grc300-6
TRANSCRIPT
Unit 13
Learning Assessment
1. Which of the following prerequisites must be completed before scheduling a background job for Periodic Access Review request?Choose the correct answers.
X A Run the role usage sync job
X B Sync all the roles to the AC repository
X C Sync all the users to the AC repository
X D Sync all the workflow settings to the AC repository
2. The visibility of buttons in the Approver's Work Inbox UI are determined by the BC set.Determine whether this statement is true or false.
X True
X False
3. Before you can assign reviewer coordinator mapping, you must set a request type and priority for User Access Review Requests in configuration and set Admin Review Required to YES.Determine whether this statement is true or false.
X True
X False
4. Where can you find the access requests that you are supposed to review?Choose the correct answers.
X A In the Access Management work center
X B In the Master Data work center
X C In the My Home work center
X D In the Reports and Analytics work center
© Copyright . All rights reserved. 491
SAP Class Week of April 30, 2012
DEMO : Purchase from www.A-PDF.com to remove the watermark
5. How do you remove a role during a review?Choose the correct answers.
X A Choose Propose Removal
X B Choose Actual Removal
X C Choose Mitigate the Risk
X D You cannot remove a role during a review
6. Which of the following statements are true about Role Reaffirm?Choose the correct answers.
X A Roles must be reaffirmed after a specific period of time
X B You must notify users as part of the review process
X C Maintain the Role Reaffirm period in Access Request Management
X D An automatic periodic requet is generated
Unit 13: Learning Assessment
492 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 13
Learning Assessment- Answers
1. Which of the following prerequisites must be completed before scheduling a background job for Periodic Access Review request?Choose the correct answers.
X A Run the role usage sync job
X B Sync all the roles to the AC repository
X C Sync all the users to the AC repository
X D Sync all the workflow settings to the AC repository
2. The visibility of buttons in the Approver's Work Inbox UI are determined by the BC set.Determine whether this statement is true or false.
X True
X False
3. Before you can assign reviewer coordinator mapping, you must set a request type and priority for User Access Review Requests in configuration and set Admin Review Required to YES.Determine whether this statement is true or false.
X True
X False
© Copyright . All rights reserved. 493
SAP Class Week of April 30, 2012
4. Where can you find the access requests that you are supposed to review?Choose the correct answers.
X A In the Access Management work center
X B In the Master Data work center
X C In the My Home work center
X D In the Reports and Analytics work center
5. How do you remove a role during a review?Choose the correct answers.
X A Choose Propose Removal
X B Choose Actual Removal
X C Choose Mitigate the Risk
X D You cannot remove a role during a review
6. Which of the following statements are true about Role Reaffirm?Choose the correct answers.
X A Roles must be reaffirmed after a specific period of time
X B You must notify users as part of the review process
X C Maintain the Role Reaffirm period in Access Request Management
X D An automatic periodic requet is generated
Unit 13: Learning Assessment- Answers
494 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
UNIT 14 Reporting
Lesson 1
Working with the Reporting Framework 496Exercise 1: Change an Existing Report 501Exercise 2: Add Custom Fields to Request Header 504Exercise 3: Add Custom Fields to Role Definition 509
UNIT OBJECTIVES
● Change an existing report without programming
● Add custom fields to a report
© Copyright . All rights reserved. 495
SAP Class Week of April 30, 2012
Unit 14Lesson 1
Working with the Reporting Framework
LESSON OVERVIEWThis lesson shows you how to change reports and add custom fields.
Business ExampleYou are tasked with creating new reports and adding custom fields to reports.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Change an existing report without programming
● Add custom fields to a report
Changing Existing ReportsCreate a new report.
1. Execute transaction SM34 and maintain view cluster VC_GRFNREPCUST
2. Create a report name, for example GRAC_SPM_CONS_REPORT
3. Define report details:a) Text and description
b) Report Type
c) WD Name
d) Function Group
e) Application Component
f) Cases
4. Maintain other report attributesa) Filter: define the list of selection screen filters
b) Columns: Output ALV columns are maintained under the Column section
5. Assign Report to Launchpad Rolea) Transaction code LPD_CUST
b) Select respective Launchpad Role and assign the report to it
496 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Adding Custom FieldsTerminology for ABAP Dictionary
● Domain
● Data Type
Prerequisites
● These activities should be carried out by an ABAP Developer
● Must have S_DEVELOP authorization
● Must have a developer key
A Domain describes the technical attributes of a field, such as a data type or the number of positions in a field. The domain defines primarily a value range describing the valid data values for the fields referring to this domain. Different technical fields of the same type can be combined in a domain. Fields referring to the same domain are changed a the same time when a domain is changed. This ensures consistency of these fields.
A Data Type is where the actual Data Element, Structure or Table type is created. Items related to Access Control v10.0 Custom Fields, only Data Element will be used. This will become the actual Field with in structures that are already delivered.
This activity should be carried out by a developer as you need to have S_DEVELOP object authorization and also have a developer key to make these configuration changes.
Create a Domain
1. Execute transaction SE11 for the ABAP Dictionary
2. Domain: Enter the ID of the type of data to be stored
3. Domains can be reused and standard domains are provided by SAP. Company policy should dictate how to proceed.
4. Choose the Definition tab.
5. Relevant fields for Access Control include:a) Short Description – used as explanatory text in documentation (F1 Help) and when lists are
generated
b) Data Type – The data class describes the data format at the user interface. When the fields are used in an ABAP program, that data class is converted into a format used by the ABAP processor
c) Number of Characters – the number of valid positions of a field
d) Decimal Places – the number of decimal places allowed for a value
6. Choose the Value Range tab.a) If there are always specific values or value ranges associated with this data type, the Value
Range tab can constrict what values can be entered.
Lesson: Working with the Reporting Framework
© Copyright . All rights reserved. 497
SAP Class Week of April 30, 2012
7. When all of the data has been entered for the domain, click Activate. The status at the end will change from NEW to Active.
Create a Data TypeOnce the domain is created, a data type must be created.
1. Execute transaction SE11.
2. There are three data types:a) Data Element
b) Structure
c) Table Type
d) This example will focus on Data Element, which describes the technical attributes and contents of a table or structure field. Fields with the same contents refer to the same data element.
3. Data Element relevant fields:a) Short Description
b) Domain
4. Enter a short description to describe this data element and enter the domain for the data element characteristics. Once the domain is entered, notice that the information entered from that domain is automatically entered.
5. Choose the Field Label tab.
6. Enter the length and the Field Label to be used on the screens where the field displays. The Short, Medium, and Long entries will be used in screen labels, and the Heading will be used when the field values are searched.
Assign Custom Fields to Access Requests and RolesOnce custom fields are created, assign the custom fields to access requests and roles.
1. Again, using transaction SE11, modify Database table.a) For Access Requests: GRACREQ
b) For Roles: GRACROLEOnce the custom field is created, the field needs to be added to the customer include structure. This is included already in the database tables. For access request header fields, the data base table that needs to be updated is GRACREQ. For Role custom fields, the data base table that needs to be updated is GRACROLE.
2. Go to the Change Table screen, where there will be a .INCLUDE field with the appropriate structure in the Data Element.
3. Double click the structure name. If the structure has not yet been fully created, click Yes to create the structure.
4. Select the appropriate structure to modify:
Unit 14: Reporting
498 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
a) Access Requests: CI_GRAC_REQ_ATTR
b) Roles: CI_ROLE_ATTR
5. Once the Changs Structure screen displays, enter the relevant data needed:a) In the Short Description describe the data that is contained in the structure.
b) In the Component field enter customer specific data ID.
c) In the Component Type field enter the specific Custom Field to be entered.
d) It is important to note, the fields are prefixed with Z or Y or ZZ or YY so as to ensure that there is no overlap with SAP delivered field names.
e) It is important to keep all names unique. All Customer fields are used in the global reporting structure. If the same field name is used twice it causes problems. Also, verify that the field name is no longer than 16 characters.
6. Enter the Enhancement Category information.a) Because the Customer Include structure is already an Enhancement Structure, it cannot
be further enhanced.
b) This must be entered by the menu path: Extras >>>>>>>> Enhancement Category.
c) In the window that displays, indicate that that the structure Cannot Be Enhanced, then click Copy.
d) When complete, save, check and activate the structure. Several dependent structures and database tables are reactivated as well.
7. Personalize Custom Fields.a) To make sure there are no conflicts or issues, execute program GRFN_CHECK_CDF. This
program will validate that the structures have been successfully generated.
b) Run in a Correction Mode.
c) Check all boxes in the To Be Corrected section.
d) Execute and view confirmation message.
e) Once this is complete, the fields are available in the access request header or the role maintenance screen, depending on which structure this was added to.
8. Configure Custom Fieldsa) Custom fields are not accessible in End User Provisioning configuration; they are
configured in a separate area.
b) Access the IMG using SPRO, then follow the menu path Governance, Risk and Compliance >>>>>>>> Shared Master Data Settings >>>>>>>> Maintain Field-Based Configuration.
c) This task will set a custom field to be Required Entry, Optional Entry, Display, or Hidden.
Additional Information about Custom Fields
● Custom Fields are not accessible in End User Personalization.
● Multiple Languages can be configured in SE63 – Standard Translation Environment
Lesson: Working with the Reporting Framework
© Copyright . All rights reserved. 499
SAP Class Week of April 30, 2012
● Custom fileds can be used in BRF+ (or other API rules) but only if the rules are created AFTER maintaining the custom field
Custom fields are not available in the End User Provisioning configuration. Multiple languages can be maintained in transaction SE63, Standard Translation Environment. Custom fields can be used in BRF+ (or other API rules) but only if the rules are maintained AFTER maintaining the custom field.
Unit 14: Reporting
500 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 14Exercise 1
Change an Existing Report
All syncs must have been completed in the GRC system to perform this exercise.
1. Create a new report. Enter /nsm34 in the Transaction code entry field, then click the green check mark icon.
2. Enter VC_GRFNREPCUST in the View Cluster field.
3. Click Maintain.
4. Click the green check mark when you see the cross-client caution message.
5. Select a report to use as a source for your new report: GRAC_SOD_ACTION_ROLES_RPT.
6. Right click and choose Copy As…
7. Enter a new report name, for example, GRAC_CUSTOMxx.
8. Click the green check mark; copy all dependencies.You should see your nrew report Z_GRAC_CUSTOMxx: Action in roles not in rules-Customxx listed.
9. Double click Filters to define selection screen filters.
10.Highlight Profile and click minus to remove the filter from the screen.
11. Double click Columns to define output ALV columns. Choose New Entries.
12. Enter new columns for report, then save.
13. Assign report to Launchpad role.
© Copyright . All rights reserved. 501
SAP Class Week of April 30, 2012
Unit 14Solution 1
Change an Existing Report
All syncs must have been completed in the GRC system to perform this exercise.
1. Create a new report. Enter /nsm34 in the Transaction code entry field, then click the green check mark icon.
2. Enter VC_GRFNREPCUST in the View Cluster field.
3. Click Maintain.
4. Click the green check mark when you see the cross-client caution message.
5. Select a report to use as a source for your new report: GRAC_SOD_ACTION_ROLES_RPT.
6. Right click and choose Copy As…
7. Enter a new report name, for example, GRAC_CUSTOMxx.a) Enter report details:
b) Text and Description: XX Report
c) Report Type: End-User
d) WD Name: GRAC_SOD_ACTION_ROLES_RPT
e) Function Group Name:
f) Application Component: GRC-AC
g) Cases: One per reporting timeframe
8. Click the green check mark; copy all dependencies.You should see your nrew report Z_GRAC_CUSTOMxx: Action in roles not in rules-Customxx listed.
9. Double click Filters to define selection screen filters.
10.Highlight Profile and click minus to remove the filter from the screen.
11. Double click Columns to define output ALV columns. Choose New Entries.
12. Enter new columns for report, then save.
13. Assign report to Launchpad role.a) Enter /nLPD_CUST in the Transaction code entry field, then click the green check mark
icon.
b) Double click the GRACREPS launchpad role.
502 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
c) Highlight the top folder, then right click.
d) Choose New Folder from the top menu bar.
e) Enter folder information.
f) Save. A new folder displays in the list. This adds a new sub group to the Reports and Analytics work center.
© Copyright . All rights reserved. 503
SAP Class Week of April 30, 2012
Unit 14Exercise 2
Add Custom Fields to Request Header
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SE11
3. Create Domains – Note: Save items as LOCAL OBJECT (where xx is your Participant ID)Domain ID Short Description Data Type Number of Chars
ZAC_CF_TX20_xx Char String 20 Chars for Group xx
CHAR 20
ZAC_CF_REG_xx Multiple Values String for Group xx
CHAR 5
Enter the following values for this domain
● EMEA – Europe
● APJ – Asia Pacific Japan
● ANZ – Australia New Zealand
● AMER – Americas
ZAC_CF_DATE_xx Single Date Value for Group xx
DATS Attributes will be populated automatically
4. Create Data Elements (where xx is your Participant ID)Data Type Short Description Domain Length-Field Label
ZAC_DE_EID_xx Employee ID – Custom Field for AC Training Group 99
ZAC_CF_TX20_xx● 10-Emp IDxx
● 10-Emp IDxx
● 20-Employee IDxx
● 20-Employee IDxx
504 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Data Type Short Description Domain Length-Field Label
ZAC_DE_DIV_xx Division – Custom Field for AC Training Group 99
ZAC_CF_TX20_xx● 5-DIVxx
● 10-Divisionxx
● 20- Divisionxx
● 20- Divisionxx
ZAC_DE_MKT_xx Market – Custom Field for AC Training Group 99
ZAC_CF_REG_xx● 5 – MKTxx
● 10-Marketxx
● 10- Marketxx
● 10- Marketxx
ZAC_DE_HIR_xx Hire Date – Custom Field for AC Training Group 99
ZAC_CF_DATE_xx● 8 – Hirexx
● 10 – Hire Dtexx
● 12 – Hire Dtexx
● 12 – Hire Dtexx
5. Modify / Create structure CI_GRAC_REQ_ATTR included in database table GRACREQ to add these fields (where xx is your Participant ID)
6. Check the Customer Defined fields for issues (where xx is your Participant ID)
7. Configure Custom Fields as shown (where xx is your Participant ID)
8. Verify that the fields just created appear on the Access Request screen.
9. Verify that the fields just created appear in BRF+ context.
© Copyright . All rights reserved. 505
SAP Class Week of April 30, 2012
Unit 14Solution 2
Add Custom Fields to Request Header
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID)
2. Execute Transaction SE11
3. Create Domains – Note: Save items as LOCAL OBJECT (where xx is your Participant ID)Domain ID Short Description Data Type Number of Chars
ZAC_CF_TX20_xx Char String 20 Chars for Group xx
CHAR 20
ZAC_CF_REG_xx Multiple Values String for Group xx
CHAR 5
Enter the following values for this domain
● EMEA – Europe
● APJ – Asia Pacific Japan
● ANZ – Australia New Zealand
● AMER – Americas
ZAC_CF_DATE_xx Single Date Value for Group xx
DATS Attributes will be populated automatically
4. Create Data Elements (where xx is your Participant ID)Data Type Short Description Domain Length-Field Label
ZAC_DE_EID_xx Employee ID – Custom Field for AC Training Group 99
ZAC_CF_TX20_xx● 10-Emp IDxx
● 10-Emp IDxx
● 20-Employee IDxx
● 20-Employee IDxx
506 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Data Type Short Description Domain Length-Field Label
ZAC_DE_DIV_xx Division – Custom Field for AC Training Group 99
ZAC_CF_TX20_xx● 5-DIVxx
● 10-Divisionxx
● 20- Divisionxx
● 20- Divisionxx
ZAC_DE_MKT_xx Market – Custom Field for AC Training Group 99
ZAC_CF_REG_xx● 5 – MKTxx
● 10-Marketxx
● 10- Marketxx
● 10- Marketxx
ZAC_DE_HIR_xx Hire Date – Custom Field for AC Training Group 99
ZAC_CF_DATE_xx● 8 – Hirexx
● 10 – Hire Dtexx
● 12 – Hire Dtexx
● 12 – Hire Dtexx
5. Modify / Create structure CI_GRAC_REQ_ATTR included in database table GRACREQ to add these fields (where xx is your Participant ID)a) In the short Description enter “Custom Fields INCLUDE for Request Header”
Component Component Type
ZZAC_DE_EID_xx ZAC_DE_EID_xx
ZZAC_DE_DIV_xx ZAC_DE_DIV_xx
ZZAC_DE_MKT_xx ZAC_DE_MKT_xx
ZZAC_DE_HIR_xx ZAC_DE_HIR_xx
6. Check the Customer Defined fields for issues (where xx is your Participant ID)
7. Configure Custom Fields as shown (where xx is your Participant ID)a) Create Transport, in short description enter “Custom Field Customizing Group xx”
Field ID Status
ZZAC_DE_EID_xx Required Entry
ZZAC_DE_DIV_xx Optional Entry
ZZAC_DE_MKT_xx Optional Entry
ZZAC_DE_HIR_xx Required Entry
8. Verify that the fields just created appear on the Access Request screen.
© Copyright . All rights reserved. 507
SAP Class Week of April 30, 2012
9. Verify that the fields just created appear in BRF+ context.
508 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 14Exercise 3
Add Custom Fields to Role Definition
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID).
2. Execute Transaction SE11
3. Create Data Elements (where xx is your Participant ID)Data Type Short Description Domain Length-Field Label
ZAC_DE_RMKT_xx Market of Role – Custom Field for AC Training Group xx
ZAC_CF_REG_xx● 10 – Mkt Rolexx
● 15 – Mkt of Rolexx
● 10 – Market of Role99
● 10– Market of Role99
ZAC_DE_RREQ_xx Role Request Date – Custom Field for AC Training Group xx
ZAC_CF_DATE_xx● 8 – ReqDtxx
● 10 – Req Datexx
● 12 – Req Datexx
● 12 – Req Datexx
4. Modify / Create structure CI_ROLE_ATTR included in database table GRACROLE to add these fields (where xx is your Participant ID)Component Component Type
ZZAC_DE_RMKT_xx ZAC_DE_RMKT_xx
ZZAC_DE_RREQ_xx ZAC_DE_RREQ_xx
5. Check the Customer Defined fields for issues
6. Verify that the fields just created appear on the Role Maintenance screen
7. Verify that the field just created appear in BRF+ context
© Copyright . All rights reserved. 509
SAP Class Week of April 30, 2012
Unit 14Solution 3
Add Custom Fields to Role Definition
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID).
2. Execute Transaction SE11
3. Create Data Elements (where xx is your Participant ID)Data Type Short Description Domain Length-Field Label
ZAC_DE_RMKT_xx Market of Role – Custom Field for AC Training Group xx
ZAC_CF_REG_xx● 10 – Mkt Rolexx
● 15 – Mkt of Rolexx
● 10 – Market of Role99
● 10– Market of Role99
ZAC_DE_RREQ_xx Role Request Date – Custom Field for AC Training Group xx
ZAC_CF_DATE_xx● 8 – ReqDtxx
● 10 – Req Datexx
● 12 – Req Datexx
● 12 – Req Datexx
4. Modify / Create structure CI_ROLE_ATTR included in database table GRACROLE to add these fields (where xx is your Participant ID)Component Component Type
ZZAC_DE_RMKT_xx ZAC_DE_RMKT_xx
ZZAC_DE_RREQ_xx ZAC_DE_RREQ_xx
5. Check the Customer Defined fields for issues
6. Verify that the fields just created appear on the Role Maintenance screen
7. Verify that the field just created appear in BRF+ context
510 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
LESSON SUMMARYYou should now be able to:
● Change an existing report without programming
● Add custom fields to a report
Lesson: Working with the Reporting Framework
© Copyright . All rights reserved. 511
SAP Class Week of April 30, 2012
Unit 14: Reporting
512 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 14
Learning Assessment
1. Which view cluster do you maintain to create a new report?Choose the correct answers.
X A VC_GRFN_REPCUST
X B VC_GRFNCUST
X C VC_GRFNREPCUST
X D VC_GRFN_REP_CUST
2. Put the following steps related to creating custom fields in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.
0 Create a data type
0 Create the custom fields
0 Assign custom fields to access requests and roles
0 Create a domain
© Copyright . All rights reserved. 513
SAP Class Week of April 30, 2012
Unit 14
Learning Assessment- Answers
1. Which view cluster do you maintain to create a new report?Choose the correct answers.
X A VC_GRFN_REPCUST
X B VC_GRFNCUST
X C VC_GRFNREPCUST
X D VC_GRFN_REP_CUST
2. Put the following steps related to creating custom fields in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.
2 Create a data type
3 Create the custom fields
4 Assign custom fields to access requests and roles
1 Create a domain
514 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
UNIT 15 Implementing Access Control
Lesson 1
Working with the Access Control Implementation Process 516
Lesson 2
Designing the Access Control Solution 518
Lesson 3
Planning Upgrade and Migration 521
Lesson 4
Configuring Access Control 526
Lesson 5
Implementing the Solution 528
Lesson 6
Optimizing and Enhancing the Solution 531
UNIT OBJECTIVES
● Describe the main implementation steps and project team members
● Design the Access Control Solution
● Identify key considerations for upgrade and migration
● Perform final tasks and prepare for go live
● Perform final tasks and prepare for go live
● Ensure system stability and optimize performance
© Copyright . All rights reserved. 515
SAP Class Week of April 30, 2012
Unit 15Lesson 1
Working with the Access Control Implementation Process
LESSON OVERVIEWThis lesson presents an overview of the Access Control Implementation Process.
Business ExampleYou are preparing for an implementation and must introduce the main steps to the project team in order to ensure a successful implementation.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Describe the main implementation steps and project team members
Introduction to Implementation
Planning for ImplementationThe most important thing to remember when implementing Access Control is PLANNING
● Planning is the key to keeping the project on track
● Deliver the approved view of the solution end state
● Identify the scope of functionality
● Determine the use of options of chosen functionality
● Determine the solution implementation process: new implementation versus upgrade and migration
● Identify the solution deployment process: Big Bang versus Phased Approach
● Plan resources
Project Implementation OverviewASAP 7 Methodology
● Project Preparation
● Blueprint
● Realization
● Final Preparation
516 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
● Go Live Support
● Run
Figure 150: Project Implementation Overview
Project Preparation
● Define and document project scope
● Define implementation plan and roll-out strategy
● Define project standards and infrastructure
● Determine knowledge transfer approach
● Determine master data design
Figure 151: Project Preparation
Project TeamsA typical project team may include the following members:
● Installation (Technical) Architects
● Solution (Functional) Architects
● Business Process Experts
● Security Experts
● Auditors & Regulators (Internal Controls/Compliance)
● Senior Management
LESSON SUMMARYYou should now be able to:
● Describe the main implementation steps and project team members
Lesson: Working with the Access Control Implementation Process
© Copyright . All rights reserved. 517
SAP Class Week of April 30, 2012
Unit 15Lesson 2
Designing the Access Control Solution
LESSON OVERVIEWThis lesson shows you how to prepare for implementation and blueprinting.
Business ExampleYou are assigned to an implementation project and must design the Access Control solution to meet the organization's business requirements.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Design the Access Control Solution
Blueprinting Overview
● Identify Business requirements
● Specify business process design
● Specify solution design, including a fit gap analysis
Figure 152: Blueprinting Phase
Analyze Security and Provisioning Requirements
Determine Security Requirements
● Configurators
● Administrators
● Approvers
● End Users
● Requestors
Determine Provisioning Requirements
● Process Flows for Provisioning Approvals
518 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
● Process Flows for Access Control Master Data Approvals
● Periodic Access Reviews
● Role Certifications
Analyze and Propose Workflow Solution
Approval Workflow Analysis
● Approval Requirements
● Current State
● To-Be State
● Gap Analysis
● SCRUM Methodology
Multiple Solution Implementation
● Recommended order of implementation
Build Proof of Concept Document
Proof of Concept Document
● Business Process Flows
● Workflow Design
● Requirements Documented
Define Prototype
● Subset of the business processes
● Use to build a small demo system
Update Project Plan
● Document possible gaps/risk identified
● Add further detail to the project based upon POC or prototype review
● Validate project changes, if any, are appropriate for project scope
● Secure approval for project plan changes
Evaluate Architecture Requirements
Architecture Requirements
● Hardware type and sizing
● System information and parameters
● System connectivity
Lesson: Designing the Access Control Solution
© Copyright . All rights reserved. 519
SAP Class Week of April 30, 2012
Installation and Sizing Guides
● Installation Guide: service.sap.com/instguides
● Sizing Guide: service.sap.com/sizing
LESSON SUMMARYYou should now be able to:
● Design the Access Control Solution
Unit 15: Implementing Access Control
520 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 15Lesson 3
Planning Upgrade and Migration
LESSON OVERVIEWThis lesson presents upgrade and migration topics as part of the Access Control Implementation process overview.
Business ExampleYou are assigned to an implementation project for an upgrade to Access Control 10.0 and must plan the upgrade and migration stratey with your project team.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Identify key considerations for upgrade and migration
Upgrade and Migration OverviewAnother aspect to consider when creating an Access Control Implementation plan is the possibility of upgrade or migration.
Figure 153: Planning Upgrade and Migration is Part of the Blueprint Phase
Upgrade and MigrationTerminology Description
Upgrade● The technical upgrade of the software
program
● Does not touch the data within the database tables
Migration Moves data from one platform to another
New Implementation No previous data will be preserved
Upgrade/Migration Previous data is preserved
© Copyright . All rights reserved. 521
SAP Class Week of April 30, 2012
Figure 154: Upgrade and Migration Overview
Access Control Migration OverviewThe Access Control Migration Guide can be referenced at service.sap.com/instguides.
Figure 155: Access Control Migration Overview
Configuration Prerequisites
Prerequisites for Upgrading from Version 4.0Certain prerequisites must be completed prior to migrating Access Control 4.0 to Access Control 10.0:
● Verify that SAP NetWeaver 7.02 SP6 or higher is running before migrating Access Control 4.0 data
● Install Access Control 10.0 plug-ins on all back end systems
● Create all relevant GRC 10.0 users on the target system
● Verify that the following default configuration parameter is maintained:
● Parameter Group: Superuser Management
● Parameter ID: 4000 - Application Type
Unit 15: Implementing Access Control
522 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
● Specify a dedicated data export/import directory accessible from both Access Control 4.0 and Access Control 10.0 systems
Prerequisites for Upgrading from Version 5.3Certain prerequisites must be completed prior to migrating Access Control 5.3 to Access Control 10.0:
● Verify that SAP NetWeaver 7.02 SP6 or higher is running before migrating Access Control 5.3 data.
● Upgrade the Access Control 5.x application to Access Control 5.3 SP 13.
● Install Access Control 10.0 plug-ins on all back end systems.
● Verify that all applicable BC sets are activated for GRC 10.0.
● For Access Request Management roles: the GRAC_ROLE_MGMT_STATUS and GRAC_ROLE_MGMT_METHODOLOGY BC sets must be activated.
● For Business Role Management roles, the GRAC_ROLE_MGMT_LANDSCAPE BC set must be activated.
● Verify that the following default configuration parameters are maintained:
● Parameter Group: Role Management
● Parameter ID - 3000 Default Business Process
● Parameter ID - 3001 Default Sub Process
● Parameter ID - 3002 Default Critical Level
● Parameter ID - 3003 Default Project Release
● Parameter ID - 3004 Default Role Status
● Parameter Group: Superuser Management, Parameter ID - 4000 Application Type
● Create all relevant GRC 10.0 users on the target system
● Before migrating EAM and BRM data, manually create all Access Control 5.3 custom fields in Access Control 10.0, using SAP custom field naming conventions (begin field names with X, Y, or Z)
● Specify a dedicated data export/import directory accessible from both Access Control 5.3 and Access Control 10.0
Lesson: Planning Upgrade and Migration
© Copyright . All rights reserved. 523
SAP Class Week of April 30, 2012
Define a Migration Plan
Figure 156: Define a Migration Plan
The Migration guide describes the detailed information for each step below:
1. Complete the prerequisites.
2. Export the ARA and SPM data (AC 4.0) or export the SPM data (AC 5.3), and then copy the exported data to the import location.
3. Export the configuration, master, and transactional data (AC 5.3 only), and then copy the exported data to the import location.
4. Import the common configuration data into GRC 10.0.
5. Complete the intra-migration tasks:
a. Maintain connectors and connector groups.
b. Perform repository synchronization for all defined connectors.
c. Maintain configuration settings.
d. Import roles for defined connectors (Compliant User Provisioning Roles only).
e. Create prerequisites (CUP Roles only).
6. Import the application data into GRC 10.0.
7. Complete the post-import tasks:
a. Activate GRC_MSMP_CONFIGURATION BC set.
b. Generate the rules.
c. Create function modules.
Unit 15: Implementing Access Control
524 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
d. Maintain workflow stage settings.
e. Complete methodology process assignments.
8. Validate the data.
Defining a Migration Plan for Multiple Solutions
● For customers who already have multiple GRC solutions in place, a joint migration/upgrade is possible
● There is no pre-defined upgrade sequence for a joint PC 3.0 and RM 3.0 upgrade, so either solution can be upgraded first
Note:If previous Access Control versions are involved in this migration/upgrade, Access Control must be the last component to be migrated.
Figure 157: Defining a Migration Plan for Multiple Solutions
LESSON SUMMARYYou should now be able to:
● Identify key considerations for upgrade and migration
Lesson: Planning Upgrade and Migration
© Copyright . All rights reserved. 525
SAP Class Week of April 30, 2012
Unit 15Lesson 4
Configuring Access Control
LESSON OVERVIEWThis lesson reviews how to configure common setting and AC-specific settings in the IMG as part of the Implementation process.
Business ExampleYou are assigned to an Access Control implementation project and must configure the application as part of the process.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Perform final tasks and prepare for go live
Configuration Overview
● Configuring Access Control 10.0 is completed in the IMG of the GRC Access Control system
● If Risk Terminator is used, configuration is also completed in each connected system where Risk Terminator is active
Figure 158: Configuring Access Control is part of the Realization Phase
Configure Common Settings
1. Configuration: Post Installation Tasks
● Activating the applications in clients
● Activating SAP ICF Services
● Maintaining System Data
● Activating Crystal Reports
● Maintaining Plug-in Settings
● Create Initial User in AC Main System
● Mass Creation of Profiles/Roles
526 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
● Activating Common Workflow
2. Configuration: Common Component Settings / Integration Framework
● Create connectors
● Maintain connectors and connection types
● Maintain connection settings
Activate BC Sets
3. Configuration: Activate Rule Set BC Sets for Access Risk Analysis
● This IMG activity will upload the SAP delivered rule set
● The BC set GRAC_RA_RULESET_COMMON contains the master data that is assigned to the rule set in general an dis not connector-specific
● Depending on the systems connected, subsequent BC sets should be activated
● These BC sets related to the system-specific information contained in the rule set are:
GRAC_RA_RULESET_JDEGRAC_RA_RULESET_ORACLEGRAC_RA_RULESET_PSOFTGRAC_RA_RULESET_SAP_APOGRAC_RA_RULESET_SAP_BASISGRAC_RA_RULESET_SAP_CRMGRAC_RA_RULESET_SAP_ECCSGRAC_RA_RULESET_SAP_HRGRAC_RA_RULESET_SAP_NHRGRAC_RA_RULESET_SAP_R3GRAC_RA_RULESET_SAP_SRM
Configure Access Control-Specific SettingsConfiguration settings configured in this section of the IMG apply to two or more of the Access Control functionalities.
4. Configuration: Access Control-Specific Settings
● Common Access Control Configuration
● Functionality-Specific Configuration (ARA, ARM, BRM, Workflow)
LESSON SUMMARYYou should now be able to:
● Perform final tasks and prepare for go live
Lesson: Configuring Access Control
© Copyright . All rights reserved. 527
SAP Class Week of April 30, 2012
Unit 15Lesson 5
Implementing the Solution
LESSON OVERVIEWThis lesson shows you how to prepare for realization and go live support.
Business ExampleYou are nearing the end of your Access Control implementation project and must prepare for go-live.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Perform final tasks and prepare for go live
Implementing the Solution Overview
● Test Data and Configuration
● Business Process Procedures
● Quality Assurance System Environment
● Production System Environment
● Develop and Test Interfaces, Conversions and Reports
● Evaluate and Enhance Security and Controls
● End User Training Material and Plan
● End User Training System Environment
● Data Conversion Plan
● User Acceptance Test
Figure 159: Realization Phase
Conduct Deployment and Business Process Definition Workshop
● Deliver Business Process Flows to End Users
528 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
● Validate Design Plan
● Gain acceptance of the Deployment Plan
Determine Rule Set Load Methodology
● Custom rule set load
● SAP delivered
Configure WorkflowIn this step, finalize workflow configuration.
● Customize SAP delivered workflows
● Set up Access Control scheduled jobs (Synchronizations, Reminders, Notifications)
● Complete any necessary business rules in BRFplus
● Test finalized workflows to validate execution per project plan
Promote Solution Design from Development to Testing to ProductionAt this point you enter the Final Preparation stage.
Figure 160: Final Preparation
Final PreparationDuring Final Preparation, you promote the solution to Production.
● Promote transports to Production in preparation for cut-over
● Final preparation:
● Data Converted
● Cut-Over Plan established
● End Users Trained
● End User IDs created
● Support Organization is in place
● Productive system is operational
Test the Implementation
● Testing the implementation includes the following actions:
● Execute test plans in Productive environment
Lesson: Implementing the Solution
© Copyright . All rights reserved. 529
SAP Class Week of April 30, 2012
● Correct any issues that arise
● Complete any remaining End User Training
Prepare for Go Live
● Live Production Environment
● Operational Help Desk
● Cut-over and Conversion activities completed
● Post Go Live End User Training
● Updated Business Case
● Lessons Learned
LESSON SUMMARYYou should now be able to:
● Perform final tasks and prepare for go live
Unit 15: Implementing Access Control
530 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 15Lesson 6
Optimizing and Enhancing the Solution
LESSON OVERVIEWThis lesson presents the last phase of the implementation process, during which you run the solution and adjust for optimal results.
Business ExampleYou have completed the earlier steps of the Access Control implementation process and now are tasked with optimizing the system stability and performance.
LESSON OBJECTIVESAfter completing this lesson, you will be able to:
● Ensure system stability and optimize performance
Run Phase Overview
Figure 161: Run Phase
Run Phase
● Assessment of Operation Standards for optimized solution operation
● Identify scope
● Set up project schedule for implementing
● For each relevant operation standard:
● Design of processes, organization and roles, blueprint for tool usage
● Setup of processes, organizations and roles, tool setup
● Transition into Production, including training and rollout
● Operating
Track PerformanceWhen tracking performance, you are implementing or optimizing the relevant SAP Standards for Solution Operations:
© Copyright . All rights reserved. 531
SAP Class Week of April 30, 2012
● Exception handling and business process and interface monitoring
● Data volume management
● Job scheduling management
● Transactional consistency and data integrity
● Value Management
Adjust Configuration Settings
● Change request management
● Change control management
● Changes are implemented and transferred to the Test or Production environment, using SAP Solution Manager, if available
● Test management
● Upgrade change
Manage Expectations for Additional Requirements and Enhancements
● During this step, publish policies to handle requests for additional requirements or possible enhancements
Ensure System Stability
● Defined and verified monitoring objects
● Defined KPIs with reaction methods and defined thresholds
● Clear task, roles, responsibilities and contact persons within each process
● Defined dependencies on and interfaces to other processes
● Concept for service-level reporting
● Physical implementation of the monitoring and reporting processes
● Testing of the monitoring process and report functionality
● Adjustment of the system monitoring concept to changes in the environment
● Constant quality improvement for the monitoring concept
LESSON SUMMARYYou should now be able to:
● Ensure system stability and optimize performance
Unit 15: Implementing Access Control
532 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
Unit 15
Learning Assessment
1. Which of the groups below may be included on a typical project team?Choose the correct answers.
X A Business Process Experts
X B End Users
X C Security Experts
X D Senior Management
2. The most important aspect of project preparation is planning.Determine whether this statement is true or false.
X True
X False
3. What are the main tasks performed during blueprinting?Choose the correct answers.
X A Identify business requirements
X B Specify business process design
X C Identify members of the project team
X D Specify solution design, including a fit gap analysis
© Copyright . All rights reserved. 533
SAP Class Week of April 30, 2012
4. If previous Access Control versions are involved in a migration/upgrade for multiple solutions, when must Access Control be migrated?Choose the correct answers.
X A First
X B Last
X C Before Process Control, but after Risk Management
X D After Process Control, but before Risk Management
5. Match the term on the left with the best description on the right.Match items from 1st column to the corresponding item in 2nd column.
Upgrade
Migration
New Implementation
Upgrade/Migration
No previous data will be preserved
Previous data is preserved
Moves data from one platform to another
Does not touch the data within the database tables
6. Arrange the following configuration steps in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.
0 Configure common component settings
0 Perform post-installation tasks
0 Configure Access Control-Specific Settings
0 Activate Rule Set BC Sets for Access Risk Analysis
Unit 15: Learning Assessment
534 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
7. At what point do you move from Realization to Final Preparation?Choose the correct answers.
X A When you conduct the Business Process Definition workshop
X B After you test the implementation
X C When you load the rule set
X D When you promote the solution design from development to testing
8. During the Run phase, you assess operation standards in order to optimize solution operation and system performance.Determine whether this statement is true or false.
X True
X False
Unit 15: Learning Assessment
© Copyright . All rights reserved. 535
SAP Class Week of April 30, 2012
Unit 15
Learning Assessment- Answers
1. Which of the groups below may be included on a typical project team?Choose the correct answers.
X A Business Process Experts
X B End Users
X C Security Experts
X D Senior Management
2. The most important aspect of project preparation is planning.Determine whether this statement is true or false.
X True
X False
3. What are the main tasks performed during blueprinting?Choose the correct answers.
X A Identify business requirements
X B Specify business process design
X C Identify members of the project team
X D Specify solution design, including a fit gap analysis
536 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012
4. If previous Access Control versions are involved in a migration/upgrade for multiple solutions, when must Access Control be migrated?Choose the correct answers.
X A First
X B Last
X C Before Process Control, but after Risk Management
X D After Process Control, but before Risk Management
5. Match the term on the left with the best description on the right.Match items from 1st column to the corresponding item in 2nd column.
Upgrade
Migration
New Implementation
Upgrade/Migration
Does not touch the data within the database tables
Moves data from one platform to another
No previous data will be preserved
Previous data is preserved
6. Arrange the following configuration steps in the correct sequence.Match items from 1st column to the corresponding item in 2nd column.
2 Configure common component settings
1 Perform post-installation tasks
4 Configure Access Control-Specific Settings
3 Activate Rule Set BC Sets for Access Risk Analysis
Unit 15: Learning Assessment- Answers
© Copyright . All rights reserved. 537
SAP Class Week of April 30, 2012
7. At what point do you move from Realization to Final Preparation?Choose the correct answers.
X A When you conduct the Business Process Definition workshop
X B After you test the implementation
X C When you load the rule set
X D When you promote the solution design from development to testing
8. During the Run phase, you assess operation standards in order to optimize solution operation and system performance.Determine whether this statement is true or false.
X True
X False
Unit 15: Learning Assessment- Answers
538 © Copyright . All rights reserved.
SAP Class Week of April 30, 2012