AC 10.0 Post-Installation
Customer Solution Adoption
April 6th 2011
Version 1.0
Purpose of this document
This guide covers the basic steps required after the installation of Access
Control 10.0 specifically. For other GRC solutions (PC or RM) please see
the corresponding guides.
© 2011 SAP AG. All rights reserved. 3
Disclaimer
This presentation outlines our general product direction and should not be relied on in
making a purchase decision. This presentation is not subject to your license agreement
or any other agreement with SAP. SAP has no obligation to pursue any course of
business outlined in this presentation or to develop or release any functionality
mentioned in this presentation. This presentation and SAP's strategy and possible future
developments are subject to change and may be changed by SAP at any time for any
reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of
merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no
responsibility for errors or omissions in this document, except if such damages were
caused by SAP intentionally or grossly negligent.
Contents
• User Role
• BC Sets
• AC Parameters
• Connector and Connector Settings
• Plug-in Customizing
• Further information
AC Roles
The user needs the role SAP_GRAC_NWBC assigned to be able to access AC from
standalone NWBC, as well as the AC roles starting with SAP_GRAC_..., e.g.
SAP_GRAC_ACCESS_REQUESTER to perform access requests.
See also the GRC 10.0 security guide.
BC Sets For Access Control (1)
The following BC Sets need to be activated for Access Control to work by
default.
Note: use the “expert mode” during the activation of these BC sets!
GRAC_RA_RULESET_COMMON
and respective back-end rule-set(s) e.g. GRAC_RA_RULESET_SAP_R3 for R/3
GRAC_ACCESS_REQUEST_REQ_TYPE
GRAC_ACCESS_REQUEST_EUP
GRAC_ACCESS_REQUEST_APPL_MAPPING
GRAC_ACCESS_REQUEST_PRIORITY
GRAC_ROLE_MGMT_SENTIVITY
GRAC_ROLE_MGMT_METHODOLOGY
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_PRE_REQ_TYPE
GRAC_SPM_CRITICALITY_LEVEL
GRC_MSMP_CONFIGURATION
See also next slide
BC Sets For Access Control (2)
BC Sets Not in IMG Setting
There are some BC Sets which are not in the IMG Setting. Please refer to the listing
from the installation guide
These BC sets can be activated via transaction code SCPR20
Navigate to the AC settings in IMG
Call transaction “SPRO“ in your GRC
10.0 system and navigate to the AC
parameters:
Move to the Connector Section in IMG
Now go to the IMG settings for GRC in
general (not AC specific) and click
“Create Connectors“:
Create a Connector
• E.g. create an ABAP Connector to an ERP system where the AC 10.0 plug-in is
installed as shown below
• The (service or comms) user entered in Logon & Security needs the
authorization S_RFC
Perform a Connection Test
Note: If you are using a service or communications user the remote logon test
will fail – however this (dialog) logon is not needed for AC functions!
Move to the Connector Section in IMG
Next, go to the IMG settings for GRC
in general (not AC specific) and select
“Maintain Connectors and
Connection Types“:
Set Connector Background Job Parameters
• Maintain the Logical Port information with the same entry as the Target
Connector (as defined in SM59)
• Source Connector is not needed for AC
• Change the setting “Max No. of BG...“ parameters to “3“ (i.e. this connector
will use a maximum of 3 background jobs for synch jobs)
Set Connector Application Type
Navigate back to the AC IMG section and choose “Maintain Connector
Settings“ and set the “Appl Type“ (Application Type) for your connector(s) –
type 1 is an SAP ERP, 2 a NetWeaver Portal etc., see F4 help for details. Then
set the “Active“ checkbox for your connector(s)
Plug-in Customizing (1)
After you have installed the AC 10.0 plug-in(s) in your backend ERP systems
you need to perform some customizing steps there. Connect to your backend
ERP (where the AC plug-in is installed) and call transaction “SPRO“ –
navigate to “Governance, Risk and Compliance“. Execute the node “Maintain
Plug-in Configuration Settings“:
Note: This plug-in customizing is only required for Risk Terminator or HR Trigger
functionality!
Plug-in Customizing (2)
Maintain the entries similar to those below,
especially:
• Plug-in Connector (pointing to the ERP itself)
• GRC connector (pointing to the AC server &
client, logical name)
• Ruleset (what Ruleset to use in AC)
The Risk Terminator settings are optional – set
those as defined for the AC project scope
Implement SAP Note 1545511 if you're using
Emergency Access (User Exit to prevent local
logon with FF IDs)
Note: This plug-in customizing is only required for Risk Terminator or HR Trigger
functionality!
Plug-in Customizing (4)
Now go back to IMG and execute the node “Maintain Plug-in Exit Settings“:
Plug-in Customizing (5)
Enter the user exits as shown in the table below – see also next slide
SAP_AFTER_PROF_GEN /GRCPI/GRIA_AFTER_PROF_GEN
SAP_BEFORE_PROF_GEN /GRCPI/GRIA_BEFORE_PROF_GEN
SAP_EXIT_USERS_SAVE /GRCPI/GRIA_EXIT_USERS_SAVE
SAP_SINGLE_USERPROF /GRCPI/GRIA_SINGLE_USERPROFS
Plug-in Customizing (6)
See also previous slide
Further Information
• See also the functional (pre-implementation) guides
• In case you get an error with a “CCITS“ message during synch jobs go back
and check the connections in SM59 so that those do not contain any (white-)
space characters
• Also make sure you entered the Logical Port information as shown on page
13
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.