grc300-6

Unit 13

Learning Assessment

1. Which of the following prerequisites must be completed before scheduling a background job for Periodic Access Review request?Choose the correct answers.

X A Run the role usage sync job

X B Sync all the roles to the AC repository

X C Sync all the users to the AC repository

X D Sync all the workflow settings to the AC repository

2. The visibility of buttons in the Approver's Work Inbox UI are determined by the BC set.Determine whether this statement is true or false.

X True

X False

3. Before you can assign reviewer coordinator mapping, you must set a request type and priority for User Access Review Requests in configuration and set Admin Review Required to YES.Determine whether this statement is true or false.

X True

X False

4. Where can you find the access requests that you are supposed to review?Choose the correct answers.

X A In the Access Management work center

X B In the Master Data work center

X C In the My Home work center

X D In the Reports and Analytics work center

© Copyright . All rights reserved. 491

SAP Class Week of April 30, 2012

DEMO : Purchase from www.A-PDF.com to remove the watermark

http://www.a-pdf.com/?product-split-demo

5. How do you remove a role during a review?Choose the correct answers.

X A Choose Propose Removal

X B Choose Actual Removal

X C Choose Mitigate the Risk

X D You cannot remove a role during a review

6. Which of the following statements are true about Role Reaffirm?Choose the correct answers.

X A Roles must be reaffirmed after a specific period of time

X B You must notify users as part of the review process

X C Maintain the Role Reaffirm period in Access Request Management

X D An automatic periodic requet is generated

Unit 13: Learning Assessment

492 © Copyright . All rights reserved.


Unit 13

Learning Assessment- Answers

1. Which of the following prerequisites must be completed before scheduling a background job for Periodic Access Review request?Choose the correct answers.

X A Run the role usage sync job

X B Sync all the roles to the AC repository

X C Sync all the users to the AC repository

X D Sync all the workflow settings to the AC repository

2. The visibility of buttons in the Approver's Work Inbox UI are determined by the BC set.Determine whether this statement is true or false.

X True

X False

3. Before you can assign reviewer coordinator mapping, you must set a request type and priority for User Access Review Requests in configuration and set Admin Review Required to YES.Determine whether this statement is true or false.

X True

X False



4. Where can you find the access requests that you are supposed to review?Choose the correct answers.

X A In the Access Management work center

X B In the Master Data work center

X C In the My Home work center

X D In the Reports and Analytics work center

5. How do you remove a role during a review?Choose the correct answers.

X A Choose Propose Removal

X B Choose Actual Removal

X C Choose Mitigate the Risk

X D You cannot remove a role during a review

6. Which of the following statements are true about Role Reaffirm?Choose the correct answers.

X A Roles must be reaffirmed after a specific period of time

X B You must notify users as part of the review process

X C Maintain the Role Reaffirm period in Access Request Management

X D An automatic periodic requet is generated

Unit 13: Learning Assessment- Answers



UNIT 14 Reporting

Lesson 1

Working with the Reporting Framework 496Exercise 1: Change an Existing Report 501Exercise 2: Add Custom Fields to Request Header 504Exercise 3: Add Custom Fields to Role Definition 509

UNIT OBJECTIVES

● Change an existing report without programming

● Add custom fields to a report



Unit 14Lesson 1

Working with the Reporting Framework

LESSON OVERVIEWThis lesson shows you how to change reports and add custom fields.

Business ExampleYou are tasked with creating new reports and adding custom fields to reports.

LESSON OBJECTIVESAfter completing this lesson, you will be able to:



Changing Existing ReportsCreate a new report.

1. Execute transaction SM34 and maintain view cluster VC_GRFNREPCUST

2. Create a report name, for example GRAC_SPM_CONS_REPORT

3. Define report details:a) Text and description

b) Report Type

c) WD Name

d) Function Group

e) Application Component

f) Cases

4. Maintain other report attributesa) Filter: define the list of selection screen filters

b) Columns: Output ALV columns are maintained under the Column section

5. Assign Report to Launchpad Rolea) Transaction code LPD_CUST

b) Select respective Launchpad Role and assign the report to it



Adding Custom FieldsTerminology for ABAP Dictionary

● Domain

● Data Type

Prerequisites

● These activities should be carried out by an ABAP Developer

● Must have S_DEVELOP authorization

● Must have a developer key

A Domain describes the technical attributes of a field, such as a data type or the number of positions in a field. The domain defines primarily a value range describing the valid data values for the fields referring to this domain. Different technical fields of the same type can be combined in a domain. Fields referring to the same domain are changed a the same time when a domain is changed. This ensures consistency of these fields.

A Data Type is where the actual Data Element, Structure or Table type is created. Items related to Access Control v10.0 Custom Fields, only Data Element will be used. This will become the actual Field with in structures that are already delivered.

This activity should be carried out by a developer as you need to have S_DEVELOP object authorization and also have a developer key to make these configuration changes.

Create a Domain

1. Execute transaction SE11 for the ABAP Dictionary

2. Domain: Enter the ID of the type of data to be stored

3. Domains can be reused and standard domains are provided by SAP. Company policy should dictate how to proceed.

4. Choose the Definition tab.

5. Relevant fields for Access Control include:a) Short Description – used as explanatory text in documentation (F1 Help) and when lists are

generated

b) Data Type – The data class describes the data format at the user interface. When the fields are used in an ABAP program, that data class is converted into a format used by the ABAP processor

c) Number of Characters – the number of valid positions of a field

d) Decimal Places – the number of decimal places allowed for a value

6. Choose the Value Range tab.a) If there are always specific values or value ranges associated with this data type, the Value

Range tab can constrict what values can be entered.

Lesson: Working with the Reporting Framework



7. When all of the data has been entered for the domain, click Activate. The status at the end will change from NEW to Active.

Create a Data TypeOnce the domain is created, a data type must be created.

1. Execute transaction SE11.

2. There are three data types:a) Data Element

b) Structure

c) Table Type

d) This example will focus on Data Element, which describes the technical attributes and contents of a table or structure field. Fields with the same contents refer to the same data element.

3. Data Element relevant fields:a) Short Description

b) Domain

4. Enter a short description to describe this data element and enter the domain for the data element characteristics. Once the domain is entered, notice that the information entered from that domain is automatically entered.

5. Choose the Field Label tab.

6. Enter the length and the Field Label to be used on the screens where the field displays. The Short, Medium, and Long entries will be used in screen labels, and the Heading will be used when the field values are searched.

Assign Custom Fields to Access Requests and RolesOnce custom fields are created, assign the custom fields to access requests and roles.

1. Again, using transaction SE11, modify Database table.a) For Access Requests: GRACREQ

b) For Roles: GRACROLEOnce the custom field is created, the field needs to be added to the customer include structure. This is included already in the database tables. For access request header fields, the data base table that needs to be updated is GRACREQ. For Role custom fields, the data base table that needs to be updated is GRACROLE.

2. Go to the Change Table screen, where there will be a .INCLUDE field with the appropriate structure in the Data Element.

3. Double click the structure name. If the structure has not yet been fully created, click Yes to create the structure.

4. Select the appropriate structure to modify:

Unit 14: Reporting



a) Access Requests: CI_GRAC_REQ_ATTR

b) Roles: CI_ROLE_ATTR

5. Once the Changs Structure screen displays, enter the relevant data needed:a) In the Short Description describe the data that is contained in the structure.

b) In the Component field enter customer specific data ID.

c) In the Component Type field enter the specific Custom Field to be entered.

d) It is important to note, the fields are prefixed with Z or Y or ZZ or YY so as to ensure that there is no overlap with SAP delivered field names.

e) It is important to keep all names unique. All Customer fields are used in the global reporting structure. If the same field name is used twice it causes problems. Also, verify that the field name is no longer than 16 characters.

6. Enter the Enhancement Category information.a) Because the Customer Include structure is already an Enhancement Structure, it cannot

be further enhanced.

b) This must be entered by the menu path: Extras >>>>>>>> Enhancement Category.

c) In the window that displays, indicate that that the structure Cannot Be Enhanced, then click Copy.

d) When complete, save, check and activate the structure. Several dependent structures and database tables are reactivated as well.

7. Personalize Custom Fields.a) To make sure there are no conflicts or issues, execute program GRFN_CHECK_CDF. This

program will validate that the structures have been successfully generated.

b) Run in a Correction Mode.

c) Check all boxes in the To Be Corrected section.

d) Execute and view confirmation message.

e) Once this is complete, the fields are available in the access request header or the role maintenance screen, depending on which structure this was added to.

8. Configure Custom Fieldsa) Custom fields are not accessible in End User Provisioning configuration; they are

configured in a separate area.

b) Access the IMG using SPRO, then follow the menu path Governance, Risk and Compliance >>>>>>>> Shared Master Data Settings >>>>>>>> Maintain Field-Based Configuration.

c) This task will set a custom field to be Required Entry, Optional Entry, Display, or Hidden.

Additional Information about Custom Fields

● Custom Fields are not accessible in End User Personalization.

● Multiple Languages can be configured in SE63 – Standard Translation Environment




● Custom fileds can be used in BRF+ (or other API rules) but only if the rules are created AFTER maintaining the custom field

Custom fields are not available in the End User Provisioning configuration. Multiple languages can be maintained in transaction SE63, Standard Translation Environment. Custom fields can be used in BRF+ (or other API rules) but only if the rules are maintained AFTER maintaining the custom field.

Unit 14: Reporting



Unit 14Exercise 1

Change an Existing Report

All syncs must have been completed in the GRC system to perform this exercise.

1. Create a new report. Enter /nsm34 in the Transaction code entry field, then click the green check mark icon.

2. Enter VC_GRFNREPCUST in the View Cluster field.

3. Click Maintain.

4. Click the green check mark when you see the cross-client caution message.

5. Select a report to use as a source for your new report: GRAC_SOD_ACTION_ROLES_RPT.

6. Right click and choose Copy As…

7. Enter a new report name, for example, GRAC_CUSTOMxx.

8. Click the green check mark; copy all dependencies.You should see your nrew report Z_GRAC_CUSTOMxx: Action in roles not in rules-Customxx listed.

9. Double click Filters to define selection screen filters.

10.Highlight Profile and click minus to remove the filter from the screen.

11. Double click Columns to define output ALV columns. Choose New Entries.

12. Enter new columns for report, then save.

13. Assign report to Launchpad role.



Unit 14Solution 1

Change an Existing Report

All syncs must have been completed in the GRC system to perform this exercise.

1. Create a new report. Enter /nsm34 in the Transaction code entry field, then click the green check mark icon.

2. Enter VC_GRFNREPCUST in the View Cluster field.

3. Click Maintain.

4. Click the green check mark when you see the cross-client caution message.

5. Select a report to use as a source for your new report: GRAC_SOD_ACTION_ROLES_RPT.

6. Right click and choose Copy As…

7. Enter a new report name, for example, GRAC_CUSTOMxx.a) Enter report details:

b) Text and Description: XX Report

c) Report Type: End-User

d) WD Name: GRAC_SOD_ACTION_ROLES_RPT

e) Function Group Name:

f) Application Component: GRC-AC

g) Cases: One per reporting timeframe

8. Click the green check mark; copy all dependencies.You should see your nrew report Z_GRAC_CUSTOMxx: Action in roles not in rules-Customxx listed.

9. Double click Filters to define selection screen filters.

10.Highlight Profile and click minus to remove the filter from the screen.

11. Double click Columns to define output ALV columns. Choose New Entries.

12. Enter new columns for report, then save.

13. Assign report to Launchpad role.a) Enter /nLPD_CUST in the Transaction code entry field, then click the green check mark

icon.

b) Double click the GRACREPS launchpad role.



c) Highlight the top folder, then right click.

d) Choose New Folder from the top menu bar.

e) Enter folder information.

f) Save. A new folder displays in the list. This adds a new sub group to the Reports and Analytics work center.



Unit 14Exercise 2

Add Custom Fields to Request Header

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)

2. Execute Transaction SE11

3. Create Domains – Note: Save items as LOCAL OBJECT (where xx is your Participant ID)Domain ID Short Description Data Type Number of Chars

ZAC_CF_TX20_xx Char String 20 Chars for Group xx

CHAR 20

ZAC_CF_REG_xx Multiple Values String for Group xx

CHAR 5

Enter the following values for this domain

● EMEA – Europe

● APJ – Asia Pacific Japan

● ANZ – Australia New Zealand

● AMER – Americas

ZAC_CF_DATE_xx Single Date Value for Group xx

DATS Attributes will be populated automatically

4. Create Data Elements (where xx is your Participant ID)Data Type Short Description Domain Length-Field Label

ZAC_DE_EID_xx Employee ID – Custom Field for AC Training Group 99

ZAC_CF_TX20_xx● 10-Emp IDxx

● 10-Emp IDxx

● 20-Employee IDxx




Data Type Short Description Domain Length-Field Label

ZAC_DE_DIV_xx Division – Custom Field for AC Training Group 99

ZAC_CF_TX20_xx● 5-DIVxx

● 10-Divisionxx

● 20- Divisionxx

● 20- Divisionxx

ZAC_DE_MKT_xx Market – Custom Field for AC Training Group 99

ZAC_CF_REG_xx● 5 – MKTxx

● 10-Marketxx

● 10- Marketxx

● 10- Marketxx

ZAC_DE_HIR_xx Hire Date – Custom Field for AC Training Group 99

ZAC_CF_DATE_xx● 8 – Hirexx

● 10 – Hire Dtexx



5. Modify / Create structure CI_GRAC_REQ_ATTR included in database table GRACREQ to add these fields (where xx is your Participant ID)

6. Check the Customer Defined fields for issues (where xx is your Participant ID)

7. Configure Custom Fields as shown (where xx is your Participant ID)

8. Verify that the fields just created appear on the Access Request screen.

9. Verify that the fields just created appear in BRF+ context.



Unit 14Solution 2

Add Custom Fields to Request Header

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)


3. Create Domains – Note: Save items as LOCAL OBJECT (where xx is your Participant ID)Domain ID Short Description Data Type Number of Chars

ZAC_CF_TX20_xx Char String 20 Chars for Group xx

CHAR 20

ZAC_CF_REG_xx Multiple Values String for Group xx

CHAR 5

Enter the following values for this domain

● EMEA – Europe

● APJ – Asia Pacific Japan

● ANZ – Australia New Zealand

● AMER – Americas

ZAC_CF_DATE_xx Single Date Value for Group xx

DATS Attributes will be populated automatically


ZAC_DE_EID_xx Employee ID – Custom Field for AC Training Group 99

ZAC_CF_TX20_xx● 10-Emp IDxx

● 10-Emp IDxx





Data Type Short Description Domain Length-Field Label

ZAC_DE_DIV_xx Division – Custom Field for AC Training Group 99

ZAC_CF_TX20_xx● 5-DIVxx

● 10-Divisionxx

● 20- Divisionxx

● 20- Divisionxx

ZAC_DE_MKT_xx Market – Custom Field for AC Training Group 99

ZAC_CF_REG_xx● 5 – MKTxx

● 10-Marketxx

● 10- Marketxx

● 10- Marketxx

ZAC_DE_HIR_xx Hire Date – Custom Field for AC Training Group 99

ZAC_CF_DATE_xx● 8 – Hirexx




5. Modify / Create structure CI_GRAC_REQ_ATTR included in database table GRACREQ to add these fields (where xx is your Participant ID)a) In the short Description enter “Custom Fields INCLUDE for Request Header”

Component Component Type

ZZAC_DE_EID_xx ZAC_DE_EID_xx

ZZAC_DE_DIV_xx ZAC_DE_DIV_xx

ZZAC_DE_MKT_xx ZAC_DE_MKT_xx

ZZAC_DE_HIR_xx ZAC_DE_HIR_xx

6. Check the Customer Defined fields for issues (where xx is your Participant ID)

7. Configure Custom Fields as shown (where xx is your Participant ID)a) Create Transport, in short description enter “Custom Field Customizing Group xx”

Field ID Status

ZZAC_DE_EID_xx Required Entry

ZZAC_DE_DIV_xx Optional Entry

ZZAC_DE_MKT_xx Optional Entry

ZZAC_DE_HIR_xx Required Entry

8. Verify that the fields just created appear on the Access Request screen.



9. Verify that the fields just created appear in BRF+ context.



Unit 14Exercise 3

Add Custom Fields to Role Definition

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID).



ZAC_DE_RMKT_xx Market of Role – Custom Field for AC Training Group xx

ZAC_CF_REG_xx● 10 – Mkt Rolexx

● 15 – Mkt of Rolexx

● 10 – Market of Role99

● 10– Market of Role99

ZAC_DE_RREQ_xx Role Request Date – Custom Field for AC Training Group xx

ZAC_CF_DATE_xx● 8 – ReqDtxx

● 10 – Req Datexx



4. Modify / Create structure CI_ROLE_ATTR included in database table GRACROLE to add these fields (where xx is your Participant ID)Component Component Type

ZZAC_DE_RMKT_xx ZAC_DE_RMKT_xx

ZZAC_DE_RREQ_xx ZAC_DE_RREQ_xx

5. Check the Customer Defined fields for issues

6. Verify that the fields just created appear on the Role Maintenance screen

7. Verify that the field just created appear in BRF+ context



Unit 14Solution 3

Add Custom Fields to Role Definition

1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID).



ZAC_DE_RMKT_xx Market of Role – Custom Field for AC Training Group xx

ZAC_CF_REG_xx● 10 – Mkt Rolexx

● 15 – Mkt of Rolexx

● 10 – Market of Role99

● 10– Market of Role99

ZAC_DE_RREQ_xx Role Request Date – Custom Field for AC Training Group xx

ZAC_CF_DATE_xx● 8 – ReqDtxx




4. Modify / Create structure CI_ROLE_ATTR included in database table GRACROLE to add these fields (where xx is your Participant ID)Component Component Type

ZZAC_DE_RMKT_xx ZAC_DE_RMKT_xx

ZZAC_DE_RREQ_xx ZAC_DE_RREQ_xx

5. Check the Customer Defined fields for issues

6. Verify that the fields just created appear on the Role Maintenance screen

7. Verify that the field just created appear in BRF+ context



LESSON SUMMARYYou should now be able to:






Unit 14: Reporting



Unit 14

Learning Assessment

1. Which view cluster do you maintain to create a new report?Choose the correct answers.

X A VC_GRFN_REPCUST

X B VC_GRFNCUST

X C VC_GRFNREPCUST

X D VC_GRFN_REP_CUST

2. Put the following steps related to creating custom fields in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.

0 Create a data type

0 Create the custom fields

0 Assign custom fields to access requests and roles

0 Create a domain



Unit 14


1. Which view cluster do you maintain to create a new report?Choose the correct answers.

X A VC_GRFN_REPCUST

X B VC_GRFNCUST

X C VC_GRFNREPCUST

X D VC_GRFN_REP_CUST

2. Put the following steps related to creating custom fields in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.

2 Create a data type

3 Create the custom fields

4 Assign custom fields to access requests and roles

1 Create a domain



UNIT 15 Implementing Access Control

Lesson 1

Working with the Access Control Implementation Process 516

Lesson 2

Designing the Access Control Solution 518

Lesson 3

Planning Upgrade and Migration 521

Lesson 4

Configuring Access Control 526

Lesson 5

Implementing the Solution 528

Lesson 6

Optimizing and Enhancing the Solution 531

UNIT OBJECTIVES

● Describe the main implementation steps and project team members

● Design the Access Control Solution

● Identify key considerations for upgrade and migration

● Perform final tasks and prepare for go live


● Ensure system stability and optimize performance



Unit 15Lesson 1

Working with the Access Control Implementation Process

LESSON OVERVIEWThis lesson presents an overview of the Access Control Implementation Process.

Business ExampleYou are preparing for an implementation and must introduce the main steps to the project team in order to ensure a successful implementation.



Introduction to Implementation

Planning for ImplementationThe most important thing to remember when implementing Access Control is PLANNING

● Planning is the key to keeping the project on track

● Deliver the approved view of the solution end state

● Identify the scope of functionality

● Determine the use of options of chosen functionality

● Determine the solution implementation process: new implementation versus upgrade and migration

● Identify the solution deployment process: Big Bang versus Phased Approach

● Plan resources

Project Implementation OverviewASAP 7 Methodology

● Project Preparation

● Blueprint

● Realization

● Final Preparation



● Go Live Support

● Run

Figure 150: Project Implementation Overview

Project Preparation

● Define and document project scope

● Define implementation plan and roll-out strategy

● Define project standards and infrastructure

● Determine knowledge transfer approach

● Determine master data design

Figure 151: Project Preparation

Project TeamsA typical project team may include the following members:

● Installation (Technical) Architects

● Solution (Functional) Architects

● Business Process Experts

● Security Experts

● Auditors & Regulators (Internal Controls/Compliance)

● Senior Management



Lesson: Working with the Access Control Implementation Process



Unit 15Lesson 2

Designing the Access Control Solution

LESSON OVERVIEWThis lesson shows you how to prepare for implementation and blueprinting.

Business ExampleYou are assigned to an implementation project and must design the Access Control solution to meet the organization's business requirements.



Blueprinting Overview

● Identify Business requirements

● Specify business process design

● Specify solution design, including a fit gap analysis

Figure 152: Blueprinting Phase

Analyze Security and Provisioning Requirements

Determine Security Requirements

● Configurators

● Administrators

● Approvers

● End Users

● Requestors

Determine Provisioning Requirements

● Process Flows for Provisioning Approvals



● Process Flows for Access Control Master Data Approvals

● Periodic Access Reviews

● Role Certifications

Analyze and Propose Workflow Solution

Approval Workflow Analysis

● Approval Requirements

● Current State

● To-Be State

● Gap Analysis

● SCRUM Methodology

Multiple Solution Implementation

● Recommended order of implementation

Build Proof of Concept Document

Proof of Concept Document

● Business Process Flows

● Workflow Design

● Requirements Documented

Define Prototype

● Subset of the business processes

● Use to build a small demo system

Update Project Plan

● Document possible gaps/risk identified

● Add further detail to the project based upon POC or prototype review

● Validate project changes, if any, are appropriate for project scope

● Secure approval for project plan changes

Evaluate Architecture Requirements

Architecture Requirements

● Hardware type and sizing

● System information and parameters

● System connectivity

Lesson: Designing the Access Control Solution



Installation and Sizing Guides

● Installation Guide: service.sap.com/instguides

● Sizing Guide: service.sap.com/sizing



Unit 15: Implementing Access Control



Unit 15Lesson 3

Planning Upgrade and Migration

LESSON OVERVIEWThis lesson presents upgrade and migration topics as part of the Access Control Implementation process overview.

Business ExampleYou are assigned to an implementation project for an upgrade to Access Control 10.0 and must plan the upgrade and migration stratey with your project team.



Upgrade and Migration OverviewAnother aspect to consider when creating an Access Control Implementation plan is the possibility of upgrade or migration.

Figure 153: Planning Upgrade and Migration is Part of the Blueprint Phase

Upgrade and MigrationTerminology Description

Upgrade● The technical upgrade of the software

program

● Does not touch the data within the database tables

Migration Moves data from one platform to another

New Implementation No previous data will be preserved

Upgrade/Migration Previous data is preserved



Figure 154: Upgrade and Migration Overview

Access Control Migration OverviewThe Access Control Migration Guide can be referenced at service.sap.com/instguides.

Figure 155: Access Control Migration Overview

Configuration Prerequisites

Prerequisites for Upgrading from Version 4.0Certain prerequisites must be completed prior to migrating Access Control 4.0 to Access Control 10.0:

● Verify that SAP NetWeaver 7.02 SP6 or higher is running before migrating Access Control 4.0 data

● Install Access Control 10.0 plug-ins on all back end systems

● Create all relevant GRC 10.0 users on the target system

● Verify that the following default configuration parameter is maintained:

● Parameter Group: Superuser Management

● Parameter ID: 4000 - Application Type




● Specify a dedicated data export/import directory accessible from both Access Control 4.0 and Access Control 10.0 systems

Prerequisites for Upgrading from Version 5.3Certain prerequisites must be completed prior to migrating Access Control 5.3 to Access Control 10.0:

● Verify that SAP NetWeaver 7.02 SP6 or higher is running before migrating Access Control 5.3 data.

● Upgrade the Access Control 5.x application to Access Control 5.3 SP 13.

● Install Access Control 10.0 plug-ins on all back end systems.

● Verify that all applicable BC sets are activated for GRC 10.0.

● For Access Request Management roles: the GRAC_ROLE_MGMT_STATUS and GRAC_ROLE_MGMT_METHODOLOGY BC sets must be activated.

● For Business Role Management roles, the GRAC_ROLE_MGMT_LANDSCAPE BC set must be activated.

● Verify that the following default configuration parameters are maintained:

● Parameter Group: Role Management

● Parameter ID - 3000 Default Business Process

● Parameter ID - 3001 Default Sub Process

● Parameter ID - 3002 Default Critical Level

● Parameter ID - 3003 Default Project Release

● Parameter ID - 3004 Default Role Status

● Parameter Group: Superuser Management, Parameter ID - 4000 Application Type

● Create all relevant GRC 10.0 users on the target system

● Before migrating EAM and BRM data, manually create all Access Control 5.3 custom fields in Access Control 10.0, using SAP custom field naming conventions (begin field names with X, Y, or Z)

● Specify a dedicated data export/import directory accessible from both Access Control 5.3 and Access Control 10.0

Lesson: Planning Upgrade and Migration



Define a Migration Plan

Figure 156: Define a Migration Plan

The Migration guide describes the detailed information for each step below:

1. Complete the prerequisites.

2. Export the ARA and SPM data (AC 4.0) or export the SPM data (AC 5.3), and then copy the exported data to the import location.

3. Export the configuration, master, and transactional data (AC 5.3 only), and then copy the exported data to the import location.

4. Import the common configuration data into GRC 10.0.

5. Complete the intra-migration tasks:

a. Maintain connectors and connector groups.

b. Perform repository synchronization for all defined connectors.

c. Maintain configuration settings.

d. Import roles for defined connectors (Compliant User Provisioning Roles only).

e. Create prerequisites (CUP Roles only).

6. Import the application data into GRC 10.0.

7. Complete the post-import tasks:

a. Activate GRC_MSMP_CONFIGURATION BC set.

b. Generate the rules.

c. Create function modules.




d. Maintain workflow stage settings.

e. Complete methodology process assignments.

8. Validate the data.

Defining a Migration Plan for Multiple Solutions

● For customers who already have multiple GRC solutions in place, a joint migration/upgrade is possible

● There is no pre-defined upgrade sequence for a joint PC 3.0 and RM 3.0 upgrade, so either solution can be upgraded first

Note:If previous Access Control versions are involved in this migration/upgrade, Access Control must be the last component to be migrated.

Figure 157: Defining a Migration Plan for Multiple Solutions



Lesson: Planning Upgrade and Migration



Unit 15Lesson 4

Configuring Access Control

LESSON OVERVIEWThis lesson reviews how to configure common setting and AC-specific settings in the IMG as part of the Implementation process.

Business ExampleYou are assigned to an Access Control implementation project and must configure the application as part of the process.



Configuration Overview

● Configuring Access Control 10.0 is completed in the IMG of the GRC Access Control system

● If Risk Terminator is used, configuration is also completed in each connected system where Risk Terminator is active

Figure 158: Configuring Access Control is part of the Realization Phase

Configure Common Settings

1. Configuration: Post Installation Tasks

● Activating the applications in clients

● Activating SAP ICF Services

● Maintaining System Data

● Activating Crystal Reports

● Maintaining Plug-in Settings

● Create Initial User in AC Main System

● Mass Creation of Profiles/Roles



● Activating Common Workflow

2. Configuration: Common Component Settings / Integration Framework

● Create connectors

● Maintain connectors and connection types

● Maintain connection settings

Activate BC Sets

3. Configuration: Activate Rule Set BC Sets for Access Risk Analysis

● This IMG activity will upload the SAP delivered rule set

● The BC set GRAC_RA_RULESET_COMMON contains the master data that is assigned to the rule set in general an dis not connector-specific

● Depending on the systems connected, subsequent BC sets should be activated

● These BC sets related to the system-specific information contained in the rule set are:

GRAC_RA_RULESET_JDEGRAC_RA_RULESET_ORACLEGRAC_RA_RULESET_PSOFTGRAC_RA_RULESET_SAP_APOGRAC_RA_RULESET_SAP_BASISGRAC_RA_RULESET_SAP_CRMGRAC_RA_RULESET_SAP_ECCSGRAC_RA_RULESET_SAP_HRGRAC_RA_RULESET_SAP_NHRGRAC_RA_RULESET_SAP_R3GRAC_RA_RULESET_SAP_SRM

Configure Access Control-Specific SettingsConfiguration settings configured in this section of the IMG apply to two or more of the Access Control functionalities.

4. Configuration: Access Control-Specific Settings

● Common Access Control Configuration

● Functionality-Specific Configuration (ARA, ARM, BRM, Workflow)



Lesson: Configuring Access Control



Unit 15Lesson 5

Implementing the Solution

LESSON OVERVIEWThis lesson shows you how to prepare for realization and go live support.

Business ExampleYou are nearing the end of your Access Control implementation project and must prepare for go-live.



Implementing the Solution Overview

● Test Data and Configuration

● Business Process Procedures

● Quality Assurance System Environment

● Production System Environment

● Develop and Test Interfaces, Conversions and Reports

● Evaluate and Enhance Security and Controls

● End User Training Material and Plan

● End User Training System Environment

● Data Conversion Plan

● User Acceptance Test

Figure 159: Realization Phase

Conduct Deployment and Business Process Definition Workshop

● Deliver Business Process Flows to End Users



● Validate Design Plan

● Gain acceptance of the Deployment Plan

Determine Rule Set Load Methodology

● Custom rule set load

● SAP delivered

Configure WorkflowIn this step, finalize workflow configuration.

● Customize SAP delivered workflows

● Set up Access Control scheduled jobs (Synchronizations, Reminders, Notifications)

● Complete any necessary business rules in BRFplus

● Test finalized workflows to validate execution per project plan

Promote Solution Design from Development to Testing to ProductionAt this point you enter the Final Preparation stage.

Figure 160: Final Preparation

Final PreparationDuring Final Preparation, you promote the solution to Production.

● Promote transports to Production in preparation for cut-over

● Final preparation:

● Data Converted

● Cut-Over Plan established

● End Users Trained

● End User IDs created

● Support Organization is in place

● Productive system is operational

Test the Implementation

● Testing the implementation includes the following actions:

● Execute test plans in Productive environment

Lesson: Implementing the Solution



● Correct any issues that arise

● Complete any remaining End User Training

Prepare for Go Live

● Live Production Environment

● Operational Help Desk

● Cut-over and Conversion activities completed

● Post Go Live End User Training

● Updated Business Case

● Lessons Learned






Unit 15Lesson 6

Optimizing and Enhancing the Solution

LESSON OVERVIEWThis lesson presents the last phase of the implementation process, during which you run the solution and adjust for optimal results.

Business ExampleYou have completed the earlier steps of the Access Control implementation process and now are tasked with optimizing the system stability and performance.



Run Phase Overview

Figure 161: Run Phase

Run Phase

● Assessment of Operation Standards for optimized solution operation

● Identify scope

● Set up project schedule for implementing

● For each relevant operation standard:

● Design of processes, organization and roles, blueprint for tool usage

● Setup of processes, organizations and roles, tool setup

● Transition into Production, including training and rollout

● Operating

Track PerformanceWhen tracking performance, you are implementing or optimizing the relevant SAP Standards for Solution Operations:



● Exception handling and business process and interface monitoring

● Data volume management

● Job scheduling management

● Transactional consistency and data integrity

● Value Management

Adjust Configuration Settings

● Change request management

● Change control management

● Changes are implemented and transferred to the Test or Production environment, using SAP Solution Manager, if available

● Test management

● Upgrade change

Manage Expectations for Additional Requirements and Enhancements

● During this step, publish policies to handle requests for additional requirements or possible enhancements

Ensure System Stability

● Defined and verified monitoring objects

● Defined KPIs with reaction methods and defined thresholds

● Clear task, roles, responsibilities and contact persons within each process

● Defined dependencies on and interfaces to other processes

● Concept for service-level reporting

● Physical implementation of the monitoring and reporting processes

● Testing of the monitoring process and report functionality

● Adjustment of the system monitoring concept to changes in the environment

● Constant quality improvement for the monitoring concept






Unit 15

Learning Assessment

1. Which of the groups below may be included on a typical project team?Choose the correct answers.

X A Business Process Experts

X B End Users

X C Security Experts

X D Senior Management

2. The most important aspect of project preparation is planning.Determine whether this statement is true or false.

X True

X False

3. What are the main tasks performed during blueprinting?Choose the correct answers.

X A Identify business requirements

X B Specify business process design

X C Identify members of the project team

X D Specify solution design, including a fit gap analysis



4. If previous Access Control versions are involved in a migration/upgrade for multiple solutions, when must Access Control be migrated?Choose the correct answers.

X A First

X B Last

X C Before Process Control, but after Risk Management

X D After Process Control, but before Risk Management

5. Match the term on the left with the best description on the right.Match items from 1st column to the corresponding item in 2nd column.

Upgrade

Migration

New Implementation

Upgrade/Migration

No previous data will be preserved

Previous data is preserved

Moves data from one platform to another

Does not touch the data within the database tables

6. Arrange the following configuration steps in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.

0 Configure common component settings

0 Perform post-installation tasks

0 Configure Access Control-Specific Settings

0 Activate Rule Set BC Sets for Access Risk Analysis




7. At what point do you move from Realization to Final Preparation?Choose the correct answers.

X A When you conduct the Business Process Definition workshop

X B After you test the implementation

X C When you load the rule set

X D When you promote the solution design from development to testing

8. During the Run phase, you assess operation standards in order to optimize solution operation and system performance.Determine whether this statement is true or false.

X True

X False




Unit 15


1. Which of the groups below may be included on a typical project team?Choose the correct answers.

X A Business Process Experts

X B End Users

X C Security Experts

X D Senior Management

2. The most important aspect of project preparation is planning.Determine whether this statement is true or false.

X True

X False

3. What are the main tasks performed during blueprinting?Choose the correct answers.

X A Identify business requirements

X B Specify business process design

X C Identify members of the project team

X D Specify solution design, including a fit gap analysis



4. If previous Access Control versions are involved in a migration/upgrade for multiple solutions, when must Access Control be migrated?Choose the correct answers.

X A First

X B Last

X C Before Process Control, but after Risk Management

X D After Process Control, but before Risk Management

5. Match the term on the left with the best description on the right.Match items from 1st column to the corresponding item in 2nd column.

Upgrade

Migration

New Implementation

Upgrade/Migration

Does not touch the data within the database tables

Moves data from one platform to another

No previous data will be preserved

Previous data is preserved

6. Arrange the following configuration steps in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.

2 Configure common component settings

1 Perform post-installation tasks

4 Configure Access Control-Specific Settings

3 Activate Rule Set BC Sets for Access Risk Analysis




7. At what point do you move from Realization to Final Preparation?Choose the correct answers.

X A When you conduct the Business Process Definition workshop

X B After you test the implementation

X C When you load the rule set

X D When you promote the solution design from development to testing

8. During the Run phase, you assess operation standards in order to optimize solution operation and system performance.Determine whether this statement is true or false.

X True

X False




grc300-6

Documents

correct answers

periodic access review

access requests

user access review requests

admin review

home work centerx d

review processx c

ac repositoryx d sync