtheprevious2exercises. b. ReviewthefollowingsettingsrelatedtoDesignandManageRoles i. Toexplainthecolumns 1. TheConditionGroupIDsarethesameonesthatBRF+willreturntoAccessControl basedontheattributesinthedecisiontable.ThiswascoveredinExercise3.1.D. 2. TheMethodologyColumnreferstothemethodologyIDreviewedinExercise3.1.E. c. WhichMethodologywillaCompositeroleuse?________________________________ d. WhatRoletypewilluseMethodology4?______________________________________

Page|57

 Unit3DesignandManageRoles Exercise3.1.FReviewDesignandManageRolesspecificConfiguration Solution: a. WhichMethodologywillaCompositeroleuse?3MethodologyProcessforCompositeRoles b. WhatRoletypewilluseMethodology4?BusinessRole m. AssociateMethodologyProcesstoConditionGroup i. Note:TheseassociatetotheresultsinAssignConditionGroupstoBRFplusFunctions

Page|58

Page|59

 Unit3DesignandManageRoles Exercise3.2MaintainOwnersforRoleManagement 1. LogontoNWBCclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. GotoworkcenterSetup 3. ClickAccessControlOwnersundertheAccessOwnerssection 4. ClickCreate 5. CreateRoleOwnerswiththefollowinginformation a. GroupTypeOwner b. OwnerACROLEOWNxx(wherexxisyourParticipantID) c. ClickboxinSelectcolumnforRoleOwner d. AddCommentsRoleOwnerMaintenanceforGRCTrainingCourseGroupxx(wherexxisyour ParticipantID) e. ClickSave,thenClose f. RepeatstepsaboveforUserIDACROLEAPPxx.Incommentsuse:RoleApproverMaintenanceforGRC TrainingCourseGroupxx(wherexxisyourParticipantID) 6. ClickClose 7. UseFiltertofindyourIDs a. ClickFilter b. EnterAC*xxinOwnerIDcolumn(wherexxisyourParticipantID) 8. CloseQueryScreenbyclickingonXinupperrightcorner

Page|60

 Unit3DesignandManageRoles Exercise3.2MaintainOwnersforRoleManagement Solution: 1. MaintainOwners/Approvers(Provisioning) n. AssignUserasRoleOwner

Page|61

Page|62

Page|63

Page|64

 Unit3DesignandManageRoles Exercise3.3MaintainDefaultRoleOwnerswithConditionGroup 1. Note:ThisfunctionalityistoassignDEFAULTownersbasedoncriteriathatareenteredinBRF+.Theusercanbe theAssignmentApproverortheRoleContentApproverorBOTH. 2. LogontoNWBCclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 3. GotoworkcenterSetup 4. ClickRoleOwnersundertheAccessOwnerssection 5. Reviewinformationshowninquery a. TheConditionGroupIDisthesameonethatwasdiscussedintheBRF+exercise(Exercise3.1.D) 6. CreateRoleOwnerswiththefollowinginformation

Page|65

 Unit3DesignandManageRoles Exercise3.3MaintainDefaultRoleOwnerswithConditionGroup Solution: a. AssignDefaultOwners/ApproversusingApproverConditionID(optional)

Page|66

 Unit3DesignandManageRoles Exercise3.4RoleMaintenanceSingleRole 1. LogontoNWBCclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. GotoworkcenterAccessManagement 3. ClickRoleMaintenanceundertheRoleManagementsection 4. CreateaSingleRoleusingthefollowinginformation: a. OnDefineRoletabDetails i. ApplicationTypeSAP ii. LandscapeECCLandscape iii. BusinessProcessBasis iv. SubprocessSecurity v. ProjectReleaseProduction vi. FinalizeRoleNamesothatitshowsasZS:BSSE:SINGLE_ROLE_GRPxx(wherexxisyour ParticipantID) vii. DescriptionSingleRoleMaintenanceforGRCTrainingCourseGroupxx(wherexxisyour ParticipantID) viii. ProfileNameandDescriptionLeaveBLANK b. ClickProperties i. CriticalLevelMedium ii. SensitivityNormal iii. DerivationallowedNO c. ClickFunctionalArea i. ClickAdd ii. EnterorusesearchtoselectFunctionalAreaBASIS d. ClickCompany i. ClickAdd ii. EnterorusesearchtoselectCompany0001 e. ClickPrerequisite i. ClickAdd ii. EnterorusesearchtoselectPrerequisiteNameCERT iii. VerifyonRequestNO iv. Activeenable f. ClickSavetosavedataandsayinthesamePhase g. ClickOwners/Approvers i. EnterorsearchforACROLEOWNxx(wherexxisyourParticipantID)andassignAssignment ApproverandRoleContentApprover ii. EnterorsearchforACROLEAPPxx(wherexxisyourParticipantID)andassignAssignment ApproverONLY h. ClickAdditionalDetailstab i. DetailedDescriptionThisrolewascreatedbyaTrainingParticipantGroupxx(wherexxisyour ParticipantID) i. ClickProvisioning i. SelectInDevelopment Page|67

 j. k. l. m. ClickSavetoremaininsamePhase ClickChangeHistorytoviewthechangelogforthisrole ClickSave&ContinuetomovetothenextPhase(MaintainAuthorizations) ClickMaintainAuthorizationDatabutton i. EnterACParticipantIDandpasswordintheSAPGUIShortcut 1. Passwordwillbestillbetheinitialpasswordasthisisforthebackend(ZMG)system. ii. ThePFCGscreenwillopen. iii. Createarolewiththefollowinginformation 1. InMenuTab,insertthefollowingTransactions a. XK01 b. XK02 c. XK03 d. FB60 e. MIRO 2. ClickAuthorizationstab,clickChangeAuthorizationData 3. FortheOrganizationalLevels,thisshouldbeFULLAuthorizationexceptforAccount Type,enterKandSforAccounttype 4. SetallotheritemsinAuthorizationsscreentofullbyclickingonyellowarrows. 5. ClickSave 6. ClickGenerate 7. ExitoutofPFCGscreen iv. TheNWBCscreenwillappear.ClickSync.WithPFCGtobringchangesbacktoDesignand ManageRoles. v. ClickSave&Continuetomovetonextphase(DeriveRole) vi. ClickSave&Continuetomovetonextphase(AnalyzeAccessRisks) 1. ClickForegroundtorunreportwithdefaultsettings 2. AswithAnalyzeandManageRiskreportspreviouslylearned,useTypeandFormatto changetheRiskAnalysisresults. vii. SelectImpactAnalysisinAnalysisType 1. SincethisisaNEWrole,thisisnovalueforimpactanalysisastheroleisnotprovisioned toanyoneorisnotpartofotherrolesyet.. viii. ClickSave&Continuetomovetonextphase(GenerateRoles) 1. ClickGenerate 2. ValidatetheDefaultSystemiscorrect(ZMGCLNT800) 3. ClickNext 4. ScheduletheGenerationselectForeground 5. ClickNext 6. Verifysuccessfulrolegeneration ix. ClickSave&Continuetomovetocomplete x. ClickGotoPhase,selectDefineRole 1. ClickAdditionalDetailsProvisioning a. InProvisioningAllowed,selectYES b. InAllowAutoProvisioning,selectYES c. SetRoleStatustoInProductiveUse Page|68

 2. ClickChangeHistorytoviewchangelog 3. ClickPFCGChangeHistorytoviewthebackendLog a. EnterlogondatainSAPGUIShortcut b. VerifyReportParameters c. ClickExecute,reviewreturneddata d. ExittheBackendsytem 4. CloseRolescreen 5. VerifyCurrentPhaseforroleisnowCOMPLETE. 5.

Page|69

 Unit3DesignandManageRoles Exercise3.4RoleMaintenanceSingleRole Solution: 2. CreateSingleTechnicalRole

Page|70

Page|71

Page|72

Page|73

Page|74

Page|75

Page|76

Page|77

Page|78

Page|79

Page|80

Page|81

Page|82

Page|83

Page|84

Page|85

Page|86

Page|87

Page|88

Page|89

Page|90

Page|91

Page|92

Page|93

Page|94

Page|95

Page|96

Page|97

Page|98

Page|99

 Unit3DesignandManageRoles Exercise3.5RoleMaintenanceCompositeRole 1. LogontoNWBCclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. GotoworkcenterAccessManagement 3. ClickRoleMaintenanceundertheRoleManagementsection 4. CreateaCompositeRoleusingthefollowinginformation: a. OnDefineRoletabDetails i. ApplicationTypeSAP ii. LandscapeECCLandscape iii. BusinessProcessBasis iv. SubprocessSecurity v. ProjectReleaseProduction vi. FinalizeRoleNamesothatitshowsasZS:BSSE:COMPOSITE_ROLE_xx(wherexxisyour ParticipantID) vii. DescriptionCompositeRoleMaintenanceforGRCTrainingCourseGroupxx(wherexxisyour ParticipantID) viii. ProfileNameandDescriptionLeaveBLANK b. ClickProperties i. CriticalLevelHigh ii. SensitivityRestricted iii. CommentsMandatoryYES c. ClickFunctionalArea i. ClickAdd ii. EnterorusesearchtoselectFunctionalAreaBASIS d. ClickCompany i. ClickAdd ii. EnterorusesearchtoselectCompany0001 e. ClickPrerequisite i. ClickAdd ii. EnterorusesearchtoselectPrerequisiteNameCERT iii. VerifyonRequestNO iv. Activeenable f. ClickSavetosavedataandsayinthesamePhase g. ClickRoles i. ClickAdd ii. EnterorSearchforRole 1. ZS:BSSE:SINGLE_ROLE_GRPxx(wherexxisyourParticipantID) 2. UseArrowtomoveroletoSelected 3. ClickOK h. ClickOwners/Approvers i. EnterorsearchforACROLEOWNxxandRoleContentApproverONLY(wherexxisyour ParticipantID) Page|100

 ii. EnterorsearchforACROLEAPPxxandassignAssignmentApproverONLY(wherexxisyour ParticipantID) i. ClickAdditionalDetailstab i. DetailedDescriptionThisrolewascreatedbyaTrainingParticipant(Groupxx) j. ClickProvisioning i. SelectInDevelopment k. ClickSavetoremaininsamePhase l. ClickChangeHistorytoviewthechangelogforthisrole m. ClickSave&ContinuetomovetothenextPhase(MaintainAuthorizations) i. ClickSave&Continuetomovetonextphase(AnalyzeAccessRisks) 1. ClickForegroundtorunreportwithdefaultsettings 2. AswithAnalyzeandManageRiskreportspreviouslylearned,useTypeandFormatto changetheRiskAnalysisresults. ii. SelectImpactAnalysisinAnalysisType 1. SincethisisaNEWrole,thisisnovalueforimpactanalysisastheroleisnotprovisioned toanyoneorisnotpartofotherrolesyet.. iii. ClickSave&Continuetomovetonextphase(RequestApproval) 1. ClickitiateApprovalRequest 2. EnterRequestReasonTrainingCourseGroupxx(wherexxisyourParticipantID) 3. ClickOK iv. LogofftheNWBCclientusingtheLogofflink. v. LogontheNWBCclientusingIDACROLEOWNxx(wherexxisyourParticipantID) vi. InMyHomeworkcenter,clickWorkInox vii. Locaterequestfornewcompositeroleandapprove 1. EnterCommentsApprovedTrainingRequestGroupxx(wherexxisyourParticipantID) 2. ClickYEStoconfirmapproval 3. ClickClose 4. LogoffACROLEOWNxx(wherexxisyourParticipantID) viii. LogonasACTRNGxx(wherexxisyourParticipantID) ix. GotoworkcenterAccessManagement x. ClickRoleMaintenanceundertheRoleManagementsection xi. SelectRolefromquery xii. ClickOpen xiii. OnceRequestisapproved,beginRoleMaintenanceprocesstogeneraterole 1. GotoworkcenterAccessManagement 2. ClickRoleMaintenanceundertheRoleManagementsection 3. ValidatetheDefaultSystemiscorrect(ZMGCLNT800) 4. ClickNext 5. ScheduletheGenerationselectForeground 6. ClickNext 7. Verifysuccessfulrolegeneration xiv. ClickSave&Continuetomovetocomplete xv. ClickGotoPhase,selectDefineRole 1. ClickAdditionalDetailsProvisioning Page|101

 a. SetRoleStatustoInProductiveUse b. InProvisioningAllowed,selectYES c. InAllowAutoProvisioning,selectYES ClickChangeHistorytoviewchangelog ClickPFCGChangeHistorytoviewthebackendLog a. EnterlogondatainSAPGUIShortcut b. VerifyReportParameters c. ClickExecute,reviewreturneddata d. ExittheBackendsystem CloseRolescreen VerifyCurrentPhaseforroleisnowCOMPLETE.

2. 3.

4. 5.

Page|102

 Unit3DesignandManageRoles Exercise3.5RoleMaintenanceCompositeRole Solution: 3. CreateCompositeTechnicalRole

Page|103

Page|104

Page|105

Page|106

Page|107

Page|108

Page|109

Page|110

Page|111

Page|112

LogonasACTRNGxx

Page|113

Page|114

Page|115

Page|116

Page|117

 Unit3DesignandManageRoles Exercise3.6RoleMaintenanceBusinessRole 1. LogontoNWBCclientforGRCV10.0(ZMC)withuserIDACTRNGxx(wherexxisyourParticipantID) 2. GotoworkcenterAccessManagement 3. ClickRoleMaintenanceundertheRoleManagementsection 4. CreateaBusinessRoleusingthefollowinginformation: a. OnDefineRoletabDetails i. ApplicationTypeBusinessRoles ii. LandscapeRoleMangementBusinessGroup iii. ProcessBasis iv. SubprocessSecurity v. ProjectReleaseProduction vi. FinishRoleNameZB:BS:BUSINESS_ROLE_GRPxx(wherexxisyourParticipantID) vii. DescriptionBusinessRoleMaintenanceforGRCTrainingCourseGroupxx(wherexxisyour ParticipantID) b. ClickProperties i. CriticalLevelHigh ii. CommentsMandatoryYES c. ClickFunctionalArea i. ClickAdd ii. EnterorusesearchtoselectFunctionalAreaBASIS d. ClickCompany i. ClickAdd ii. EnterorusesearchtoselectCompany0001 e. ClickPrerequisite i. ClickAdd ii. EnterorusesearchtoselectPrerequisiteNameCERT iii. VerifyonRequestNO iv. Activeenable f. ClickSavetosavedataandsayinthesamePhase g. ClickRoles i. ClickAdd ii. EnterorSearchforRole 1. ZS:BSSE:SINGLE_ROLE_GRPxx(wherexxisyourParticipantID) 2. ZC:BSSE:COMPOSITE_ROLExx(wherexxisyourParticipantID) 3. UseArrowtomoveroletoSelected 4. ClickOK h. ClickOwners/Approvers i. EnterorsearchforACROLEOWNxxandRoleContentApproverONLY(wherexxisyour ParticipantID) ii. EnterorsearchforACROLEAPPxxandassignAssignmentApproverONLY(wherexxisyour ParticipantID) i. ClickAdditionalDetailstab Page|118

 i. DetailedDescriptionThisrolewascreatedbyaTrainingParticipantGroupxx(wherexxisyour ParticipantID) ClickProvisioning i. SelectInDevelopment ClickDefineRoletab ClickSavetoremaininsamePhase ClickChangeHistorytoviewthechangelogforthisrole ClickSave&Continuetomovetonextphase(AnalyzeAccessRisks) i. ClickForegroundtorunreportwithdefaultsettings ii. AswithAnalyzeandManageRiskreportspreviouslylearned,useTypeandFormattochange theRiskAnalysisresults. SelectImpactAnalysisinAnalysisType i. SincethisisaNEWrole,thisisnovalueforimpactanalysisastheroleisnotprovisionedto anyoneorisnotpartofotherrolesyet.. ClickSave&Closetomovetonextphase(MaintainTestCases) i. ClickCreate ii. EnterTestCaseNameBusinessRoleTestCaseGroupxx(wherexxisyourParticipantID) iii. EnterTestCaseDescriptionBusinessRoleTestCaseGroupxx(wherexxisyourParticipantID) iv. ClickAdd,thenAddLink 1. TitleBusinessRoleTestLinkxx(wherexxisyourParticipantID) 2. Pathwww.sap.com 3. ClickSave ClickSave&Continuetocompletemaintenance. ClickGotoPhase,selectDefineRole i. ClickAdditionalDetailProvisioning ii. InRoleStatus,selectInProductiveUse iii. ClickSave.

j. k. l. m. n.

o.

p.

q. r.

Page|119

 Unit3DesignandManageRoles Exercise3.6RoleMaintenanceBusinessRole Solution: 4. CreateBusinessRole

Page|120

Page|121

Page|122

Page|123

Page|124

Page|125

Page|126

Page|127

Page|128

 FirefighterIDOwnerFirefighterIDOwnersareresponsibleformaintainingfirefighterIDsandtheirassignmentsto firefighters FirefighterRoleOwnerFirefighterRoleOwnersareresponsibleformaintainingfirefighterrolesandtheirassignmentsto firefighters RiskOwnerRiskOwnersareassignedtorisksandarecommonlyresponsibleforapprovingchangestoriskdefinitions andviolationsoftherisk.RiskOwnersmayalsoreceiveconflictingandcriticalactionalerts. RoleOwnerRoleownersareresponsibleforapprovingeitherrolecontentoruserroleassignmentorboth MitigationMonitorsMitigationMonitorsareassignedtocontrolstomonitoractivityandmayreceivecontrolmonitor alerts. MitigationApproversMitigationApproversareassignedtocontrolsandareresponsibleforapprovingchangestothe controldefinitionandassignmentswhenworkflowisenabled. FirefighterIDControllerFirefighterIDControllersareresponsibleforreviewingthelogreportgeneratedduring firefighterIDusage. FirefighterRoleControllerFirefighterRoleControllersareresponsibleforreviewingthelogreportgeneratedduring firefighterroleusage. PointofContactPointofContactisanapproverforaspecificFunctionalArea.FunctionalAreaisanattributeusedto categorizeusersandroles. SecurityLeadSecurityLeadisagrouporindividualthatcanprovidesecondaryapprovalforaccessrequestsandreviews WorkflowAdministratorWorkflowadministratorisresponsibleforreassignmentofworkflowsduetoanincorrect approver,errorcondition,orescalation.

Page|129