SAP LA GRC300 EN 18 EX
GRC300
SAP Access Control
Implementation and Configuration
EXERCISES AND SOLUTIONS
Course Version: 18
Course Duration: 9 Hours 25 Minutes
Material Number: 50160621
SAP Copyrights, Trademarks and Disclaimers
© 2022 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see https://www.sap.com/
corporate/en/legal/copyright.html for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
These materials may have been machine translated and may contain grammatical errors or inaccuracies.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without
notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions
American English is the standard used in this handbook.
The following typographic conventions (icon legends and text styles) are also used:
● This information is displayed in the instructor’s presentation
● Demonstration
● Procedure
● Warning or Caution
● Hint
● Related or Additional Information
● Facilitated Discussion
● User interface control: Example text
● Window title: Example text
© Copyright. All rights reserved.
iii
Contents
Unit 1: Introduction to Access Governance Using SAP Access Control
  No exercises
Unit 2: Identification and Management of Access Risk
  No exercises
Unit 3: User Experience, Security Concepts and System Architecture
  Exercise 1: Connect to the System and Navigate the User Interface (page 1)
Unit 4: Configuration Overview
  No exercises
Unit 5: Risk Analysis
  Exercise 2: Maintain Master Data and Access Control Owners (page 4)
  Exercise 3: Build a Rule Set and Prepare for Testing (page 10)
  Exercise 4: Perform Risk Analysis, Remediation, and Mitigation (page 20)
  Exercise 5: Review Parameter Settings for Analyze and Manage Risk (Optional) (page 32)
Unit 6: SAP Business Rule Framework (BRFplus)
  Exercise 6: Create a BRFplus Initiator Rule (page 44)
  Exercise 7: Create BRFplus Agent and Routing Rules (page 56)
Unit 7: Multi-Stage, Multi-Path (MSMP) Workflow
  Exercise 8: Evaluate MSMP Workflow Configuration (page 70)
Unit 8: User Provisioning
  Exercise 9: Maintain End User Personalization (page 79)
  Exercise 10: Prepare Roles and Owner Data for MSMP Workflow Testing and Validation for SAP Systems (page 82)
  Exercise 11: Create an Access Request (page 89)
  Exercise 12: Create an Access Request with Risk Violations (page 98)
  Exercise 13: Review Parameter Settings for Provisioning and Managing Users (page 109)
Unit 9: Role Design and Management
  Exercise 14: Maintain Owners for Role Management (page 121)
  Exercise 15: Maintain Default Owners with Condition Group (page 123)
  Exercise 16: Review Configuration Settings for Condition Groups (page 125)
  Exercise 17: Define Methodology Process and Steps (page 128)
  Exercise 18: Associate Role Methodology Process to Condition Group (page 130)
  Exercise 19: Create a Single Role (page 132)
  Exercise 20: Create a Composite Role (page 143)
  Exercise 21: Create a Business Role (page 153)
  Exercise 22: Review Parameter Settings for Design and Manage Roles (page 161)
Unit 10: Emergency Access Management
  Exercise 23: Maintain EAM Owners and Controllers in Central Owner Maintenance (page 170)
  Exercise 24: Assign Owners to Firefighter IDs (page 173)
  Exercise 25: Assign Controllers to Firefighter IDs (page 176)
  Exercise 26: Assign Firefighter Users to Firefighter IDs (page 179)
  Exercise 27: Maintain Reason Codes (page 183)
  Exercise 28: Execute a Firefight Session (page 186)
  Exercise 29: Review a Log Report (page 191)
  Exercise 30: Review Parameter Settings for Emergency Access Management (page 193)
Unit 11: Periodic Access Review Process
  Exercise 31: Review Parameter Settings for Periodic Access Review (page 200)
Unit 12: Appendix (Optional) Maintaining Custom Fields
  Exercise 32: Add Custom Fields to Request Header (page 203)
  Exercise 33: Add Custom Fields to Role Definition (page 213)
Unit 3
Exercise 1: Connect to the System and Navigate the User Interface
Business Example
You are a system administrator starting a new implementation of the SAP GRC software. You
have been asked to connect to the system and navigate to the user interface.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
1. Access SAP Access Control using the SAP Logon Pad. Log on with User ID GRC300-##
and password Welcome1.
2. Identify the customizing activities for SAP GRC.
3. Access SAP Fiori Launchpad from the SAP ABAP system. Log on with User ID GRC300-##
and password Welcome1.
Note:
It is important to note that, due to our technical environment, how we will
access the SAP Fiori Launchpad in this training system will not reflect the
SAP recommended scenario.
4. Explore the AC Home and ARA Configuration tile groups.
5. Explore the Organization hierarchy of the SAP GRC System.
Unit 3
Solution 1: Connect to the System and Navigate the User Interface
Business Example
You are a system administrator starting a new implementation of the SAP GRC software. You
have been asked to connect to the system and navigate to the user interface.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
1. Access SAP Access Control using the SAP Logon Pad. Log on with User ID GRC300-##
and password Welcome1.
a) In the classroom environment, choose Start → SAP Logon.
b) In the SAP Logon box, select the TGT system and choose Log On.
c) On the log on screen, enter the data from the table.
Field            Value
Client           001
User             GRC300-##
Password         Welcome1
Logon Language   Course Language
2. Identify the customizing activities for SAP GRC.
a) On the SAP Easy Access screen, in the command box, enter /nSPRO and choose Enter.
b) On the Customizing: Execute Project screen, choose SAP Reference IMG.
c) On the Display IMG screen, expand the Governance, Risk and Compliance node using
the icon on the left.
d) Take note of the nodes under Governance, Risk and Compliance.
Result: This is where customizing activities and configuration settings are performed
for the SAP GRC solution. Note that there are nodes for shared configuration settings,
as well as for solution-specific configuration, such as Access Control.
e) In the command box, enter /n and choose Enter.
Result: The SAP Easy Access screen appears. Remain on this screen for the next step.
3. Access SAP Fiori Launchpad from the SAP ABAP system. Log on with User ID GRC300-##
and password Welcome1.
Note:
It is important to note that, due to our technical environment, how we will
access the SAP Fiori Launchpad in this training system will not reflect the
SAP recommended scenario.
a) On the SAP Easy Access screen, under the folder User Menu for Training GRC300-##,
double-click SAP Fiori Launchpad.
Result: The log on page for SAP Fiori will appear.
b) On the SAP Fiori Logon page, enter the data from the table.
Table 1:
Field      Value
User       GRC300-##
Password   Welcome1
Language   Course Language
c) Choose Log On.
Result: The SAP Fiori Launchpad homepage appears.
d) Take note of the Fiori Tile Groups that are shown.
e) Remain on this page for the next step.
4. Explore the AC Home and ARA Configuration tile groups.
a) On the SAP Fiori Launchpad homepage, in the AC Home tile group, choose Work Inbox.
Result: Your work inbox appears. This is where you can access the requests that have
been assigned to you and process the task needed.
b) Choose Back to return to the SAP Fiori Launchpad.
c) Choose the ARA Configuration tile group.
d) Take note of the tiles shown. Choose a few tiles and look at the screens displayed.
When done reviewing a screen, choose Back to return to the SAP Fiori Launchpad
homepage.
5. Explore the Organization hierarchy of the SAP GRC System.
a) On the SAP Fiori Launchpad homepage, in the ARA Configuration tile group, choose
Organizations.
b) On the Organization Hierarchy screen, locate the node ##_CRG GLB INTL.
c) Expand the ##_CRG GLB INTL node by choosing the arrow to the left. Continue to
expand as needed to view all of the organizations reporting to ##_CRG GLB INTL.
d) Choose Back to return to the SAP Fiori Launchpad homepage.
Unit 5
Exercise 2: Maintain Master Data and Access Control Owners
Business Example
You are preparing to set up your access control rule sets and mitigating controls. To support
this, create an organization and assign Access Control Owners to that organization.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
1. In the ##-CRG GLB INTL Organizational Hierarchy, define an organizational structure
named ##-GROUP HQ.
2. Create a suborganization for ##-GROUP HQ called ##-FINANCE.
3. Create the following two business process and subprocess IDs in the SAP Reference IMG
for SAP Access Control.
Note:
##S1 should be the Subprocess to ##B1. ##S2 should be the Subprocess for ##B2.
Process Type         Process Name   Process Description
Business Process     ##B1           Group ## Business Process 1
Business Process     ##B2           Group ## Business Process 2
Business Subprocess  ##S1           Group ## Subprocess 1
Business Subprocess  ##S2           Group ## Subprocess 2
4. Create the Business Subprocess.
5. Assign the Access Control Owner Type to the corresponding Access Control Owner ID,
and assign all Access Control Owner types to your GRC300-## ID.
Access Control Owner Name   Access Control Owner Type
ACRISKOWN##                 Risk Owner
ACMITAPP##                  Mitigation Approver
ACMITMON##                  Mitigation Monitor
Note:
Your log on user ID GRC300-## is assigned to all selections in the training
system. You are not allowed to assign yourself as a Central Owner.
6. Assign your Access Control Owners to your organization ##-FINANCE that you previously
created.
Unit 5
Solution 2: Maintain Master Data and Access Control Owners
Business Example
You are preparing to set up your access control rule sets and mitigating controls. To support
this, create an organization and assign Access Control Owners to that organization.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
1. In the ##-CRG GLB INTL Organizational Hierarchy, define an organizational structure
named ##-GROUP HQ.
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Organizations.
b) On the Organization Hierarchy screen, choose Advanced at the end of the Date line.
c) In the Advanced Options dialog box, choose Default Selection Method as Date and
Default Date as Fixed Date. In the Date field, enter January 1, CY.
d) Choose OK.
e) On the Organizations screen, choose ##-CRG GLB INTL Org.
f) On the Organizations screen, choose Add.
g) On the Add Organization dialog box, select Create New Organization.
h) Choose OK.
i) On the Organization screen, in the Name field, enter ##-GROUP HQ.
j) Choose Save.
2. Create a suborganization for ##-GROUP HQ called ##-FINANCE.
a) On the Organization Hierarchy screen, choose ##-GROUP HQ.
b) Choose Add.
c) On the Add Organization dialog box, select Create New Organization.
d) Choose OK.
e) On the Organization screen, in the Name field, enter ##-FINANCE.
f) Choose Save.
g) Choose the Home icon to return to the SAP Fiori Launchpad home page.
3. Create the following two business process and subprocess IDs in the SAP Reference IMG
for SAP Access Control.
Note:
##S1 should be the Subprocess to ##B1. ##S2 should be the Subprocess for ##B2.
Process Type         Process Name   Process Description
Business Process     ##B1           Group ## Business Process 1
Business Process     ##B2           Group ## Business Process 2
Business Subprocess  ##S1           Group ## Subprocess 1
Business Subprocess  ##S2           Group ## Subprocess 2
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter SPRO.
b) Choose Enter.
c) On the Customizing: Execute Project screen, on the toolbar, choose SAP Reference
IMG.
d) On the Display IMG screen, choose SAP Customizing Implementation
Guide → Governance Risk and Compliance → Access Control → Maintain Business
Processes and Subprocesses.
e) On the Change View “Business Process”: Overview screen, choose New Entries.
f) In the Business Process table, enter the two new business processes from the table at
the beginning of this step.
g) Choose Save.
h) Remain on this screen for the next step.
4. Create the Business Subprocess.
a) Select the Business Process ##B1 so that the row is highlighted.
b) In the navigation panel, double-click Business Subprocess subfolder.
c) On the Change View “Business Subprocess”: Overview screen, choose New Entries.
d) In the Business Subprocess table, enter the subprocess ##S1 with the data from the
table.
e) In the navigation panel, double-click Business Process subfolder.
f) In the Business Process table, select ##B2.
g) In the navigation panel, double-click the Business Subprocess subfolder.
h) On the Change View “Business Subprocess”: Overview screen, choose New Entries.
i) In the Business Subprocess table, enter the subprocess ##S2 with the data from the
table.
j) Choose Save.
k) Choose Back until you return to the SAP Easy Access — User Menu for Training
GRC300-## screen.
5. Assign the Access Control Owner Type to the corresponding Access Control Owner ID,
and assign all Access Control Owner types to your GRC300-## ID.
Access Control Owner Name   Access Control Owner Type
ACRISKOWN##                 Risk Owner
ACMITAPP##                  Mitigation Approver
ACMITMON##                  Mitigation Monitor
Note:
Your log on user ID GRC300-## is assigned to all selections in the training
system. You are not allowed to assign yourself as a Central Owner.
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Access Control Owners.
b) On the Owner Assignment: New screen, choose Create.
c) In the Owner field, choose Search.
d) On the Select User screen, in the Find field, enter AC*##.
e) Choose Go.
f) In the Available table, choose ACRISKOWN##.
g) Choose OK.
h) On the Owner Assignment: New screen, in the Owner Type section, choose Risk Owner.
i) In the Comment Column enter ARA Owner Maintenance for GRC Training
Course Group ##.
j) Choose Save.
k) Choose Close. If your entry does not appear, choose Refresh at the bottom of the data
table.
l) Repeat steps b - k for the other owners using the data in the table.
m) Close the Central Owner browser tab.
6. Assign your Access Control Owners to your organization ##-FINANCE that you previously
created.
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Organizations.
b) On the Organization screen, expand ##-CRG GLB INTL → ##-GROUP HQ. Choose ##-FINANCE.
c) Choose Open.
d) On the Organization window, select the Owners tab.
Note:
You may need to maximize the window to see the Owners tab or use the
Navigation icons at the end of the tab row to locate the Owners tab.
e) In the AC Owners section, choose Add Row.
f) In the Name field, choose Search.
g) In the Search: Name dialog box, in the Full Name field, enter Group ##.
h) Choose Go.
i) Select ACMITAPP## that you assigned as an Access Control Owner.
j) Repeat steps e - i to add the ACMITMON## and GRC300-## users. For GRC300-##, use GRC300 as the search criteria.
k) Choose Save.
l) Close the Organization Hierarchy browser tab.
Unit 5
Exercise 3: Build a Rule Set and Prepare for Testing
Business Example
You are a system administrator and have been asked to run a validation of access risks. The
validation of access risks is a crucial task for the success of the SAP Access Control project.
An incorrect access risk destroys the credibility of the whole set of access risks. You want to
be certain this is not an issue in your system. You will use simple ABAP Roles in the back-end
system to validate the access risks (SoD).
In this exercise, when values include ##, replace the characters with the participant number
your instructor assigned to you.
This exercise uses the data created in the exercise Maintain Master Data and Access Control
Owners.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Create and Build a Rule Set
1. Create a rule set using the data from the table:
Field         Value
Rule Set ID   ##RS
Description   Group ## Rule Set
2. Create the functions using the data from the following table.
Function ID  Function Description          Business Process  System              Action  Permission  Field  Field Value
##F1         Payments                      Procure to Pay    ZMGCLNT800 ECC ERP  FB10    F_BKPF_BUK  ACTVT  01
##F2         Vendor Maintenance            Procure to Pay    ZMGCLNT800 ECC ERP  XK01    F_LFA1_APP  ACTVT  01
##F3         Maintain PO                   Procure to Pay    ZMGCLNT800 ECC ERP  ME21N   M_BEST_BSA  ACTVT  01
##F4         Invoice Processing            Procure to Pay    ZMGCLNT800 ECC ERP  MIRO    M_RECH_WRK  ACTVT  01
##F5         Table Maintenance             Basis             ZMGCLNT800 ECC ERP  SM30    S_TABU_DIS  ACTVT  02
##F6         Table Maintenance Permission  Basis             ZMGCLNT800 ECC ERP  (none)  S_TABU_DIS  ACTVT  02
3. Create two SoD Risks using the data in the following table.
Access Risk ID  Description              Risk Type              Business Process  Risk Level  Functions
##R1            Payment Fraud            Segregation of Duties  Procure to Pay    High        ##F1, ##F2
##R2            Unauthorized Purchasing  Segregation of Duties  Procure to Pay    High        ##F3, ##F4
Hint:
Be sure to include the rule set ID you created previously on the Rule Set tab
for each risk you create.
4. Create a critical action risk using the data in the following table.
Risk ID  Risk Description   Risk Type        Business Process  Risk Level  Function
##R3     Table Maintenance  Critical Action  Basis             High        ##F5
5. Create a Critical Permission Risk using the data in the following table.
Risk ID  Risk Description              Risk Type            Business Process  Risk Level  Function
##R4     Table Maintenance Permission  Critical Permission  Basis             High        ##F6
6. Generate rules for your risks.
7. Run the Access Rule Summary Report for your rule set ##RS and review the results.
Confirm that all the Risk IDs from your rule set ##RS are listed. If not, please correct your
ruleset configuration from the previous steps.
8. Run the Access Rule Detail Report for the Global rule set and review the Access Rules for
Risk P001.
What is the Access Rule ID for the combination of actions FB10 and XK01?
What is the field value for Permission Object M_LFM1_EKO field ACTVT?
What is the status of permission M_LFM1_EKO?
How will the status of Permission Object M_LFM1_EKO impact the results of a Risk
Analysis?
Unit 5
Solution 3: Build a Rule Set and Prepare for Testing
Business Example
You are a system administrator and have been asked to run a validation of access risks. The
validation of access risks is a crucial task for the success of the SAP Access Control project.
An incorrect access risk destroys the credibility of the whole set of access risks. You want to
be certain this is not an issue in your system. You will use simple ABAP Roles in the back-end
system to validate the access risks (SoD).
In this exercise, when values include ##, replace the characters with the participant number
your instructor assigned to you.
This exercise uses the data created in the exercise Maintain Master Data and Access Control
Owners.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Create and Build a Rule Set
1. Create a rule set using the data from the table:
Field         Value
Rule Set ID   ##RS
Description   Group ## Rule Set
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
the Rule Sets tile.
b) On the SOD Rule Set screen, choose Create.
c) In the Ruleset: New dialog box, enter the data from the table.
d) Choose Save.
e) Choose Close.
f) Close the SOD Rule Set browser window to return to the SAP Fiori Launchpad home
page.
2. Create the functions using the data from the following table.
Function ID  Function Description          Business Process  System              Action  Permission  Field  Field Value
##F1         Payments                      Procure to Pay    ZMGCLNT800 ECC ERP  FB10    F_BKPF_BUK  ACTVT  01
##F2         Vendor Maintenance            Procure to Pay    ZMGCLNT800 ECC ERP  XK01    F_LFA1_APP  ACTVT  01
##F3         Maintain PO                   Procure to Pay    ZMGCLNT800 ECC ERP  ME21N   M_BEST_BSA  ACTVT  01
##F4         Invoice Processing            Procure to Pay    ZMGCLNT800 ECC ERP  MIRO    M_RECH_WRK  ACTVT  01
##F5         Table Maintenance             Basis             ZMGCLNT800 ECC ERP  SM30    S_TABU_DIS  ACTVT  02
##F6         Table Maintenance Permission  Basis             ZMGCLNT800 ECC ERP  (none)  S_TABU_DIS  ACTVT  02
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Functions.
b) On the SOD FUNCTION screen, choose Create.
c) In the Function: New dialog box, enter the data from the table at the beginning of this
step.
d) Enter the Function ID and Business Process data from the table.
e) Select Analysis Scope → Single System.
f) On the Action tab, choose Add.
g) In the open row, enter the data from the table for System and Action.
h) Choose Enter.
i) Select the Permission tab.
j) On the Permission tab, enter the data from the table for Permission, Field, and Field
Value.
k) Set the status to Active for each object configured in the table. Leave all others as
Inactive.
l) Choose Save.
m) Choose Close.
n) Repeat steps b - m for the remaining functions in the table except for ##F6.
o) For ##F6, do not add anything to the table on the Actions tab.
p) Select the Permission tab.
q) Choose Add.
r) In the System field, choose ZMGCLNT800-ECC ERP.
s) In the Permission Group field, enter S_TABU_DIS.
t) Add the rest of the entries indicated in the last line of the table at the beginning of this
step, use the search functionality if necessary.
u) Choose Save.
v) Choose Close.
w) Close the SOD FUNCTION browser tab.
3. Create two SoD Risks using the data in the following table.
Access Risk ID  Description              Risk Type              Business Process  Risk Level  Functions
##R1            Payment Fraud            Segregation of Duties  Procure to Pay    High        ##F1, ##F2
##R2            Unauthorized Purchasing  Segregation of Duties  Procure to Pay    High        ##F3, ##F4
Hint:
Be sure to include the rule set ID you created previously on the Rule Set tab
for each risk you create.
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Access Risks.
b) On the SOD Risk screen, choose Create.
c) On the Access Risk: New dialog box, enter the data from the table.
d) Select the Functions tab and choose Add.
e) In the Function ID field, choose Search.
f) In the Select Functions dialog box, in the Find field, enter ##*. Choose Go.
g) In the Available column, choose ##F1 and ##F2.
h) Use the single arrow button to move the functions to the Selected column.
i) Choose OK.
j) On the Access Risk: New screen, select the Rule Sets tab.
k) Choose Add.
l) In the Rule Set ID field, choose Search.
m) In the Select Rulesets dialog box, choose ##RS.
n) Use the single arrow button to move the functions to the Selected column.
o) Choose OK.
p) Choose the Risk Owners tab.
q) Choose Add.
r) In the Owner ID field, choose Search.
s) In the Select Risk Owners dialog box, choose GRC300-## and ACRISKOWN##.
t) Use the single arrow button to move the functions to the Selected column.
u) Choose OK.
v) Choose Save.
w) Choose Close.
x) Repeat steps b - w to add the remaining risks.
y) Remain on this screen for the next step.
4. Create a critical action risk using the data in the following table.
Risk ID  Risk Description   Risk Type        Business Process  Risk Level  Function
##R3     Table Maintenance  Critical Action  Basis             High        ##F5
a) On the SOD Risk screen, choose Create.
b) In the Access Risk: New dialog box, enter the data from the table.
c) On the Function tab, choose Add.
d) In the Function ID field, choose Search.
e) On the Select Functions dialog box, in the Available column, choose ##F5.
f) Use the single arrow button to move the functions to the Selected column.
g) Choose OK.
h) On the Access Risk: New dialog box, select the Rule Sets tab.
i) Choose Add.
j) In the Rule Set ID field, choose Search.
k) In the Select Rulesets dialog box, choose your rule set.
l) Use the single arrow button to move the functions to the Selected column.
m) Choose OK.
n) On the Access Risk: New dialog box, select the Risk Owners tab.
o) Choose Add.
p) In the Owner ID field, choose Search.
q) In the Select Risk Owners dialog box, choose GRC300-## and ACRISKOWN##.
r) Use the single arrow button to move the functions to the Selected column.
s) Choose OK.
t) Choose Save.
u) Choose Close.
v) Remain on this screen for the next step.
5. Create a Critical Permission Risk using the data in the following table.
Risk ID  Risk Description              Risk Type            Business Process  Risk Level  Function
##R4     Table Maintenance Permission  Critical Permission  Basis             High        ##F6
a) In the SOD Risk dialog box, choose Create.
b) In the Access Risk: New dialog box, enter the data from the table.
c) On the Function tab, choose Add.
d) In the Function ID column, choose Search.
e) On the Select Functions dialog box, in the Available column, choose ##F6.
f) Use the single arrow button to move the functions to the Selected column.
g) Choose OK.
h) On the Access Risk: New dialog box, select the Rule Sets tab.
i) Choose Add.
j) In the Rule Set ID field, choose Search.
k) In the Select Rulesets dialog box, choose your rule set.
l) Use the single arrow button to move the functions to the Selected column.
m) Choose OK.
n) On the Access Risk: New dialog box, select the Risk Owners tab.
o) In the Owner ID field, choose Search.
p) Choose Add.
q) In the Select Risk Owners dialog box, choose your training ID and Risk Owner Training
ID.
r) Use the single arrow button to move the functions to the Selected column.
s) Choose OK.
t) Choose Save.
u) Choose Close.
v) Remain on this screen for the next step.
6. Generate rules for your risks.
a) On the SOD Risk screen, choose your first Risk ID.
b) On the SOD Risk dialog box, choose Generate Rules → Foreground.
c) In the Risks dialog box, choose Confirm.
d) In the dialog box, choose the link View Action Rules.
e) In the Action Rules dialog box, view your action rules.
f) Choose Back.
g) In the dialog box, choose the link View Permission Rules.
h) In the Permission Rules dialog box, view your permission rules.
i) Choose Back.
j) Choose Close to return to the SOD Risk dialog box.
k) Deselect the risk just generated.
l) Repeat steps a - j for the remaining risks you created.
m) After all your rules have been generated, close the SOD Risk browser tab.
7. Run the Access Rule Summary Report for your rule set ##RS and review the results.
Confirm that all the Risk IDs from your rule set ##RS are listed. If not, please correct your
ruleset configuration from the previous steps.
a) On the SAP Fiori Launchpad homepage, in the ARA Configuration tile group, choose
Access Rule Summary.
b) Under Analysis Criteria, use the Rule Set drop down to select Group ## Rule Set
(##RS). Leave all other Analysis Criteria drop downs unchanged.
c) Choose Run in Foreground.
d) In the Information regarding huge data dialog box, choose No.
Result: The results from the data query appear and can be reviewed.
e) Close the Results / Multiple Selection window.
f) Choose the Home icon to return to the SAP Fiori Launchpad home page.
8. Run the Access Rule Detail Report for the Global rule set and review the Access Rules for
Risk P001.
What is the Access Rule ID for the combination of actions FB10 and XK01?
0001
What is the field value for Permission Object M_LFM1_EKO field ACTVT?
01
What is the status of permission M_LFM1_EKO?
InActive
How will the status of Permission Object M_LFM1_EKO impact the results of a Risk
Analysis?
Object will not be analyzed because it is not active.
a) On the SAP Fiori Launchpad homepage, in the ARA Configuration tile group, choose
Access Rule Detail.
b) Under Analysis Criteria, use the Rule Set drop down to select Group ## Rule Set
(##RS).
c) Under Analysis Criteria, use the Access Risk ID Search.
d) In the Search: Choose a value for this criterion window, enter ##R1.
e) Choose Go and select the line for ##R1.
f) Choose Run in Foreground.
Result: The results from the data query appear and can be reviewed.
g) Close the Results / Multiple Selection window.
h) Choose the Home icon to return to the SAP Fiori Launchpad home page.
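Steps 6 and 8 above show rule generation and the effect of an inactive permission object only through the user interface. The following Python is an added example written for this page, not SAP code and not part of the course material: it models the functions ##F1 to ##F6 and risks ##R1 to ##R4 from the exercise tables (with ## = 00), generates action rules as the combination of one action per function and permission rules as the combination of one active permission entry per function, and adds one constructed inactive entry (M_LFM1_EKO on ##F2) to show that an inactive object is skipped. The rule-numbering scheme (0001, 0002, … per risk) is a simplification assumed here.

```python
"""Toy model of SAP Access Control rule generation (added example, not SAP code).

Constructed to mirror the Exercise 3 tables with ## = 00. Assumptions that are
not stated in the course material: rule numbers are counted from 0001 per risk,
and a risk's permission rules are the Cartesian product of the *active*
permission entries of its functions.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class Permission:
    obj: str              # authorization object, e.g. F_BKPF_BUK
    fld: str              # field, e.g. ACTVT
    value: str            # field value, e.g. 01
    active: bool = True   # inactive entries are not analyzed


@dataclass
class Function:
    fid: str
    desc: str
    process: str
    actions: list = field(default_factory=list)       # transaction codes
    permissions: list = field(default_factory=list)   # Permission entries


@dataclass
class Risk:
    rid: str
    desc: str
    risk_type: str        # "Segregation of Duties", "Critical Action", "Critical Permission"
    level: str
    functions: list


def generate_action_rules(risk):
    """One action rule per combination taking one action from each function.
    A permission-only function (no actions, like ##F6) contributes nothing,
    so such a risk gets no action rules at all."""
    action_lists = [f.actions for f in risk.functions]
    if any(not acts for acts in action_lists):
        return []
    return [(f"{risk.rid}{n:04d}", combo)
            for n, combo in enumerate(product(*action_lists), start=1)]


def generate_permission_rules(risk):
    """One permission rule per combination taking one *active* permission entry
    from each function. Inactive entries are filtered out first, which is why an
    inactive object never produces a hit in risk analysis."""
    perm_lists = [[p for p in f.permissions if p.active] for f in risk.functions]
    if any(not perms for perms in perm_lists):
        return []
    return [(f"{risk.rid}{n:04d}", combo)
            for n, combo in enumerate(product(*perm_lists), start=1)]


def actvt(obj, value, active=True):
    """Shorthand for a permission entry on field ACTVT."""
    return Permission(obj, "ACTVT", value, active)


def build_exercise_rule_set():
    """Functions ##F1-##F6 and risks ##R1-##R4 from the exercise, with ## = 00.
    ##F2 gets an extra, constructed *inactive* entry to demonstrate the filter."""
    f1 = Function("00F1", "Payments", "Procure to Pay", ["FB10"], [actvt("F_BKPF_BUK", "01")])
    f2 = Function("00F2", "Vendor Maintenance", "Procure to Pay", ["XK01"],
                  [actvt("F_LFA1_APP", "01"), actvt("M_LFM1_EKO", "01", active=False)])
    f3 = Function("00F3", "Maintain PO", "Procure to Pay", ["ME21N"], [actvt("M_BEST_BSA", "01")])
    f4 = Function("00F4", "Invoice Processing", "Procure to Pay", ["MIRO"], [actvt("M_RECH_WRK", "01")])
    f5 = Function("00F5", "Table Maintenance", "Basis", ["SM30"], [actvt("S_TABU_DIS", "02")])
    f6 = Function("00F6", "Table Maintenance Permission", "Basis", [], [actvt("S_TABU_DIS", "02")])
    return [
        Risk("00R1", "Payment Fraud", "Segregation of Duties", "High", [f1, f2]),
        Risk("00R2", "Unauthorized Purchasing", "Segregation of Duties", "High", [f3, f4]),
        Risk("00R3", "Table Maintenance", "Critical Action", "High", [f5]),
        Risk("00R4", "Table Maintenance Permission", "Critical Permission", "High", [f6]),
    ]


def rule_summary(risks):
    """Rule counts per risk ID, in the spirit of the Access Rule Summary report."""
    return {r.rid: {"action_rules": len(generate_action_rules(r)),
                    "permission_rules": len(generate_permission_rules(r))}
            for r in risks}


if __name__ == "__main__":
    for r in build_exercise_rule_set():
        print(r.rid, generate_action_rules(r), generate_permission_rules(r))
```

Running the block prints, per risk, the generated action and permission rules; ##R4 has a permission rule but no action rule, and the inactive M_LFM1_EKO entry never appears in ##R1's permission rule, which is the behaviour the step 8 questions describe.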
Unit 5
Exercise 4: Perform Risk Analysis, Remediation, and Mitigation
Business Example
You are the access risk specialist within the internal control group. You have been asked to
evaluate a rule set that you created earlier against the users and rules you created using Ad
Hoc Risk Analysis in Access Control. You have been asked to validate that your rule set functions
as designed and successfully identifies risks at the user and role levels.
In this exercise, when values include ##, replace the characters with the participant number
your instructor assigned to you.
This exercise uses the data created in the exercises Maintain Master Data and Access Control
Owners and Build a Rule Set and Prepare for Testing.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Task 1: Analyze Users for SoD and Critical Action Violations
1. Analyze your users for SoD and CA violations, and save the report criteria as variant
##_USER_01.
Field                   Value
System                  ZMGCLNT800 (ZMGCLNT800-ECC ERP)
Users                   ##_USER_01, ##_USER_02, ##_USER_03 (HINT: Add additional criteria rows for User or use Multiple Selections)
Rule Set                Group ## Rule Set
Report Options: Format  Detail / Technical View
Report Options: Type    Access Risk Analysis; select the following elements:
                        ● Action Level
                        ● Permission Level
                        ● Critical Action
                        ● Critical Permission
Additional Criteria     Select the following elements:
                        ● Include Mitigated Risks
                        ● Show All Objects
Save Variant as         ##_USER_01
2. Using Simulation, evaluate the possibilities for remediating the risks identified during your
User-Level Analysis.
Field                   Value
System                  ZMGCLNT800 (ZMGCLNT800-ECC ERP)
User                    ##_USER_02
Rule Set                Group ## Rule Set
Report Options: Format  Detail / Technical View
Report Options: Type    Access Risk Analysis; select the following elements:
                        ● Action Level
                        ● Permission Level
                        ● Critical Action
Additional Criteria     Select the following elements:
                        ● Include Mitigated Risks
                        ● Show All Objects
Save Variant as         ##_USER_02
3. Simulate what happens when you exclude the value MIRO from the Composite role.
4. Simulate what happens when you exclude the technical role Z:RISK_##R2.
Task 2: Analyze Roles for SoD and Critical Action Violations
1. Using Simulation, evaluate the possibilities for remediating the risks identified during Role-Level Analysis. Use Composite role Z:COMP_ROLE_GRC300, which contains the Single
roles Z:RISK_00R1 and Z:RISK_00R2 from system ZMGCLNT800.
Field                   Value
System                  ZMGCLNT800 (ZMGCLNT800-ECC ERP)
Role Type               Technical Role
Role                    Z:COMP_ROLE_GRC300
Rule Set                Group ## Rule Set
Report Options: Format  Detail / Technical View
Report Options: Type    Access Risk Analysis; select the following elements:
                        ● Action Level
                        ● Permission Level
                        ● Critical Action
Additional Criteria     Select the following elements:
                        ● Include Mitigated Risks
2. Simulate what happens when you exclude the value MIRO from the Composite role.
3. Simulate what happens when you exclude the technical role Z:RISK_00R2.
4. Simulate what happens when you add a transaction to the composite role.
Task 3: Create a Mitigating Control
1. Create a Mitigating Control to mitigate one of your risks.
Tab           Field                  Value
General       Mitigating Control ID  GRCMCT##
General       Name                   Group ## Mitigating Control
General       Organization           ##-Finance
General       Process                Group ## Business Process 1
General       Subprocess             Group ## Subprocess 1
Access Risks  Risk ID                ##R1 and P001
Access Risks  Rule ID                *
Owners        Name                   ● Group ## AC Mitigation Monitor Training ID (ACMITMON##)
                                     ● Group ## AC Mitigation Approver Training ID (ACMITAPP##)
                                     ● Training GRC300-## (GRC300-##)
Owners        Assignment Type        ● Assignment Type for Group ## AC Mitigation Approver Training ID: Approver
                                     ● Assignment Type for Group ## AC Mitigation Monitor Training ID: Monitor
                                     ● Assignment Type for Training GRC300-## ID: Monitor
2. Assign the new mitigating control to the risk identified earlier in this exercise. Use saved
variant ##_USER_01.
3. Run a risk analysis including mitigated risks.
4. Run the risk analysis excluding mitigated risks.
Unit 5
Solution 4
Perform Risk Analysis, Remediation, and Mitigation
Business Example
You are the access risk specialist within the internal control group. You have been asked to
evaluate a rule set that you created earlier against the users and rules you created, using Ad
Hoc Risk Analysis in Access Control. You have been asked to validate that the rule set functions
as designed and successfully identifies risks at the user and role levels.
In this exercise, when values include ##, replace the characters with the participant number
your instructor assigned to you.
This exercise uses the data created in the exercises Maintain Master Data and Access Control
Owners and Build a Rule Set and Prepare for Testing.
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Task 1: Analyze Users for SoD and Critical Action Violations
1. Analyze your users for SoD and CA violations, and save the report criteria as variant
##_USER_01.
Field                   Value
System                  ZMGCLNT800 (ZMGCLNT800-ECC ERP)
Users                   ##_USER_01, ##_USER_02, ##_USER_03 (HINT: Add additional criteria rows for User or use Multiple Selections)
Rule Set                Group ## Rule Set
Report Options: Format  Detail / Technical View
Report Options: Type    Access Risk Analysis; select the following elements:
                        ● Action Level
                        ● Permission Level
                        ● Critical Action
                        ● Critical Permission
Additional Criteria     Select the following elements:
                        ● Include Mitigated Risks
                        ● Show All Objects
Save Variant as         ##_USER_01
a) On the SAP Fiori Launchpad home page, in the ARA Monitoring & Analysis tile group,
choose User Level Risk Analysis.
b) On the Risk Analysis: User Level screen, enter the data from the table.
Note:
To add additional Users criteria rows, choose Add at the end of the
respective row or select Multiple Selections in the boolean field.
c) After entering data in Save Variant as field, choose Save.
d) Choose Run in Foreground.
e) In the Multiple Selection dialog box, in the Result table, view the SoD violations and
roles.
Note:
The SoD violations are listed by code in the Function column.
f) Use the Type drop-down menu to view the different types of results for each type of
risk analysis. Review the data for each report type.
g) Choose OK.
h) Close the browser window to return to the SAP Fiori Launchpad home page.
2. Using Simulation, evaluate the possibilities for remediating the risks identified during your
User-Level Analysis.
Field                   Value
System                  ZMGCLNT800 (ZMGCLNT800-ECC ERP)
User                    ##_USER_02
Rule Set                Group ## Rule Set
Report Options: Format  Detail / Technical View
Report Options: Type    Access Risk Analysis; select the following elements:
                        ● Action Level
                        ● Permission Level
                        ● Critical Action
Additional Criteria     Select the following elements:
                        ● Include Mitigated Risks
                        ● Show All Objects
Save Variant as         ##_USER_02
a) On the SAP Fiori Launchpad home page, in the ARA Monitoring & Analysis tile group,
choose User Level Simulation.
b) On the Simulation: User Level, Step 1 (Define Analysis Criteria) screen, enter the data
from the table.
c) After entering data in Save Variant as field, choose Save.
d) Choose Next.
e) On the Risk Analysis: User Level, Step 2 (Define Simulation Criteria) screen, choose
Run in Foreground.
f) On the Risk Analysis: User Level, Step 3 (Confirmation) screen, view the results for
each type of risk analysis. For a more detailed look, in the Format field, choose
Detail.
g) Remain on this screen for the next step.
3. Simulate what happens when you exclude the value MIRO from the Composite role.
a) On the Risk Analysis: User Level, Step 3 (Confirmation) screen, in the navigation
ribbon, choose Previous.
b) On the Risk Analysis: User Level, Step 2 (Define Simulation Criteria) screen, in the
Actions table, choose Add.
c) In the table, in the System column, choose ZMGCLNT800 (ZMGCLNT800-ECC ERP).
d) In the Action From column, enter MIRO.
e) In the Actions column, choose Exclude from the drop-down list.
f) Choose Run in Foreground.
g) On the Risk Analysis: User Level, Step 3 (Confirmation) screen, view the results for
each type of risk analysis. For a more detailed look, in the Format field, choose
Detail.
By excluding the value MIRO, there are no longer any SoD violations.
h) Remain on this screen for the next step.
4. Simulate what happens when you exclude the technical role Z:RISK_##R2.
a) On the Risk Analysis: User Level, Step 3 (Confirmation) screen, choose Previous.
b) Select the Actions tab, select the entry for MIRO, and choose Remove.
c) Select the Roles tab and choose Add.
d) In the table, in the Role Type column, select Technical Role.
e) In the System column, choose ZMGCLNT800 (ZMGCLNT800-ECC ERP).
f) In the Role From column, enter Z:RISK_##R2.
g) In the Actions column, choose Exclude from the drop-down list.
h) Choose Run in Foreground.
i) On the Risk Analysis: User Level, Step 3 (Confirmation) screen, view the results for
each type of risk analysis. For a more detailed look, in the Format field, choose
Detail.
By excluding the role Z:RISK_##R2, there are no longer any SoD violations.
j) Close the User Level, Step 3 (Confirmation) browser window to return to the SAP Fiori
Launchpad home page.
Task 2: Analyze Roles for SoD and Critical Action Violations
1. Using Simulation, evaluate the possibilities for remediating the risks identified during Role-Level Analysis. Use Composite role Z:COMP_ROLE_GRC300, which contains the Single
roles Z:RISK_00R1 and Z:RISK_00R2 from system ZMGCLNT800.
Field                   Value
System                  ZMGCLNT800 (ZMGCLNT800-ECC ERP)
Role Type               Technical Role
Role                    Z:COMP_ROLE_GRC300
Rule Set                Group ## Rule Set
Report Options: Format  Detail / Technical View
Report Options: Type    Access Risk Analysis; select the following elements:
                        ● Action Level
                        ● Permission Level
                        ● Critical Action
Additional Criteria     Select the following elements:
                        ● Include Mitigated Risks
a) On the SAP Fiori Launchpad home page, in the ARA Monitoring & Analysis tile group,
choose Role Level Simulation.
b) On the Simulation: Role Level, Step 1 (Define Analysis Criteria) screen, enter the data
from the table.
c) Choose Next.
d) On the Simulation: Role Level, Step 2 (Define Simulation Criteria) screen, choose Run in
Foreground.
e) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, view the results for
each type of risk analysis. For a more detailed look, in the Format field, choose Detail.
f) Remain on this screen for the next step.
2. Simulate what happens when you exclude the value MIRO from the Composite role.
a) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, choose Previous.
b) On the Risk Analysis: Role Level, Step 2 (Define Simulation Criteria) screen, choose the
Actions tab, then choose Add.
c) In the table, in the System field, choose ZMGCLNT800-ECC ERP.
d) In the Action From field, enter MIRO.
e) In the Actions field, choose Exclude from the drop-down list.
f) Choose Run in Foreground.
g) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, view the results for
each type of risk analysis. For a more detailed look, in the Format field, choose
Detail.
By excluding the value MIRO, you will no longer see the ##R2 SoD violation between
ME21N and MIRO.
h) Remain on this screen for the next step.
3. Simulate what happens when you exclude the technical role Z:RISK_00R2.
a) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, choose Previous.
b) Select the Actions tab, select the entry for MIRO. Choose Remove.
c) Select the Roles tab and choose Add.
d) In the table, in the Role Type column, select Technical Role.
e) In the System field, choose ZMGCLNT800-ECC ERP.
f) In the Role From field, enter Z:RISK_00R2.
g) In the Actions field, choose Exclude from the drop-down list.
h) Choose Run in Foreground.
i) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, view the results for
each type of risk analysis. For a more detailed look, in the Format field, choose Detail.
After excluding the role Z:RISK_00R2, you no longer see the ##R2 SoD violation.
j) Remain on this screen for the next step.
4. Simulate what happens when you add a transaction to the composite role.
a) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, choose Previous.
b) On the Roles tab, select any remaining entries, and choose Remove.
c) Select the Actions tab and choose Add.
d) In the table, in the System column, choose ZMGCLNT800-ECC ERP.
e) In the Action From column enter SM30.
f) In the Actions column, choose Include from the drop-down list.
g) Choose Run in Foreground.
h) On the Risk Analysis: Role Level, Step 3 (Confirmation) screen, in the Type drop-down
menu, choose Critical Action.
i) In the Result table, deselect all entries.
After adding SM30, you will see a critical action violation. Note that the line is shaded
in a color. This indicates that this risk is due to the simulation that you just performed.
j) Close the Simulation: Role Level, Step 3 (Confirmation) browser tab, and return to the
SAP Fiori Launchpad home page.
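The user-level and role-level simulations in Tasks 1 and 2, and the Solution 3 questions about the access rule for FB10/XK01 and the inactive permission object M_LFM1_EKO, all rest on one evaluation: a rule pairs conflicting functions (an SoD risk such as ##R2 between ME21N and MIRO) or names a single critical action (SM30 in step 4), composite roles are expanded to the actions they grant, a simulation re-runs the analysis after excluding or including actions or roles, and the permission level only checks conditions on active permission objects. The Python model below is an added illustration of that logic; it is not SAP code and not part of the course. Only the ME21N/MIRO conflict, the SM30 critical action, the FB10/XK01 pairing under P001, the M_LFM1_EKO ACTVT 01 condition and the role, user and system names come from the exercises; the role contents, the hypothetical role Z:FI_CLERK, the critical-action risk id CA01 and the permission values each user holds are constructed.

```python
"""Toy model of Access Control risk analysis and simulation on constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    risk_id: str
    kind: str                 # "SOD" (conflicting functions) or "CRITICAL_ACTION"
    functions: tuple          # frozensets of actions; an SoD fires when each function is present
    permissions: tuple = ()   # (object, field, value, active) conditions for the permission level


# Constructed rule set. ##R2, SM30 and the inactive M_LFM1_EKO ACTVT 01 condition follow the
# course; the risk id CA01 is hypothetical.
RULES = (
    Rule("P001", "SOD", (frozenset({"FB10"}), frozenset({"XK01"})),
         permissions=(("M_LFM1_EKO", "ACTVT", "01", False),)),
    Rule("##R2", "SOD", (frozenset({"ME21N"}), frozenset({"MIRO"}))),
    Rule("CA01", "CRITICAL_ACTION", (frozenset({"SM30"}),)),
)

# Role contents, the role Z:FI_CLERK and the assignments are constructed.
SINGLE_ROLES = {"Z:RISK_00R1": {"ME21N"}, "Z:RISK_00R2": {"MIRO"}, "Z:FI_CLERK": {"FB10", "XK01"}}
COMPOSITE_ROLES = {"Z:COMP_ROLE_GRC300": {"Z:RISK_00R1", "Z:RISK_00R2"}}
USERS = {"##_USER_02": {"Z:COMP_ROLE_GRC300"}, "##_USER_01": {"Z:FI_CLERK"}}
USER_PERMS = {"##_USER_02": set(), "##_USER_01": set()}   # (object, field, value) triples held


def effective_actions(roles, exclude_roles=(), exclude_actions=(), include_actions=()):
    """Expand composite roles, then apply the Step 2 (Define Simulation Criteria) entries."""
    actions = set(include_actions)          # actions simulated as added (Include)
    pending = list(roles)
    while pending:
        role = pending.pop()
        if role in exclude_roles:
            continue                        # role simulated as removed (Exclude)
        if role in COMPOSITE_ROLES:
            pending.extend(COMPOSITE_ROLES[role])
        else:
            actions |= SINGLE_ROLES.get(role, set())
    return actions - set(exclude_actions)   # actions simulated as removed (Exclude)


def analyze(actions, perms=frozenset(), rules=RULES):
    """Return sorted (risk_id, analysis_type) findings for one set of actions and permissions."""
    findings = []
    for rule in rules:
        if not all(fn & actions for fn in rule.functions):
            continue                        # not every function is represented
        if rule.kind == "CRITICAL_ACTION":
            findings.append((rule.risk_id, "Critical Action"))
            continue
        findings.append((rule.risk_id, "Action Level"))
        # Permission level: only conditions on ACTIVE objects are analyzed. An inactive object
        # is skipped entirely, so it can neither add nor block a permission-level finding.
        active = [(o, f, v) for o, f, v, on in rule.permissions if on]
        if all(cond in perms for cond in active):
            findings.append((rule.risk_id, "Permission Level"))
    return sorted(findings)


def with_object_status(rules, obj, active):
    """Copy of the rule set with permission object `obj` switched active or inactive."""
    out = []
    for r in rules:
        perms = tuple((o, f, v, active if o == obj else on) for o, f, v, on in r.permissions)
        out.append(Rule(r.risk_id, r.kind, r.functions, perms))
    return tuple(out)


def analyze_user(user, rules=RULES, **simulation):
    return analyze(effective_actions(USERS[user], **simulation), USER_PERMS.get(user, set()), rules)


def analyze_role(role, rules=RULES, **simulation):
    return analyze(effective_actions({role}, **simulation), rules=rules)


if __name__ == "__main__":
    print("baseline      ", analyze_user("##_USER_02"))
    print("exclude MIRO  ", analyze_user("##_USER_02", exclude_actions=("MIRO",)))
    print("exclude role  ", analyze_user("##_USER_02", exclude_roles=("Z:RISK_00R2",)))
    print("include SM30  ", analyze_role("Z:COMP_ROLE_GRC300", include_actions=("SM30",)))
    print("P001 inactive ", analyze_user("##_USER_01"))
    print("P001 active   ", analyze_user("##_USER_01", rules=with_object_status(RULES, "M_LFM1_EKO", True)))
```

Excluding MIRO or the role Z:RISK_00R2 removes the ##R2 finding, as in Tasks 1 and 2; including SM30 adds a Critical Action row, as in Task 2 step 4. The last two lines show the Solution 3 point: while M_LFM1_EKO is inactive the permission-level finding for P001 is reported even though the user holds no ACTVT value, and once the object is active the same user drops to an action-level finding only.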
Task 3: Create a Mitigating Control
1. Create a Mitigating Control to mitigate one of your risks.
Tab           Field                  Value
General       Mitigating Control ID  GRCMCT##
General       Name                   Group ## Mitigating Control
General       Organization           ##-Finance
General       Process                Group ## Business Process 1
General       Subprocess             Group ## Subprocess 1
Access Risks  Risk ID                ##R1 and P001
Access Risks  Rule ID                *
Owners        Name                   ● Group ## AC Mitigation Monitor Training ID (ACMITMON##)
                                     ● Group ## AC Mitigation Approver Training ID (ACMITAPP##)
                                     ● Training GRC300-## (GRC300-##)
Owners        Assignment Type        ● Assignment Type for Group ## AC Mitigation Approver Training ID: Approver
                                     ● Assignment Type for Group ## AC Mitigation Monitor Training ID: Monitor
                                     ● Assignment Type for Training GRC300-## ID: Monitor
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Mitigating Controls.
b) On the AC Mitigating Control screen, in the Mitigating Controls table, choose Create.
c) In the Control dialog box, choose the General tab. Enter the data from the table for the
General tab.
d) Select the Access Risks tab.
e) On the Access Risks tab, choose Add Row twice.
f) Enter the data from the table for the Access Risks tab.
g) Choose Enter.
h) Select the Owners tab.
i) On the Owners tab, choose Add Row.
j) Enter the data from the table for the Owners tab.
k) Choose Add as needed for each AC Owner.
l) Choose Save. If a warning message appears, choose Save again.
m) Choose Cancel to return to the AC Mitigating Control screen.
n) Close the browser window to return to the SAP Fiori Launchpad home page.
2. Assign the new mitigating control to the risk identified earlier in this exercise. Use saved
variant ##_USER_01.
a) On the SAP Fiori Launchpad home page, in the ARA Monitoring & Analysis tile group,
choose User Level Risk Analysis.
b) On the Risk Analysis: User Level screen, in the Saved Variants drop-down menu,
choose ##_USER_01.
c) In the Additional Criteria section, select Include Mitigated Risks if not already selected.
d) Choose Run in Foreground.
e) On the Multiple Selection dialog box, in the Result table, select a row with access risk
##R1.
Hint:
The risk analysis type needs to be Permission Level.
f) Choose Mitigate Risk.
g) Review data on the screen. The Control ID field should be populated with your
Mitigating Control information created earlier. In the Monitor field, choose Search and
choose GRC300-##.
Note:
If the Control ID column is blank, then your mitigation control is not
configured correctly. Go back to the beginning of this exercise and verify
that all information has been entered correctly.
h) On the Mitigation dialog box, choose Save.
The risk should now show a Control and Monitor in the Result area.
i) Choose OK.
j) Remain on this screen for the next step.
3. Run a risk analysis including mitigated risks.
a) On the Risk Analysis: User Level screen, choose Run in Foreground.
b) On the Multiple Selection dialog box, verify that risk ##R1 has been mitigated by noting
that the Control and the Monitor appears for risk ##R1 for the user ##_USER_01.
c) Choose OK.
d) Remain on this screen for the next step.
4. Run the risk analysis excluding mitigated risks.
a) On the Risk Analysis: User Level screen, deselect Include Mitigated Risks.
b) Choose Run in Foreground.
c) On the Multiple Selection dialog box, view the results. Note that ##_USER_01 now
shows as having No Violations.
d) Choose OK.
e) Close the browser window to return to the SAP Fiori Launchpad home page.
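Task 3 assigns control GRCMCT## with Rule ID * to risk ##R1 for ##_USER_01, shows the finding with its Control and Monitor while Include Mitigated Risks is selected, and shows No Violations once it is deselected. The Python model below is an added illustration of how result rows are matched against mitigation assignments; it is not SAP code and not part of the course. The assignment key (user, risk, rule id, system), the 365-day default validity (parameter 1011 of Exercise 5) and the switches for comparing rule id and system (parameters 1012 and 1013) are my modelling assumptions about how those settings behave; the user, control, monitor and connector names come from the exercises, and the finding rows and rule id 0001 are constructed.

```python
"""Toy model of mitigating-control assignment matching and the Include Mitigated Risks option."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:            # one row of a risk analysis result
    user: str
    system: str
    risk_id: str
    rule_id: str
    analysis_type: str


@dataclass(frozen=True)
class Assignment:         # a mitigating control assigned to a user for a risk
    control_id: str
    monitor: str
    user: str
    system: str
    risk_id: str
    rule_id: str          # "*" as in Task 3: every access rule under the risk
    valid_from: date
    valid_to: date


def new_assignment(control_id, monitor, user, system, risk_id, rule_id="*",
                   valid_from=None, expiration_days=365):
    """365 mirrors parameter 1011 (default expiration for mitigating control assignments, days)."""
    start = valid_from or date.today()
    return Assignment(control_id, monitor, user, system, risk_id, rule_id,
                      start, start + timedelta(days=expiration_days))


def matches(a, f, on, consider_rule_id=False, consider_system=False):
    """Assumed model: user and risk id must agree; rule id and system are compared only when the
    corresponding switch (parameters 1012 / 1013) is on; the assignment must be valid on `on`."""
    if a.user != f.user or a.risk_id != f.risk_id:
        return False
    if consider_rule_id and a.rule_id not in ("*", f.rule_id):
        return False
    if consider_system and a.system != f.system:
        return False
    return a.valid_from <= on <= a.valid_to


def report(findings, assignments, on, include_mitigated=True, **switches):
    """Result rows (user, system, risk_id, analysis_type, control_id, monitor).
    Mitigated rows carry control and monitor when include_mitigated is True and are dropped
    when it is False; a user left with no rows is reported once as 'No Violations'."""
    rows = []
    for f in findings:
        hit = next((a for a in assignments if matches(a, f, on, **switches)), None)
        if hit is None:
            rows.append((f.user, f.system, f.risk_id, f.analysis_type, None, None))
        elif include_mitigated:
            rows.append((f.user, f.system, f.risk_id, f.analysis_type, hit.control_id, hit.monitor))
    for user in sorted({f.user for f in findings}):
        if not any(r[0] == user for r in rows):
            rows.append((user, None, None, "No Violations", None, None))
    return sorted(rows, key=lambda r: (r[0], r[1] or "", r[2] or ""))


# Constructed sample: ##R1 reported at permission level for ##_USER_01 on two connectors.
FINDINGS = (
    Finding("##_USER_01", "ZMGCLNT800", "##R1", "0001", "Permission Level"),
    Finding("##_USER_01", "T41CLNT400", "##R1", "0001", "Permission Level"),
)
ASSIGNMENTS = (
    new_assignment("GRCMCT##", "GRC300-##", "##_USER_01", "ZMGCLNT800", "##R1",
                   valid_from=date(2022, 1, 1)),
)

if __name__ == "__main__":
    today = date(2022, 6, 1)
    for row in report(FINDINGS, ASSIGNMENTS, today):
        print("included   :", row)
    for row in report(FINDINGS, ASSIGNMENTS, today, include_mitigated=False):
        print("excluded   :", row)
    for row in report(FINDINGS, ASSIGNMENTS, today, consider_system=True):
        print("per-system :", row)
    for row in report(FINDINGS, ASSIGNMENTS, date(2023, 6, 1)):
        print("expired    :", row)
```

With the default switches the single assignment covers the risk on both connectors; with consider_system on, only the ZMGCLNT800 row is mitigated and the T41CLNT400 row comes back as an open violation, which is the kind of difference a reviewer should expect when parameter 1013 is changed. After the validity window ends the control no longer applies and both rows reappear, which is why the expiry in parameter 1011 matters for recurring analyses.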
Unit 5
Exercise 5
Review Parameter Settings for Analyze and Manage Risk (Optional)
Business Example
You are a system administrator. You have been asked to review configuration settings for
Analyze and Manage Risk functionality.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
Note:
Do not make any changes in this configuration unless directed to.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
2. List the settings that are set and their values for Parameter Group 1 - Change Log:
● 1001 - Enable Function Change Log
● 1002 - Enable Risk Change Log
● 1003 - Enable Organization Rule Log
● 1004 - Enable Supplementary Rule Log
● 1005 - Enable Critical Role Log
● 1006 - Enable Critical Profile Log
● 1007 - Enable Rule Set Change Log
3. List the settings that are set and their values for Parameter Group 2 - Mitigation:
● 1011 - Default expiration time for mitigating control assignments (in days)
● 1012 - Consider Rule Id also for mitigation assignment
● 1013 - Consider System for mitigation assignment
● 1014 - Enable separate authorization check for Mitigation from Access Request
● 1015 - Enable Invalid Mitigation Report from management summary
● 1016 - Specify number of days to exclude from Invalid Mitigation Cleanup
4. List the settings that are set and their values for Parameter Group 3 - Risk Analysis:
● 1021 - Consider Org Rules for other applications
● 1022 - Connector for which Object Ids may be maintained case sensitive
● 1023 - Default report type for risk analysis
● 1024 - Default risk level for risk analysis
● 1025 - Default rule set for risk analysis
● 1026 - Default user type for risk analysis
● 1027 - Enable Offline Risk Analysis
● 1028 - Include Expired Users
● 1029 - Include Locked Users
● 1030 - Include Mitigated Risks
● 1031 - Ignore Critical Roles & Profiles
● 1032 - Include Reference user when doing user analysis
● 1033 - Include Role/Profile Mitigating Controls in Risk Analysis
● 1034 - Max number of objects in a package for parallel processing
● 1035 - Send email notification to the monitor of the updated mitigated object
● 1036 - Show All Objects in Risk Analysis
● 1037 - Use SoD Supplementary Table for Analysis
● 1038 - Consider FF Assignments in Risk Analysis
● 1039 - Include Role assignment for Risk Analysis
● 1046 - Extended objects enabled connector
● 1048 - Business View for Risk Analysis is enabled
● 1050 - Default Report View for Risk Analysis
5. List the settings that are set and their values for Parameter Group 4 - Risk Analysis Spool:
● 1051 - Max number of objects in a file or database record
● 1052 - Spool File Location
● 1053 - Spool Type Workflow
● 1054 - Max number of violations supported in Organizational Rule Analysis
6. List the settings that are set and their values for Parameter Group 5 - Workflow relevant
for risk analysis functionality:
● 1061 - Mitigating Control Maintenance
● 1062 - Mitigation Assignment
● 1063 - Risk Maintenance
● 1064 - Function Maintenance
● 1101 - Create Request for Risk Approval
● 1102 - Change Request for Risk Approval
● 1103 - Delete Request for Risk Approval
● 1104 - Create Request for Function Approval
● 1105 - Change Request for Function Approval
● 1106 - Delete Request for Function Approval
● 1107 - Create Request for Mitigation Assignment Approval
● 1108 - Change Request for Mitigation Assignment Approval
● 1109 - Delete Request for Mitigation Assignment Approval
● 1110 - Default workflow request priority for Updating and Creating Risks
● 1111 - Default workflow request priority for Creating and Updating Functions
● 1112 - Default workflow request priority for Mitigation Control Assignments
7. List the settings that are set and their values for Parameter Group 8 - Performance:
● 1120 - Batch size for Batch Risk Analysis
● 1121 - Batch size for User sync
● 1122 - Batch size for Role sync
● 1123 - Batch size for Profile sync
● 1124 - Batch size for Authorization Synchronization
● 1125 - Pre-Aggregate Access Risk Information
● 1126 - Number of background jobs created for one Ad hoc Risk Analysis job
● 1127 - Minimum number of objects for splitting into multiple background jobs in Ad hoc Risk Analysis
● 2060 - Organization Rules Maximum allowed in Foreground
8. List which settings are set and their values for Parameter Group 11 Risk Analysis - Risk
Terminator:
● 1080 - Connector Enabled for Risk Terminator
● 1081 - Enable Risk Terminator for PFCG Role Generation
● 1082 - Enable Risk Terminator for PFCG User Assignment
● 1083 - Enable Risk Terminator for SU01 Role Assignment
● 1084 - Enable Risk Terminator for SU10 Multiple User Assignment
● 1085 - Stop Role Generation if Violations Exist
● 1086 - Comments Are Required in Case of Violations
● 1087 - Send Notification in Case of Violations
● 1088 - Default Report Type for Risk Terminator
9. List which settings are set and their values for Parameter Group 21 Management
Dashboard Reports:
● 1047 - Default Management Report Violation Count
● 1049 - Default Management Report Risk Type
10. Exit the Configuration Settings screen.
11. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
12. List the settings that are set and their values for the ZMG system:
● 1000 - Please maintain Plug-in Connector
● 1001 - Please maintain GRC Connector
● 1002 - Please maintain Ruleset
● 1003 - Enable HR Trigger
● 1004 - User Lock Type to be excluded in Repository Sync
● 1081 - Enable Risk Terminator for PFCG Role Generation
● 1082 - Enable Risk Terminator for PFCG User Assignment
● 1083 - Enable Risk Terminator for SU01 Role Assignment
● 1084 - Enable Risk Terminator for SU10 multiple User Assignment
● 1085 - Stop role generation if violation exists
● 1086 - Comments are required in case of violations
● 1087 - Send Notification in case of violations
● 1088 - Default report type for Risk Terminator
13. In the command field, enter /nEX to log off from this system.
14. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
15. List the settings that are set and their values for the T41 system:
● 1000 - Please maintain Plug-in Connector
● 1001 - Please maintain GRC Connector
● 1002 - Please maintain Ruleset
● 1003 - Enable HR Trigger
● 1004 - User Lock Type to be excluded in Repository Sync
● 1081 - Enable Risk Terminator for PFCG Role Generation
● 1082 - Enable Risk Terminator for PFCG User Assignment
● 1083 - Enable Risk Terminator for SU01 Role Assignment
● 1084 - Enable Risk Terminator for SU10 multiple User Assignment
● 1085 - Stop role generation if violation exists
● 1086 - Comments are required in case of violations
● 1087 - Send Notification in case of violations
● 1088 - Default report type for Risk Terminator
16. In the command field, enter /nEX to log off from this system.
Unit 5
Solution 5
Review Parameter Settings for Analyze and Manage Risk (Optional)
Business Example
You are a system administrator. You have been asked to review configuration settings for
Analyze and Manage Risk functionality.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
Note:
Do not make any changes in this configuration unless directed to.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
a) Log on to the main GRC system TGT ABAP client with user ID GRC300-##.
b) Execute transaction /nSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Maintain Configuration
Settings.
The AC Configuration Settings screen is displayed. These are the parameters configured
for this particular instance of SAP Access Control. Remember that some parameters have a
coded default in the GRACCONFIG table; if a parameter is not entered here, the default
applies.
2. List the settings that are set and their values for Parameter Group 1 - Change Log:
● 1001 - Enable Function Change Log
● 1002 - Enable Risk Change Log
● 1003 - Enable Organization Rule Log
● 1004 - Enable Supplementary Rule Log
● 1005 - Enable Critical Role Log
● 1006 - Enable Critical Profile Log
● 1007 - Enable Rule Set Change Log
a) 1001 - 1007: YES
3. List the settings that are set and their values for Parameter Group 2 - Mitigation:
● 1011 - Default expiration time for mitigating control assignments (in days)
● 1012 - Consider Rule Id also for mitigation assignment
● 1013 - Consider System for mitigation assignment
● 1014 - Enable separate authorization check for Mitigation from Access Request
● 1015 - Enable Invalid Mitigation Report from management summary
● 1016 - Specify number of days to exclude from Invalid Mitigation Cleanup
a) 1011: 365
b) 1012: NO
c) 1013: NO
d) 1014: YES
e) 1015: NO
f) 1016: 0
4. List the settings that are set and their values for Parameter Group 3 - Risk Analysis:
● 1021 - Consider Org Rules for other applications
● 1022 - Connector for which Object Ids may be maintained case sensitive
● 1023 - Default report type for risk analysis
● 1024 - Default risk level for risk analysis
● 1025 - Default rule set for risk analysis
● 1026 - Default user type for risk analysis
● 1027 - Enable Offline Risk Analysis
● 1028 - Include Expired Users
● 1029 - Include Locked Users
● 1030 - Include Mitigated Risks
● 1031 - Ignore Critical Roles & Profiles
● 1032 - Include Reference user when doing user analysis
● 1033 - Include Role/Profile Mitigating Controls in Risk Analysis
● 1034 - Max number of objects in a package for parallel processing
● 1035 - Send email notification to the monitor of the updated mitigated object
● 1036 - Show All Objects in Risk Analysis
● 1037 - Use SoD Supplementary Table for Analysis
● 1038 - Consider FF Assignments in Risk Analysis
● 1039 - Include Role assignment for Risk Analysis
● 1046 - Extended objects enabled connector
● 1048 - Business View for Risk Analysis is enabled
● 1050 - Default Report View for Risk Analysis
a) 1021: NO
b) 1022: SAP_S4A_LG
c) 1023: 02 (Permission Level), 03 (Critical Action)
d) 1024: * (ALL)
e) 1025: GLOBAL
f) 1026: A (Dialog)
g) 1027 - 1031: YES
h) 1032-1033: NO
i) 1034: 100
j) 1035 - 1038: NO
k) 1039: 02 (Future Dated)
l) 1046: SAP_S4A_LG
m) 1048: YES
n) 1050: 1 (Technical View)
5. List the settings that are set and their values for Parameter Group 4 - Risk Analysis Spool:
● 1051 - Max number of objects in a file or database record
● 1052 - Spool File Location
● 1053 - Spool Type Workflow
● 1054 - Max number of violations supported in Organizational Rule Analysis
a) 1051: 200000
b) 1052 - (not defined)
c) 1053: D (Database)
d) 1054: 500000
6. List the settings that are set and their values for Parameter Group 5 - Workflow relevant
for risk analysis functionality:
● 1061 - Mitigating Control Maintenance
● 1062 - Mitigation Assignment
● 1063 - Risk Maintenance
● 1064 - Function Maintenance
● 1101 - Create Request for Risk Approval
● 1102 - Change Request for Risk Approval
● 1103 - Delete Request for Risk Approval
● 1104 - Create Request for Function Approval
● 1105 - Change Request for Function Approval
● 1106 - Delete Request for Function Approval
● 1107 - Create Request for Mitigation Assignment Approval
● 1108 - Change Request for Mitigation Assignment Approval
● 1109 - Delete Request for Mitigation Assignment Approval
● 1110 - Default workflow request priority for Updating and Creating Risks
● 1111 - Default workflow request priority for Creating and Updating Functions
● 1112 - Default workflow request priority for Mitigation Control Assignments
a) 1061–1064: NO
b) 1101 - 1112: (not defined)
7. List the settings that are set and their values for Parameter Group 8 - Performance:
● 1120 - Batch size for Batch Risk Analysis
● 1121 - Batch size for User sync
● 1122 - Batch size for Role sync
● 1123 - Batch size for Profile sync
● 1124 - Batch size for Authorization Synchronization
● 1125 - Pre-Aggregate Access Risk Information
● 1126 - Number of background jobs created for one Ad hoc Risk Analysis job
● 1127 - Minimum number of objects for splitting into multiple background jobs in Ad hoc Risk Analysis
● 2060 - Organization Rules Maximum allowed in Foreground
a) 1120-1124: 1000
b) 1125: YES
c) 1126: 2
d) 1127: 1000
e) 2060: 50000
8. List which settings are set and their values for Parameter Group 11 Risk Analysis - Risk
Terminator:
● 1080 - Connector Enabled for Risk Terminator
● 1081 - Enable Risk Terminator for PFCG Role Generation
● 1082 - Enable Risk Terminator for PFCG User Assignment
● 1083 - Enable Risk Terminator for SU01 Role Assignment
● 1084 - Enable Risk Terminator for SU10 Multiple User Assignment
● 1085 - Stop Role Generation if Violations Exist
● 1086 - Comments Are Required in Case of Violations
● 1087 - Send Notification in Case of Violations
● 1088 - Default Report Type for Risk Terminator
a) 1080: (not defined)
b) 1081-1087: NO
c) 1088: (not defined)
9. List which settings are set and their values for Parameter Group 21 Management
Dashboard Reports:
● 1047 - Default Management Report Violation Count
● 1049 - Default Management Report Risk Type
a) 1047 - P (Permission)
b) 1049 - * (All)
10. Exit the Configuration Settings screen.
a) Choose Back to return to the Display IMG screen.
11. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
a) Log on to the target system ZMG ABAP client with user ID GRC300-##.
b) Execute transaction /nSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance (Plug-In) → Access Control → Maintain
Plug-In Configuration Settings.
The Change View "For System Details": Overview screen is displayed.
12. List the settings that are set and their values for the ZMG system:
● 1000 - Please maintain Plug-in Connector
● 1001 - Please maintain GRC Connector
● 1002 - Please maintain Ruleset
● 1003 - Enable HR Trigger
● 1004 - User Lock Type to be excluded in Repository Sync
● 1081 - Enable Risk Terminator for PFCG Role Generation
● 1082 - Enable Risk Terminator for PFCG User Assignment
● 1083 - Enable Risk Terminator for SU01 Role Assignment
● 1084 - Enable Risk Terminator for SU10 multiple User Assignment
● 1085 - Stop role generation if violation exists
● 1086 - Comments are required in case of violations
● 1087 - Send Notification in case of violations
● 1088 - Default report type for Risk Terminator
a) 1000: ZMGCLNT800
b) 1001: TGTCLNT001
c) 1002: GLOBAL
d) 1003 - 1004: (not defined)
e) 1081: (not defined)
f) 1082 - 1084: NO
g) 1085 - 1088: (not defined)
13. In the command field, enter /nEX to log off from this system.
14. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
a) Log on to the target system T41 ABAP client with user ID GRC300–##.
b) Execute transaction /nSPRO, then choose SAP Reference IMG .
c) Choose Governance, Risk and Compliance (Plug-In) → Access Control → Maintain
Plug-In Configuration Settings.
The Change View "For System Details": Overview screen is displayed.
15. List the settings that are set and their values for the T41 system:
● 1000 - Please maintain Plug-in Connector
● 1001 - Please maintain GRC Connector
● 1002 - Please maintain Ruleset
● 1003 - Enable HR Trigger
● 1004 - User Lock Type to be excluded in Repository Sync
● 1081 - Enable Risk Terminator for PFCG Role Generation
● 1082 - Enable Risk Terminator for PFCG User Assignment
● 1083 - Enable Risk Terminator for SU01 Role Assignment
● 1084 - Enable Risk Terminator for SU10 multiple User Assignment
● 1085 - Stop role generation if violation exists
● 1086 - Comments are required in case of violations
● 1087 - Send Notification in case of violations
● 1088 - Default report type for Risk Terminator
a) 1000: T41CLNT400
b) 1001: TGTCLNT001
c) 1002: GLOBAL
d) 1003 - 1004: (not defined)
e) 1081 - 1088: (not defined)
16. In the command field, enter /nEX to log off from this system.
Unit 6
Exercise 6
Create a BRFplus Initiator Rule
Business Example
You are an SAP Access Control administrator. You have been asked to set up the Access
Request Management system so that all user requests for access are reviewed for SoD
violations before access is granted as provided by the Access Request Design team. In this
exercise, you will build the Initiator Rule that will be needed for this design and incorporate
your new BRF+ rule into the MSMP Process ID configuration.
During the access request design process, the conditions for access requests have been
decided. The request attributes that will initiate the workflow are the Request Type (from the
request header area) and the Connector (from the line items area).
The Request Types that are relevant for your system are:
● New Account (001)
● Change Account (002)
● Lock Account (004)
● Unlock Account (005)
● Superuser Access Request (006)
The Connectors that are relevant are:
● ZMGCLNT800
● T41CLNT400
The types of requests expected and the processors are:
● For Request Types New Account (001) and Change Account (002) and the Connector
ZMGCLNT800, these requests are to be processed by the North American (NA) team.
● For Request Types New Account (001) and Change Account (002) and the Connector
T41CLNT400, these requests are to be processed by the European/Asia Pacific (EUAP)
team.
● For Request Types Delete Account (003), Lock Account (004) and Unlock Account (005)
and ANY connector, these requests will be processed by the Security team in a LOCK path.
● For Request Type Superuser Access Request (006), these requests will be processed by
the Firefighter ID Owner in an EAM (Emergency Access Management) path.
● Also, do not forget to include a rule line that will include all possibilities as per the
recommendations stated previously. These need to be processed by the Security Team.
The details for the actual stages of the workflow will be discussed in a subsequent exercise
and are not needed at this time.
Below is the workflow diagram that the Design Team provided.
Figure 1: MSMP Workflow Design
Note:
In this exercise, when values include ##, replace the character with the participant
number your instructor assigned to you.
Note:
This exercise is dependent upon the previous exercise Maintain Master Data and
Access Control Owners where the Business Processes and Subprocess were
created.
1. Create a BRFplus application with the name Z##_INITIATOR_RULE.
Field | Value
Name | Z##_INITIATOR_RULE
Short Text | Z##_INITIATOR_RULE
Development Package | ZGRAC (Hint — Use Search)
2. Create a BRFplus Initiator Rule for the SAP_GRAC_ACCESS_REQUEST Process ID. Run
transaction GRFNMW_DEV_RULES and enter the following values:
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Initiator Rule
Rule ID | Z##_INITIATOR_RULE
Application/Func. Group Name | Z##_INITIATOR_RULE
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
Override BRF+ Application Text | Access Request Initiator Rule App
Override BRF+ Function Text | Access Request Initiator Rule Function
3. Choose the table generation options Header (BRF + Flat rule) and Item (BRF + Flat rule)
and choose the following attributes:
Table 2:
Option | Field Name | Field Description
Header (BRF+ Flat rule) | REQTYPE | Request Type
Item (BRF+ Flat rule) | CONNECTOR | Application or Connector
4. Configure the decision table logic for your Initiator Rule.
5. Configure the decision table with the following decision criteria:
Request Type | Connector | Line Item Key (use Search) | Trigger Value (RULE_RESULT)
001 (New Account) | ZMGCLNT800 (ZMGCLNT800 ECC ERP) | ITEMNUM | AR_NA_PATH
002 (Change Account) | ZMGCLNT800 (ZMGCLNT800 ECC ERP) | ITEMNUM | AR_NA_PATH
001 (New Account) or 002 (Change Account) | T41CLNT400 (T41CLNT400 — S4HANA ERP) | ITEMNUM | AR_EUAP_PATH
003 (Delete Account) | Leave open for any value | ITEMNUM | AR_LOCK_PATH
004 (Lock Account) | Leave open for any value | ITEMNUM | AR_LOCK_PATH
005 (Unlock Account) | Leave open for any value | ITEMNUM | AR_LOCK_PATH
006 (Emergency Access) | Leave open for any value | ITEMNUM | AR_EAM_PATH
Leave open for any value | Leave open for any value | ITEMNUM | AR_NOINIT_PATH
6. Using the simulation functionality, test your Initiator Rule and make sure it functions as
designed using the data in the following table.
Request Type | Connector | Trigger Value (RULE_RESULT)
001 | ZMGCLNT800 | AR_NA_PATH
002 | ZMGCLNT800 | AR_NA_PATH
001 | T41CLNT400 | AR_EUAP_PATH
002 | Blank | AR_NOINIT_PATH
004 | Blank | AR_LOCK_PATH
004 | ZMGCLNT800 | AR_LOCK_PATH
005 | Blank | AR_LOCK_PATH
006 | Blank | AR_EAM_PATH
006 | ZMGCLNT800 | AR_EAM_PATH
003 | Blank | AR_LOCK_PATH
7. Find the object number of your BRFplus function and make a note of it.
My BRFplus function object number is:
Unit 6
Solution 6
Create a BRFplus Initiator Rule
Business Example
You are an SAP Access Control administrator. You have been asked to set up the Access
Request Management system so that all user requests for access are reviewed for SoD
violations before access is granted as provided by the Access Request Design team. In this
exercise, you will build the Initiator Rule that will be needed for this design and incorporate
your new BRF+ rule into the MSMP Process ID configuration.
During the access request design process, the conditions for access requests have been
decided. The request attributes that will initiate the workflow are the Request Type (from the
request header area) and the Connector (from the line items area).
The Request Types that are relevant for your system are:
● New Account (001)
● Change Account (002)
● Lock Account (004)
● Unlock Account (005)
● Superuser Access Request (006)
The Connectors that are relevant are:
● ZMGCLNT800
● T41CLNT400
The types of requests expected and the processors are:
● For Request Types New Account (001) and Change Account (002) and the Connector
ZMGCLNT800, these requests are to be processed by the North American (NA) team.
● For Request Types New Account (001) and Change Account (002) and the Connector
T41CLNT400, these requests are to be processed by the European/Asia Pacific (EUAP)
team.
● For Request Types Delete Account (003), Lock Account (004) and Unlock Account (005)
and ANY connector, these requests will be processed by the Security team in a LOCK path.
● For Request Type Superuser Access Request (006), these requests will be processed by
the Firefighter ID Owner in an EAM (Emergency Access Management) path.
● Also, do not forget to include a rule line that will include all possibilities as per the
recommendations stated previously. These need to be processed by the Security Team.
The details for the actual stages of the workflow will be discussed in a subsequent exercise
and are not needed at this time.
Below is the workflow diagram that the Design Team provided.
Figure 1: MSMP Workflow Design
Note:
In this exercise, when values include ##, replace the character with the participant
number your instructor assigned to you.
Note:
This exercise is dependent upon the previous exercise Maintain Master Data and
Access Control Owners where the Business Processes and Subprocess were
created.
1. Create a BRFplus application with the name Z##_INITIATOR_RULE.
Field | Value
Name | Z##_INITIATOR_RULE
Short Text | Z##_INITIATOR_RULE
Development Package | ZGRAC (Hint — Use Search)
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##,
access the BRFplus application by executing transaction /nBRF+.
b) On the Business Rule Framework plus screen, choose Create Application.
c) In the Create Application dialog box, enter the data from the table. Do not change any
other fields.
d) Choose Create And Navigate To Object.
e) In the left navigation panel, select the new application created. Choose Save, then
Activate.
Result: In the Navigation panel, you will now see the status of the application as Active
(shown as a green square).
f) Close the BRFplus Workbench window.
2. Create a BRFplus Initiator Rule for the SAP_GRAC_ACCESS_REQUEST Process ID. Run
transaction GRFNMW_DEV_RULES and enter the following values:
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Initiator Rule
Rule ID | Z##_INITIATOR_RULE
Application/Func. Group Name | Z##_INITIATOR_RULE
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
Override BRF+ Application Text | Access Request Initiator Rule App
Override BRF+ Function Text | Access Request Initiator Rule Function
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter /nGRFNMW_DEV_RULES.
b) Choose Enter.
c) On the Generate MSMP Rule for Process screen, enter the data from the table.
d) Choose Enter.
Caution:
Do not choose Execute.
e) Remain on this screen for the next step.
3. Choose the table generation options Header (BRF + Flat rule) and Item (BRF + Flat rule)
and choose the following attributes:
Table 2:
Option | Field Name | Field Description
Header (BRF+ Flat rule) | REQTYPE | Request Type
Item (BRF+ Flat rule) | CONNECTOR | Application or Connector
a) On the Generate MSMP Rule for Process screen, select the Header (BRF+ Flat rule)
checkbox.
b) On the Header (BRF+ Flat rule) screen, select the header attributes from the table.
c) Choose Enter.
d) On the Generate MSMP Rule for Process screen, select the Item (BRF+ Flat rule)
checkbox.
e) On the Item (BRF+ Flat rule) screen, select the item attributes from the table.
f) Choose Enter.
g) On the Generate MSMP Rule for Process screen, choose Execute.
h) On the Display Logs screen, check the log for errors.
Note:
A warning message will appear stating that Name Z##_INITIATOR_RULE
has already been used. This is expected since this was created in a
previous step. If you find errors in your log, ask your instructor for
assistance.
i) Choose Back until you return to the SAP Easy Access — User Menu for Training
GRC300-## screen.
4. Configure the decision table logic for your Initiator Rule.
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter /nBRF+.
b) Choose Enter.
c) On the Business Rule Framework plus screen, in the Show drop-down menu, choose
My Applications.
d) On the Business Rule Framework plus screen, in the My Applications navigation panel,
choose Z##_INITIATOR_RULE → Expression → Decision
Table → Z##_INITIATOR_RULE - Decision Table.
e) Remain on this screen for the next step.
5. Configure the decision table with the following decision criteria:
Request Type | Connector | Line Item Key (use Search) | Trigger Value (RULE_RESULT)
001 (New Account) | ZMGCLNT800 (ZMGCLNT800 ECC ERP) | ITEMNUM | AR_NA_PATH
002 (Change Account) | ZMGCLNT800 (ZMGCLNT800 ECC ERP) | ITEMNUM | AR_NA_PATH
001 (New Account) or 002 (Change Account) | T41CLNT400 (T41CLNT400 — S4HANA ERP) | ITEMNUM | AR_EUAP_PATH
003 (Delete Account) | Leave open for any value | ITEMNUM | AR_LOCK_PATH
004 (Lock Account) | Leave open for any value | ITEMNUM | AR_LOCK_PATH
005 (Unlock Account) | Leave open for any value | ITEMNUM | AR_LOCK_PATH
006 (Emergency Access) | Leave open for any value | ITEMNUM | AR_EAM_PATH
Leave open for any value | Leave open for any value | ITEMNUM | AR_NOINIT_PATH
a) On the Business Rule Framework plus screen, verify that you are in Edit Mode. If not in
Edit Mode, choose Edit in the top menu bar.
b) In the Table Contents section, choose (Insert New Row).
Note:
When editing a row, you can either choose the drop-down icon in the field,
or you can use the Row Editor to edit all fields in a row in one screen. To
open the Row Editor, select the row, and choose Row Editor from the Table
Contents menu.
c) In the Request Type column, in the drop-down menu, choose Direct Value Input, or in
the Row Editor, choose Direct Value Input.
Note:
Use the correct Boolean value to achieve the required results. For example,
if the condition is to apply to request type 001, use the value "is equal to". You
can change the Boolean value by using the drop-down list, for example to "is
between" or "is not equal to".
Note:
Remember, this is an Initiator rule type, so you must consider the order of the
condition lines. HINT: The table above indicates the correct order.
d) In the Request Type field, choose the appropriate Boolean value in the first box using
the drop-down list.
e) In the Request Type field, enter request type ID (001), or use search to choose
from the request type list in the second box.
f) If multiple entries are needed, choose Change after the second box, and choose Insert
Include Condition to add additional entries.
g) If editing directly in the field, choose OK to save and configure next field. If using Row
Editor, complete this process for each field except for Line Item.
h) In the Line Item Key column, from the drop-down menu, choose Context → More. If
using the Row Editor, choose Other operations → Select Context Parameter.
i) In the Context Query dialog box, in the Search Criteria section, in the Name row, in the
third column, enter ITEMNUM.
j) Choose Search.
k) In the Result List, select ITEMNUM.
Hint:
If you did not change your profile to the EXPERT mode, this may be listed
as Line Item Key.
l) Repeat steps d - k for the remaining table entries.
m) Choose Save.
n) Choose Check.
o) Choose Activate, then choose Yes.
p) Remain on this screen for the next step.
6. Using the simulation functionality, test your Initiator Rule and make sure it functions as
designed using the data in the following table.
Request Type | Connector | Trigger Value (RULE_RESULT)
001 | ZMGCLNT800 | AR_NA_PATH
002 | ZMGCLNT800 | AR_NA_PATH
001 | T41CLNT400 | AR_EUAP_PATH
002 | Blank | AR_NOINIT_PATH
004 | Blank | AR_LOCK_PATH
004 | ZMGCLNT800 | AR_LOCK_PATH
005 | Blank | AR_LOCK_PATH
006 | Blank | AR_EAM_PATH
006 | ZMGCLNT800 | AR_EAM_PATH
003 | Blank | AR_LOCK_PATH
a) On the Business Rule Framework plus screen, in the Detail section, choose Start
Simulation.
b) On the Business Rule Framework plus — Simulation screen, choose Continue.
c) On the next screen, enter the data from the table.
d) Choose Execute.
Note:
You can also choose Execute and Display Processing Steps as this will
display the Simulation Results and the Processing Logic. This can be a
troubleshooting tool when you do not get the expected results.
e) On the next screen, verify that the result matches the Trigger Value column in the table
at the beginning of this task.
f) Choose Back to Simulation.
g) Repeat steps c - e to complete the simulation for the remaining rules.
h) Choose Back to Workbench.
i) In the My Applications navigation panel, choose
Z##_INITIATOR_RULE → Function → Z##_INITIATOR_RULE - Function.
j) Choose Save.
k) Choose Check.
Note:
A warning will appear; this is expected for this scenario.
l) Choose Activate, then choose Yes.
m) In the My Applications navigation panel, choose Z##_INITIATOR_RULE - Application.
n) Choose Save.
o) Choose Check.
p) Choose Activate.
q) Remain on this screen for the next step.
7. Find the object number of your BRFplus function and make a note of it.
My BRFplus function object number is:
a) On the Business Rule Framework plus screen, in the My Applications navigation panel,
choose Z##_INITIATOR_RULE → Function → Z##_INITIATOR_RULE - Function.
b) In the General section, at the end of the line, choose (Expand Tray).
c) In the ID field, find your BRFplus object number and note it in the space provided.
d) Remain on this screen for the next exercise.
Unit 6
Exercise 7
Create BRFplus Agent and Routing Rules
Business Example
You are an SAP Access Control administrator. You have been asked to create a custom
approver determinator rule and a detour to another path based upon criteria from the
security team responsible for Access Request Workflow. To complete this task, you need to
create an Agents Rule and a Routing Rule.
The design team has decided that a special routing during the European/Asia Pacific (EUAP)
path is required based upon the attributes Business Process and Subprocess of the Role
requested.
If the role requested is assigned ##B1 as the Business Process and ##S1 as the Subprocess,
these roles need additional approval.
The design team also decided that if, during the North American (NA) path, a user has a
Segregation of Duties (SOD) issue, then the approver is assigned by the Business Process and
Subprocess of the role. If the role is assigned ##B1 as the Business Process, then the SOD
needs to be approved by user GRC300-##. If any other Business Process is assigned to the
role, then the SOD needs to be approved by user GRC300-99.
As a refresher, below is the MSMP Workflow Design from the Access Request Design Team.
Figure 2: MSMP Workflow Design
Note:
This exercise uses the Business Process and Subprocess data created previously
in the exercise Maintain Master Data and the data assigned in the exercise Access
Control Owners.
Note:
In this exercise, when values include ##, replace the character with the participant
number your instructor assigned to you.
1. Create BRF+ application Z##_AGENTS_RULE and assign it to a package to allow transport.
Field | Value
Name | Z##_AGENTS_RULE
Short Text | Z##_AGENTS_RULE
Development Package | ZGRAC (Hint — Use Search)
2. Create a BRFplus Agents Rule for the SAP_GRAC_ACCESS_REQUEST MSMP Process ID
using transaction code GRFNMW_DEV_RULES, and enter the following values:
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Agents Rule
Rule ID | Z##_AGENTS_RULE
Application/Func. Group Name | Z##_AGENTS_RULE
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
Override BRF+ Application Text | Access Request Agents Rule App
Override BRF+ Function Text | Access Request Agents Rule Function
3. Choose the table generation options Item (BRF+ Flat rule), and choose the following
attributes:
Option | Field Names | Field Description
Item (BRF+ Flat rule) | BPROC | Business Process
4. Configure the decision table logic for your Agents Rule.
5. Configure the decision table with the following decision criteria:
Business Process | Line Item Key | User ID
##B1 (Group ## Business Process 1) | ITEMNUM | GRC300-##
not equal to ##B1 | ITEMNUM | GRC300-99
6. Using the simulation functionality, test your Agents Rule and make sure it functions as
designed using the data in the following table:
Business Process | User ID
##B1 | GRC300-##
FI00 | GRC300-99
MM00 | GRC300-99
7. Find the object number for your BRFplus function and make note of it.
My BRFplus function object number is:
8. Create BRFplus application Z##_ROUTING_RULE and assign it to a package to allow
transport.
Field | Value
Name | Z##_ROUTING_RULE
Short Text | Z##_ROUTING_RULE
Development Package | ZGRAC (Hint — Use Search)
Note:
Refer to the Business Example at the beginning of the exercise for details if
needed.
9. Create a BRFplus Routing Rule for the SAP_GRAC_ACCESS_REQUEST Process ID. Run
transaction /nGRFNMW_DEV_RULES and enter the following values:
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Routing Rule
Rule ID | Z##_ROUTING_RULE
Application/Func. Group Name | Z##_ROUTING_RULE
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
Override BRF+ Application Text | Access Request Routing Rule App
Override BRF+ Function Text | Access Request Routing Rule Function
10. Choose the table generation option Item (BRF+ Flat rule), and choose the following
attributes:
Option | Field Name | Field Description
Item (BRF+ Flat rule) | BPROC | Business Process
Item (BRF+ Flat rule) | BSUBPROC | Subprocess
11. Configure the decision table logic for your Routing rule.
12. Configure the decision table with the following decision criteria:
Business Process | Subprocess | Line Item Key | Trigger Value (RULE_RESULT)
##B1 | ##S1 | ITEMNUM | SP_ROUTE_PATH
13. Using the simulation functionality, test your Routing Rule and make sure it functions as
designed using the data in the following table:
Business Process | Subprocess | Trigger Value (RULE_RESULT)
##B1 | ##S1 | SP_ROUTE_PATH
##B2 | ##S1 | No Value Returned
BLANK | ##S1 | No Value Returned
##B1 | BLANK | No Value Returned
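The three decision tables built in Exercise 6 (step 5, the Initiator Rule) and Exercise 7 (step 5, the Agents Rule, and step 12, the Routing Rule) share one evaluation model: rows are checked top to bottom, the first row whose conditions all hold supplies RULE_RESULT (or the approver user ID), and a table with no matching row returns nothing. The following Python script is an added example and not SAP or BRFplus code: the function names, the participant number 07 standing in for ##, and the first-row-wins evaluation are assumptions made for illustration. It replays every simulation row from the exercise tables above and also shows why the open/open catch-all row must stay last in the Initiator table, as the note in Solution 6 warns.

```python
"""First-match decision-table model of the BRFplus MSMP rules in Exercises 6 and 7.

Added example, not SAP code. It assumes single-match evaluation (first
matching row wins), which is what the rule ordering in the exercises relies on.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A cell left open ("Leave open for any value") is modelled as None.
ANY = None
Condition = Optional[Callable[[str], bool]]


def is_equal(*values: str) -> Callable[[str], bool]:
    """'is equal to'; several values model an 'or' include condition (001 or 002)."""
    return lambda actual: actual in values


def is_not_equal(value: str) -> Callable[[str], bool]:
    """'is not equal to'."""
    return lambda actual: actual != value


@dataclass
class Row:
    conditions: Dict[str, Condition]  # context column -> condition (None = any value)
    result: str                       # RULE_RESULT, or the user ID for an agents rule


def evaluate(table: List[Row], facts: Dict[str, str]) -> Optional[str]:
    """Return the result of the first matching row; None means 'No Value Returned'."""
    for row in table:
        if all(cond is ANY or cond(facts.get(col, ""))
               for col, cond in row.conditions.items()):
            return row.result
    return None


PARTICIPANT = "07"  # constructed stand-in for the ## participant number
B1, S1 = f"{PARTICIPANT}B1", f"{PARTICIPANT}S1"

# Exercise 6, step 5: Initiator Rule rows in the order given on the page.
INITIATOR = [
    Row({"REQTYPE": is_equal("001"), "CONNECTOR": is_equal("ZMGCLNT800")}, "AR_NA_PATH"),
    Row({"REQTYPE": is_equal("002"), "CONNECTOR": is_equal("ZMGCLNT800")}, "AR_NA_PATH"),
    Row({"REQTYPE": is_equal("001", "002"), "CONNECTOR": is_equal("T41CLNT400")}, "AR_EUAP_PATH"),
    Row({"REQTYPE": is_equal("003"), "CONNECTOR": ANY}, "AR_LOCK_PATH"),
    Row({"REQTYPE": is_equal("004"), "CONNECTOR": ANY}, "AR_LOCK_PATH"),
    Row({"REQTYPE": is_equal("005"), "CONNECTOR": ANY}, "AR_LOCK_PATH"),
    Row({"REQTYPE": is_equal("006"), "CONNECTOR": ANY}, "AR_EAM_PATH"),
    Row({"REQTYPE": ANY, "CONNECTOR": ANY}, "AR_NOINIT_PATH"),  # catch-all: must be last
]

# Exercise 7, step 5: Agents Rule (approver by Business Process).
AGENTS = [
    Row({"BPROC": is_equal(B1)}, f"GRC300-{PARTICIPANT}"),
    Row({"BPROC": is_not_equal(B1)}, "GRC300-99"),
]

# Exercise 7, step 12: Routing Rule (detour only when both attributes match).
ROUTING = [
    Row({"BPROC": is_equal(B1), "BSUBPROC": is_equal(S1)}, "SP_ROUTE_PATH"),
]


def initiator(reqtype: str, connector: str = "") -> Optional[str]:
    return evaluate(INITIATOR, {"REQTYPE": reqtype, "CONNECTOR": connector})


def approver(bproc: str) -> Optional[str]:
    return evaluate(AGENTS, {"BPROC": bproc})


def route(bproc: str, bsubproc: str) -> Optional[str]:
    return evaluate(ROUTING, {"BPROC": bproc, "BSUBPROC": bsubproc})


# Simulation rows copied from the exercise tables ("" stands for Blank).
INITIATOR_CASES = [
    ("001", "ZMGCLNT800", "AR_NA_PATH"), ("002", "ZMGCLNT800", "AR_NA_PATH"),
    ("001", "T41CLNT400", "AR_EUAP_PATH"), ("002", "", "AR_NOINIT_PATH"),
    ("004", "", "AR_LOCK_PATH"), ("004", "ZMGCLNT800", "AR_LOCK_PATH"),
    ("005", "", "AR_LOCK_PATH"), ("006", "", "AR_EAM_PATH"),
    ("006", "ZMGCLNT800", "AR_EAM_PATH"), ("003", "", "AR_LOCK_PATH"),
]
AGENT_CASES = [(B1, f"GRC300-{PARTICIPANT}"), ("FI00", "GRC300-99"), ("MM00", "GRC300-99")]
ROUTING_CASES = [(B1, S1, "SP_ROUTE_PATH"), (f"{PARTICIPANT}B2", S1, None),
                 ("", S1, None), (B1, "", None)]


def simulate_all() -> bool:
    """True when every simulation row of Exercises 6 and 7 yields its expected value."""
    return (all(initiator(r, c) == exp for r, c, exp in INITIATOR_CASES)
            and all(approver(b) == exp for b, exp in AGENT_CASES)
            and all(route(b, s) == exp for b, s, exp in ROUTING_CASES))


def catch_all_first_masks_routes() -> bool:
    """Put the open/open row first: every request then lands on AR_NOINIT_PATH."""
    wrong_order = [INITIATOR[-1]] + INITIATOR[:-1]
    return all(evaluate(wrong_order, {"REQTYPE": r, "CONNECTOR": c}) == "AR_NOINIT_PATH"
               for r, c, _ in INITIATOR_CASES)


if __name__ == "__main__":
    print("all simulation rows pass:", simulate_all())
    print("catch-all row first masks every route:", catch_all_first_masks_routes())
```

Running the script prints True twice. The second check is the point of the ordering note in Solution 6: because a flat rule stops at the first matching row, a row with every condition left open matches everything, so placing it anywhere but last silently sends every request down the no-initiator path. The routing cases show the opposite failure mode: with no catch-all row, a partial match (only ##B1, or only ##S1) returns no value at all, which is the expected "No Value Returned" in the simulation table.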
14. Find the object number for your BRFplus function and make note of it.
My BRFplus function object number is:
Unit 6
Solution 7
Create BRFplus Agent and Routing Rules
Business Example
You are an SAP Access Control administrator. You have been asked to create a custom
approver determinator rule and a detour to another path based upon criteria from the
security team responsible for Access Request Workflow. To complete this task, you need to
create an Agents Rule and a Routing Rule.
The design team has decided that a special routing during the European/Asia Pacific (EUAP)
path is required based upon the attributes Business Process and Subprocess of the Role
requested.
If the role requested is assigned ##B1 as the Business Process and ##S1 as the Subprocess,
these roles need additional approval.
The design team also decided that if, during the North American (NA) path, a user has a
Segregation of Duties (SOD) issue, then the approver is assigned by the Business Process and
Subprocess of the role. If the role is assigned ##B1 as the Business Process, then the SOD
needs to be approved by user GRC300-##. If any other Business Process is assigned to the
role, then the SOD needs to be approved by user GRC300-99.
As a refresher, below is the MSMP Workflow Design from the Access Request Design Team.
Figure 2: MSMP Workflow Design
Note:
This exercise uses the Business Process and Subprocess data created previously
in the exercise Maintain Master Data and the data assigned in the exercise Access
Control Owners.
Note:
In this exercise, when values include ##, replace the character with the participant
number your instructor assigned to you.
1. Create BRF+ application Z##_AGENTS_RULE and assign it to a package to allow transport.
Field | Value
Name | Z##_AGENTS_RULE
Short Text | Z##_AGENTS_RULE
Development Package | ZGRAC (Hint — Use Search)
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##,
access the BRF+ application by executing transaction /nBRFplus.
b) Choose Create Application.
c) In the Create Application dialog box, enter the data from the table. Do not change any
other fields.
d) Choose Create And Navigate To Object.
e) In the left navigation panel, select the new application created. Choose Save, then
Activate.
As a result, in the Navigation panel, you will now see the status of the application as
Active (shown as a green square).
f) Close the BRFplus Workbench window.
2. Create a BRFplus Agents Rule for the SAP_GRAC_ACCESS_REQUEST MSMP Process ID
using transaction code GRFNMW_DEV_RULES, and enter the following values:
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Agents Rule
Rule ID | Z##_AGENTS_RULE
Application/Func. Group Name | Z##_AGENTS_RULE
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
Override BRF+ Application Text | Access Request Agents Rule App
Override BRF+ Function Text | Access Request Agents Rule Function
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter /nGRFNMW_DEV_RULES.
b) Choose Enter.
c) On the Generate MSMP Rule for Process screen, enter the data from the table.
d) Choose Enter.
Note:
Do not choose Execute.
e) Remain on this screen for the next step.
3. Choose the table generation options Item (BRF+ Flat rule), and choose the following
attributes:
Option | Field Names | Field Description
Item (BRF+ Flat rule) | BPROC | Business Process
a) On the Generate MSMP Rule for Process screen, select the Item (BRF+ Flat rule)
checkbox.
b) On the Generate MSMP Rule for Process screen, select the Item (BRF+ Flat Rule)
checkbox.
c) On the Item (BRF+ Flat Rule) dialog box, select the item attributes from the table.
d) Choose Enter.
e) On the Generate MSMP Rule for Process screen, choose Execute.
f) On the Display Logs screen, check the log for errors.
Note:
A warning message will appear stating that Name Z##_AGENTS_RULE has
already been used. This is expected since this was created in a previous
step. If you find errors in your log, ask your instructor for assistance.
g) Choose Back until you return to the SAP Easy Access — User Menu for Training
GRC300-## screen.
4. Configure the decision table logic for your Agents Rule.
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter /nBRF+.
b) Choose Enter.
c) On the Business Rule Framework plus screen, in the Show dropdown menu, choose My
Applications.
d) On the Business Rule Framework plus screen, in the My Applications navigation panel,
choose Z##_AGENTS_RULE → Expression → Decision Table → Z##_AGENTS_RULE Decision Table.
e) Remain on this screen for the next step.
5. Configure the decision table with the following decision criteria:
Business Process | Line Item Key | User ID
##B1 (Group ## Business Process 1) | ITEMNUM | GRC300-##
not equal to ##B1 | ITEMNUM | GRC300-99
a) On the Business Rule Framework plus screen, verify that you are in Edit Mode. If not in
Edit Mode, choose Edit in the top menu bar.
b) In the Table Contents table, choose (Insert New Row).
Note:
When editing a row, you can either choose the dropdown icon in the field,
or you can use the Row Editor to edit all fields in a row in one screen. To
open the Row Editor, select the row, and choose Row Editor from the Table
Contents menu.
c) In the BPROC (Business Process) column, in the dropdown menu, choose Direct Value
input or in the Row Editor, choose Direct Value Input.
d) In the BPROC (Business Process) field, choose the appropriate Boolean value in the
first box using the dropdown list.
e) In the BPROC (Business Process) field, enter ##B1, or choose from the Business
Process list in the second box.
f) If multiple entries are needed, choose Change after the second box. Choose Insert
Include Condition to add additional entries.
g) If editing directly in the field, choose OK to save and configure the next field. If using
the Row Editor, complete this process for each field except for Line Item.
h) In the Line Item column, in the dropdown menu, choose Context → More. If using the
Row Editor, choose Other operations → Select Context Parameter.
i) In the Context Query dialog box, in the Search Criteria section, in the Name row, in the
third column, enter ITEMNUM.
j) Choose Search.
k) In the Result List, select ITEMNUM.
l) Repeat steps b - k for the remaining table entries.
m) Choose Save.
n) Choose Check.
o) Choose Activate, then choose Yes.
p) Remain on this screen for the next step.
6. Using the simulation functionality, test your Agents Rule and make sure it functions as
designed using the data in the following table:
Business Process | User ID
##B1 | GRC300-##
FI00 | GRC300-99
MM00 | GRC300-99
a) On the Business Rule Framework plus screen, in Detail section, choose Start
Simulation.
b) On the Business Rule Framework plus — Simulation screen, choose Continue.
c) On the next screen, enter the data for the first line from the table.
d) Choose Execute.
Note:
You can also choose Execute and Display Processing Steps as this will
display the Simulation Results and the Processing Logic. This can be a
troubleshooting tool when you do not get the expected results.
e) On the next screen, verify that the result matches the User ID column in the table at
the beginning of this task.
f) Choose Back to Simulation.
g) Repeat the simulation for the remaining rules.
h) Choose Back to Workbench.
i) In the My Applications navigation panel, choose
Z##_AGENTS_RULE → Function → Z##_AGENTS_RULE-Function.
j) Choose Save.
k) Choose Check.
l) Choose Activate, then choose Yes.
m) In the My Applications navigation panel, choose Z##_AGENTS_RULE-Application.
n) Choose Save.
o) Choose Check.
p) Choose Activate.
q) Remain on this screen for the next step.
7. Find the object number for your BRFplus function and make note of it.
My BRFplus function object number is:
a) On the Business Rule Framework plus screen, in the My applications navigation panel,
choose Z##_AGENTS_RULE → Function → Z##_AGENTS_RULE-Function.
b) In the General section, at the end of the line, choose Expand Tray.
c) In the ID field, find your BRFplus object number and note it in the space provided.
d) Remain on this screen for the next step.
8. Create BRFplus application Z##_ROUTING_RULE and assign it to a package to allow
transport.
Field | Value
Name | Z##_ROUTING_RULE
Short Text | Z##_ROUTING_RULE
Development Package | ZGRAC (Hint — Use Search)
Note:
Refer to the Business Example at the beginning of the exercise for details if
needed.
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##,
access the BRF+ application by executing transaction /nBRF+.
b) On the Business Rule Framework plus screen, choose Create Application.
c) In the Create Application dialog box, enter the data from the table. Do not change any
other fields.
d) Choose Create And Navigate To Object.
e) In the left navigation panel, select the new application created. Choose Save, then
Activate.
As a result, in the Navigation panel, you will now see the status of the application as
Active (shown as a green square).
f) Close the BRFplus Workbench window.
9. Create a BRFplus Routing Rule for the SAP_GRAC_ACCESS_REQUEST Process ID. Run
transaction /nGRFNMW_DEV_RULES and enter the following values:
Field                            Value
MSMP Process ID                  SAP_GRAC_ACCESS_REQUEST
Rule Kind                        Routing Rule
Rule ID                          Z##_ROUTING_RULE
Application/Func. Group Name     Z##_ROUTING_RULE
Rule Type                        BRFplus Flat Rule (LineItem by LineItem)
Override BRF+ Application Text   Access Request Routing Rule App
Override BRF+ Function Text      Access Request Routing Rule Function
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter /nGRFNMW_DEV_RULES.
b) Choose Enter.
c) On the Generate MSMP Rule for Process screen, enter the data from the table.
d) Choose Enter.
Note:
Do not choose Execute.
10. Choose the table generation option Item (BRF+ Flat rule), and choose the following
attributes:
Option                  Field Name   Field Description
Item (BRF+ Flat rule)   BPROC        Business Process
Item (BRF+ Flat rule)   BSUBPROC     Subprocess
a) On the Generate MSMP Rule for Process screen, select the Item (BRF+ Flat rule)
checkbox.
b) On the Item (BRF+ Flat rule) dialog box, select the item attributes from the table.
c) Choose Enter.
d) On the Generate MSMP Rule for Process screen, choose Execute.
e) On the Display Logs screen, check the logs for errors.
Note:
A warning message will appear stating that Name Z##_ROUTING_RULE
has already been used. This is expected since this was created in a previous
step. If you find errors in your log, ask your instructor for assistance.
f) Choose Back until you return to the SAP Easy Access — User Menu for Training
GRC300-## screen.
11. Configure the decision table logic for your Routing rule.
a) In the TGT system, on the SAP Easy Access — User Menu for Training GRC300-##
screen, in the command field, enter /nBRF+.
b) Choose Enter.
c) On the Business Rule Framework plus screen, in the Show dropdown menu, choose My
Applications.
d) On the Business Rule Framework plus screen, in the My Applications navigation panel,
choose Z##_ROUTING_RULE → Expression → Decision
Table → Z##_ROUTING_RULE-Decision Table.
e) Remain on this screen for the next step.
12. Configure the decision table with the following decision criteria:
Business Process   Subprocess   Line Item Key   Trigger Value (RULE_RESULT)
##B1               ##S1         ITEMNUM         SP_ROUTE_PATH
a) Verify that you are in Edit Mode. If not in Edit Mode, choose Edit from the top menu bar.
b) In the Table Contents table, choose Insert New Row.
c) In the Business Process Column, in the dropdown menu, choose Direct Value Input, or
in the Row Editor, choose Direct Value Input.
d) In the Business Process field, choose the appropriate Boolean value in the first box
using the dropdown list.
e) In the Business Process column, enter business process ID ##B1, or use search to
choose from the Business Process list in the second box.
f) If multiple entries are needed, choose Change after the second box. Choose Insert
Include Condition to add additional entries.
g) If editing directly in the field, choose OK to save and configure the next field. If using
Row Editor, complete this process for each field except for Line Item.
h) In the Line Item Key column, in the dropdown menu, choose Context → More. If using
the Row Editor, choose Other operations → Select Context Parameter.
i) In the Context Query dialog box, in the Search Criteria section, in the Name row, in the
third column, enter ITEMNUM.
j) Choose Search.
k) In the Result List, choose ITEMNUM.
Hint:
If you did not change your profile to the EXPERT mode, this may be listed
as Line Item Key.
l) Choose Save.
m) Choose Check.
n) Choose Activate, then choose Yes.
o) Remain on this screen for the next step.
13. Using the simulation functionality, test your Routing Rule and make sure it functions as
designed using the data in the following table:
Business Process   Subprocess   Trigger Value (RULE_RESULT)
##B1               ##S1         SP_ROUTE_PATH
##B2               ##S1         No Value Returned
BLANK              ##S1         No Value Returned
##B1               BLANK        No Value Returned
a) On the Business Rule Framework plus screen, in the Detail section, choose Start
Simulation.
b) On the Business Rule Framework plus - Simulation screen, choose Continue.
c) On the next screen, enter the data for the first line from the table.
d) Choose Execute.
e) On the next screen, verify that the result matches the Trigger Value column in the table
at the beginning of this task.
f) Choose Back to Simulation.
g) Repeat the simulation for the remaining rules.
h) Choose Back to Workbench.
i) In the My Applications navigation panel, choose
Z##_ROUTING_RULE → Function → Z##_ROUTING_RULE-Function.
j) Choose Save.
k) Choose Check.
l) Choose Activate, then choose Yes.
m) In the My Applications navigation panel, choose Z##_ROUTING_RULE-Application.
n) Choose Save.
o) Choose Check.
p) Choose Activate, then choose Yes.
q) Remain on this screen for the next step.
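The decision table built in step 12 and the simulation matrix in step 13 describe a flat rule that is evaluated line item by line item and returns a trigger value only when every condition cell matches. The following Python model is an added example written for this course page; it is not SAP's BRFplus implementation and not part of the course material. It assumes the participant number ## is 00, represents BLANK cells as empty strings, and uses constructed ITEMNUM keys; the function names (evaluate_flat_rule, run_simulation, and so on) are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A decision-table cell is a predicate over one context value.
Condition = Callable[[str], bool]


def equals(expected: str) -> Condition:
    """One Direct Value Input cell using the 'is equal to' comparison."""
    return lambda value: value == expected


def any_of(*expected: str) -> Condition:
    """A cell holding several include conditions (Insert Include Condition); they are OR-ed."""
    return lambda value: value in expected


@dataclass
class DecisionRow:
    business_process: Condition  # BPROC column
    subprocess: Condition        # BSUBPROC column
    rule_result: str             # RULE_RESULT (trigger value) returned when both cells match


@dataclass
class LineItem:
    itemnum: str    # context parameter ITEMNUM (Line Item Key)
    bproc: str      # Business Process of the requested line item
    bsubproc: str   # Subprocess of the requested line item


def evaluate_flat_rule(rows: List[DecisionRow], items: List[LineItem]) -> Dict[str, str]:
    """Evaluate a flat rule line item by line item.

    Rows are tried top-down and the first match wins. Items that match no row are
    left out of the result, which the simulation screen shows as 'No Value Returned'.
    """
    result: Dict[str, str] = {}
    for item in items:
        for row in rows:
            if row.business_process(item.bproc) and row.subprocess(item.bsubproc):
                result[item.itemnum] = row.rule_result
                break
    return result


def routing_rule_rows(group: str) -> List[DecisionRow]:
    """The single row configured in step 12, with ## replaced by the participant number."""
    return [DecisionRow(equals(f"{group}B1"), equals(f"{group}S1"), "SP_ROUTE_PATH")]


def simulation_cases(group: str) -> List[Tuple[str, str]]:
    """Constructed inputs mirroring the step 13 table; BLANK cells are empty strings."""
    return [
        (f"{group}B1", f"{group}S1"),
        (f"{group}B2", f"{group}S1"),
        ("", f"{group}S1"),
        (f"{group}B1", ""),
    ]


def run_simulation(group: str = "00") -> List[str]:
    """Return the trigger value per simulation case, or 'No Value Returned'."""
    rows = routing_rule_rows(group)
    results = []
    for n, (bproc, bsubproc) in enumerate(simulation_cases(group), start=1):
        itemnum = f"{n:06d}"  # constructed line item key
        hit = evaluate_flat_rule(rows, [LineItem(itemnum, bproc, bsubproc)])
        results.append(hit.get(itemnum, "No Value Returned"))
    return results


if __name__ == "__main__":
    for (bproc, bsubproc), res in zip(simulation_cases("00"), run_simulation("00")):
        print(f"{bproc or 'BLANK':6} {bsubproc or 'BLANK':6} -> {res}")
```

Only the first case returns SP_ROUTE_PATH; a wrong business process or a blank cell in either column leaves the line item unmatched, which is exactly the behaviour the simulation table expects. The any_of helper shows what several include conditions in one cell (step f) amount to: an OR over the listed values in that column only.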
14. Find the object number for your BRFplus function and make note of it.
My BRFplus function object number is:
a) On the Business Rule Framework plus screen, in the My applications navigation panel,
choose Z##_ROUTING_RULE → Function → Z##_ROUTING_RULE-Function.
b) In the General section, at the end of the line, choose Expand Tray.
c) In the ID field, find your BRFplus object number and note it in the space provided.
d) Close BRFplus by clicking the X in the upper right hand corner of the BRFplus window.
Unit 7
Exercise 8
Evaluate MSMP Workflow Configuration
Business Example
Your organization is implementing SAP Access Control to handle all access requests within
one process including new user ID requests and adding more authorizations. The
implementation team has configured the Access Request Approval Workflow based upon the
blueprint provided by the Access Request Design, which is outlined in the diagram below.
Figure 3: MSMP Workflow Design
The request attributes that will initiate the workflow are the Request Type (from the request
header area) and the Connector (from the line items area).
The Request Types that are relevant for your system are:
● New Account (001)
● Change Account (002)
● Delete Account (003)
● Lock Account (004)
● Unlock Account (005)
● Emergency Access (006)
The connectors that are relevant are:
● ZMGCLNT800
● T41CLNT400
North America Access Requests
The approvals required for the North American (NA) requests, types 001 and 002, are
Manager, Role Approver (defined on the Role Master Data), and the Security Team. The
design team also decided that for the North American (NA) path, if a user has a Segregation
of Duties (SOD) issue at the Role Owner Stage, then the approver is assigned by the Business
Process of the role. If the role is assigned 00BP as the Business Process, then the SOD needs
to be approved by user GRC300–00. If any other Business Process is assigned to the role, then
the SOD needs to be approved by user GRC300–99.
Europe and Asia Pacific Access Requests
The approvals required for the European/Asia Pacific (EUAP) requests, types 001 and 002,
are Role Approver (defined on the Role Master Data). For requests that are part of the
European/Asia Pacific (EUAP) path, if the role requested is assigned 00BP as the Business
Process, these roles need additional approval by the Security Team.
Administration Requests
For Request Types Delete Account (003), Lock Account (004) and Unlock Account (005) for
ANY connector, these requests will be processed using a LOCK path with a Security Team
member as the approver.
For Request Type Emergency Access (006), these requests will be processed using an EAM
(Emergency Access Management) path with the Firefighter ID Owners as the approver.
Note:
In this exercise, you will be evaluating the MSMP Workflow Configuration that has
been created by the implementation team. DO NOT MAKE ANY CHANGES TO
THE CONFIGURATION.
1. Execute transaction /nGRFNMW_CONFIGURE_WD to open MSMP Workflow
Configuration and answer the following question:
How many workflow Process IDs are delivered by SAP for MSMP Workflow?
2. For Process ID SAP_GRAC_ACCESS_REQUEST, what will happen to an Access Request in
the event auto provisioning fails?
Describe what will happen to an Access Request in the event auto provisioning fails.
3. Identify the available Initiator Rules for access requests.
List available Initiator Rules for SAP_GRAC_ACCESS_REQUEST.
4. For MSMP Workflow, each Process ID may have only one (1) Initiator Rule active at any
given time as the Process Initiator. The Process Initiator determines which Initiator Rule
will be evaluated when an Access Request is submitted. What is the Process Initiator for
Process ID SAP_GRAC_ACCESS_REQUEST?
What is the Process Initiator for Process ID SAP_GRAC_ACCESS_REQUEST?
5. For the AR_NA_PATH, answer the following questions when processing the
GRAC_MANAGER stage.
How is the approver of the request determined?
If the requester who submitted the Access Request forgot to include a critical role, can the
Manager add that role to the request?
If the Manager approves the Access Request, are comments mandatory?
6. For the AR_NA_PATH, answer the following questions when processing the
GRAC_ROLEOWNER stage.
Has a routing rule been enabled in the GRAC_ROLEOWNER stage?
Is the approver at the GRAC_ROLEOWNER stage required to run a Risk Analysis before
they can submit the Access Request?
7. For the AR_EUAP_PATH, answer the following questions when processing the
GRAC_ROLEOWNER stage.
Is the same routing rule configured for the GRAC_ROLEOWNER stage in both the
AR_EUAP_PATH and the AR_NA_PATH?
How can you determine the conditions that will trigger the custom routing rule for the
GRAC_ROLE_OWNER stage?
Unit 7
Solution 8
Evaluate MSMP Workflow Configuration
Business Example
Your organization is implementing SAP Access Control to handle all access requests within
one process including new user ID requests and adding more authorizations. The
implementation team has configured the Access Request Approval Workflow based upon the
blueprint provided by the Access Request Design, which is outlined in the diagram below.
Figure 3: MSMP Workflow Design
The request attributes that will initiate the workflow are the Request Type (from the request
header area) and the Connector (from the line items area).
The Request Types that are relevant for your system are:
● New Account (001)
● Change Account (002)
● Delete Account (003)
● Lock Account (004)
● Unlock Account (005)
● Emergency Access (006)
The connectors that are relevant are:
● ZMGCLNT800
● T41CLNT400
North America Access Requests
The approvals required for the North American (NA) requests, types 001 and 002, are
Manager, Role Approver (defined on the Role Master Data), and the Security Team. The
design team also decided that for the North American (NA) path, if a user has a Segregation
of Duties (SOD) issue at the Role Owner Stage, then the approver is assigned by the Business
Process of the role. If the role is assigned 00BP as the Business Process, then the SOD needs
to be approved by user GRC300–00. If any other Business Process is assigned to the role, then
the SOD needs to be approved by user GRC300–99.
Europe and Asia Pacific Access Requests
The approvals required for the European/Asia Pacific (EUAP) requests, types 001 and 002,
are Role Approver (defined on the Role Master Data). For requests that are part of the
European/Asia Pacific (EUAP) path, if the role requested is assigned 00BP as the Business
Process, these roles need additional approval by the Security Team.
Administration Requests
For Request Types Delete Account (003), Lock Account (004) and Unlock Account (005) for
ANY connector, these requests will be processed using a LOCK path with a Security Team
member as the approver.
For Request Type Emergency Access (006), these requests will be processed using an EAM
(Emergency Access Management) path with the Firefighter ID Owners as the approver.
Note:
In this exercise, you will be evaluating the MSMP Workflow Configuration that has
been created by the implementation team. DO NOT MAKE ANY CHANGES TO
THE CONFIGURATION.
1. Execute transaction /nGRFNMW_CONFIGURE_WD to open MSMP Workflow
Configuration and answer the following question:
How many workflow Process IDs are delivered by SAP for MSMP Workflow?
11
a) On the SAP Easy Access screen, in the command field, enter /nGRFNMW_CONFIGURE_WD.
b) Choose Enter.
Result: A browser page will open and display the MSMP Workflow Configuration
screen.
c) Remain on this screen for the next step.
2. For Process ID SAP_GRAC_ACCESS_REQUEST, what will happen to an Access Request in
the event auto provisioning fails?
Describe what will happen to an Access Request in the event auto provisioning fails.
In the case that auto provisioning of an Access Request should fail, the request will be
routed down an Escape Routing (Escape Condition) and travel down the Escape Path
ARESC_PRV_FAIL_PATH.
a) On the MSMP Workflow Configuration screen, select the line for Process ID
SAP_GRAC_ACCESS_REQUEST.
b) In the Guided Step area, choose 1-Process Global Settings.
c) In the Escape Conditions section, review the data for the Auto Provisioning Failure
Escape Condition.
d) Remain on this screen for the next step.
3. Identify the available Initiator Rules for access requests.
List available Initiator Rules for SAP_GRAC_ACCESS_REQUEST.
The initiator rules available are Default Initiator Rule (Process Type: SAP_GRAC_AR) and
Z_INTIATOR_RULE.
a) On the MSMP Workflow Configuration screen, in the Guided Step area, choose 2-Maintain Rules.
b) In the List of Rules section, click on the column Rule Kind.
c) In the drop-down menu, choose Initiator Rule to filter.
d) Remain on this screen for the next step.
4. For MSMP Workflow, each Process ID may have only one (1) Initiator Rule active at any
given time as the Process Initiator. The Process Initiator determines which Initiator Rule
will be evaluated when an Access Request is submitted. What is the Process Initiator for
Process ID SAP_GRAC_ACCESS_REQUEST?
What is the Process Initiator for Process ID SAP_GRAC_ACCESS_REQUEST?
The Process Initiator for SAP_GRAC_ACCESS_REQUEST is Z_INITIATOR_RULE.
a) On the MSMP Workflow Configuration screen, in the 2-Maintain Rules Guided Step,
review the data in the Global Rules section.
b) Remain on this screen for the next step.
5. For the AR_NA_PATH, answer the following questions when processing the
GRAC_MANAGER stage.
How is the approver of the request determined?
The Agent ID displayed in the Maintain Stages section is GRAC_MANAGER. This agent
looks to the Manager field value on the Access Request Approval Workflow to determine
the approver.
If the requester who submitted the Access Request forgot to include a critical role, can the
Manager add that role to the request?
No. The stage option Add Assignment is not selected so the approver cannot add line
items to the Access Request.
If the Manager approves the Access Request, are comments mandatory?
No. Comments are mandatory only upon rejection.
a) On the MSMP Workflow Configuration screen, in the Guided Step area, choose 5-Maintain Paths.
b) In the Maintain Paths section, choose the line for Path ID AR_NA_PATH.
c) In the Maintain Stages section, choose the line for Stage ID GRAC_MANAGER.
Result: In the Stage line, under the column Agent ID, the GRAC_MANAGER is displayed
for this stage.
d) Choose Display Task Settings.
e) On the Stage Definition screen, in the Task Settings section, review the data for Add
Assignment and Comments Mandatory.
Result: For this stage, the Add Assignment checkbox is not selected, therefore the
Manager cannot add any roles.
Result: For this stage, the Comments Mandatory field displays Rejection.
f) Close the Stage Definition window by choosing the X in the upper right corner.
g) Remain on this screen for the next step.
6. For the AR_NA_PATH, answer the following questions when processing the
GRAC_ROLEOWNER stage.
Has a routing rule been enabled in the GRAC_ROLEOWNER stage?
Yes. The GRAC_MSMP_DETOUR_SODVIOL routing rule has been configured.
Is the approver at the GRAC_ROLEOWNER stage required to run a Risk Analysis before
they can submit the Access Request?
Yes. The RA Mandatory setting is set to Risk Analysis is mandatory.
a) In the Maintain Stages section, choose the line for Stage ID GRAC_ROLEOWNER.
Result: In the Stage line, the Routing Enabled column is set to Yes, and the Rule ID
configured is GRAC_MSMP_DETOUR_SODVIOL for this stage.
b) Choose Display Task Settings.
c) On the Stage Definition screen, in the Task Settings section, review the data for RA
Mandatory.
Result: For this stage, the RA Mandatory field displays Yes, Risk Analysis is mandatory.
d) Close the Stage Definition window by choosing the X in the upper right corner.
e) Remain on this screen for the next step.
7. For the AR_EUAP_PATH, answer the following questions when processing the
GRAC_ROLEOWNER stage.
Is the same routing rule configured for the GRAC_ROLEOWNER stage in both the
AR_EUAP_PATH and the AR_NA_PATH?
No. In the AR_EUAP_PATH, a custom routing rule is enabled.
How can you determine the conditions that will trigger the custom routing rule for the
GRAC_ROLE_OWNER stage?
Since the custom routing rule for the stage is a BRFplus Flat Rule, in order to determine
the specific condition that will trigger the routing rule, take the Rule ID number and search
for the function in BRFplus. Review the Decision Table for the rule to identify the condition
that will trigger the routing rule.
a) On the MSMP Workflow Configuration screen, in the 5-Maintain Paths Guided Step, in
the Maintain Paths section, choose the line for the AR_EUAP_PATH path.
b) On the MSMP Workflow Configuration screen, in the 5-Maintain Paths Guided Step, in
the Maintain Stages section, choose the line for the GRAC_ROLEOWNER stage.
Result: The routing rule for the GRAC_ROLEOWNER stage in the AR_EUAP_PATH is a
custom routing rule and is different from the GRAC_ROLEOWNER stage in the
AR_NA_PATH.
c) Close the MSMP Workflow Configuration window by choosing the X in the upper right
corner.
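The routing design from the Business Example (NA, EUAP, LOCK and EAM paths) together with the settings found in this solution (the Auto Provisioning Failure escape condition leading to ARESC_PRV_FAIL_PATH, the SoD detour at the Role Owner stage of AR_NA_PATH) can be written down as a small Python model so that each test case in the exercise has a predictable outcome. This is an added example for this page, not SAP's MSMP engine and not course material. It assumes that ZMGCLNT800 serves North America and T41CLNT400 serves Europe/Asia Pacific (the exercise names the connectors but not the mapping), uses "LOCK" and "EAM" as labels rather than configured Path IDs, and its function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessRequest:
    request_type: str            # Request Type code from the request header, "001".."006"
    connector: str               # Connector from the line items, e.g. "ZMGCLNT800"
    role_business_process: str   # Business Process of the requested role, e.g. "00BP"
    sod_violation: bool = False  # SoD issue found at the Role Owner stage
    provisioning_failed: bool = False  # auto provisioning failed after approval

# Assumed connector-to-region mapping (not stated in the exercise).
CONNECTOR_REGION = {"ZMGCLNT800": "NA", "T41CLNT400": "EUAP"}

# Escape path named in Process Global Settings for the Auto Provisioning Failure condition.
ESCAPE_PATH_PROVISIONING_FAILURE = "ARESC_PRV_FAIL_PATH"


def initiator_rule(req: AccessRequest) -> Optional[str]:
    """Process initiator: choose exactly one path from Request Type and Connector."""
    if req.request_type in ("001", "002"):
        region = CONNECTOR_REGION.get(req.connector)
        if region == "NA":
            return "AR_NA_PATH"
        if region == "EUAP":
            return "AR_EUAP_PATH"
        return None              # unknown connector: the initiator selects no path
    if req.request_type in ("003", "004", "005"):
        return "LOCK"            # label for the LOCK path; any connector
    if req.request_type == "006":
        return "EAM"             # label for the Emergency Access Management path
    return None


def sod_detour_approver(req: AccessRequest) -> str:
    """Routing at the NA Role Owner stage (GRAC_MSMP_DETOUR_SODVIOL): the SoD
    approver is chosen by the Business Process of the role."""
    return "GRC300-00" if req.role_business_process == "00BP" else "GRC300-99"


def approval_stages(req: AccessRequest) -> List[str]:
    """Return the approvers, in order, that the request must pass on its path."""
    path = initiator_rule(req)
    if path == "AR_NA_PATH":
        stages = ["Manager"]
        stages.append(sod_detour_approver(req) if req.sod_violation else "Role Approver")
        stages.append("Security Team")
        return stages
    if path == "AR_EUAP_PATH":
        stages = ["Role Approver"]
        if req.role_business_process == "00BP":
            stages.append("Security Team")   # additional approval for 00BP roles
        return stages
    if path == "LOCK":
        return ["Security Team"]
    if path == "EAM":
        return ["Firefighter ID Owner"]
    return []


def final_path(req: AccessRequest) -> Optional[str]:
    """Escape condition: a provisioning failure routes the request down the escape path
    instead of completing on the path the initiator chose."""
    if req.provisioning_failed:
        return ESCAPE_PATH_PROVISIONING_FAILURE
    return initiator_rule(req)


if __name__ == "__main__":
    sample = AccessRequest("001", "ZMGCLNT800", "00BP", sod_violation=True)
    print(initiator_rule(sample), approval_stages(sample))
```

Reading the model against Solution 8: a New Account request on the NA connector with an SoD violation on a 00BP role passes Manager, then GRC300-00 via the detour, then the Security Team; the same request on the EUAP connector passes only the Role Approver plus the Security Team; and any request whose provisioning fails ends on ARESC_PRV_FAIL_PATH regardless of the initiator's choice. Comparing a model like this with the live configuration is a quick way to spot a path or stage that deviates from the approved design.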
Unit 8
Exercise 9
Maintain End User Personalization
Business Example
You are a system administrator. You have been asked to maintain end user personalization to
control what is displayed on a request.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Review and maintain the Default End User Personalization (999) to match the default
settings that are required for your request process.
2. Create a new customized End User Personalization.
Unit 8
Solution 9
Maintain End User Personalization
Business Example
You are a system administrator. You have been asked to maintain end user personalization to
control what is displayed on a request.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Review and maintain the Default End User Personalization (999) to match the default
settings that are required for your request process.
a) Log on to the TGT ABAP client with user ID GRC300–##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) On the Display IMG screen, choose Governance, Risk and Compliance → Access
Control → User Provisioning → Maintain End User Personalization.
d) On the Change View "Create EUP": Overview screen, in the Create EUP section, choose
EUP ID 999 Default.
e) In the Dialog Structure navigation panel, double-click Maintain EUP Fields.
f) Review the settings displayed.
g) Change the following fields to align with request workflow needs:
i. Manager - Mandatory, Editable, Visible
ii. Job - NOT Mandatory, NOT Editable, NOT Visible
h) Choose Save.
2. Create a new customized End User Personalization.
a) Choose Create EUP in the left navigation panel.
b) Choose New Entries.
c) Enter EUP ID: 7##.
d) Enter EUP Config Name:##_EUP_TRAINING.
e) Choose Save.
f) Choose your new EUP ID.
g) In the Dialog Structure navigation panel, double-click Maintain EUP Fields.
h) Choose Save.
i) Review settings and adjust as needed.
Note:
This exercise is for instructional purposes only. The new EUP will not be
used in any subsequent exercises. You can make any changes you want.
j) Choose Back until you return to the SAP Easy Access — User Menu for Training
GRC300-##.
Unit 8
Exercise 10
Prepare Roles and Owner Data for MSMP
Workflow Testing and Validation for SAP
Systems
Business Example
The roles in the target systems need to be prepared so that users can request them in the
Access Request Management application.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
Task 1: Prepare Roles and Owner Data for ZMG Landscape
1. Import your roles into SAP AC using the data in the following table:
Field                       Value
Role Type                   Technical Role
Role Attribute Source       User Input
Role Authorization Source   Backend System
Application Type            SAP
Landscape                   ZMG 800 Landscape
Overwrite Existing Role     Yes
Source System               ZMGCLNT800–ECC ERP
Role From                   Z:RISK_##*
Methodology Status          Complete
2. Maintain role attributes using the data in the following table:
Field                    Value
Critical Level           High
Project Release          ZMG PRD ROLE
Role Status              In Productive Use
Business Process         Group ## Business Process 1
Subprocess               Group ## Subprocess 1
Role Owner               GRC300–##
Assignment Approver      Select
Role Content Approver    Select
3. Review all of your roles and then submit the roles.
Task 2: Prepare Roles and Owner Data for T41 Landscape
1. Import your roles into SAP AC using the data in the following table:
Field                       Value
Role Type                   Technical Role
Role Attribute Source       User Input
Role Authorization Source   Backend System
Application Type            SAP
Landscape                   T41 400 Landscape
Overwrite Existing Role     Yes
Source System               T41CLNT400 — S/4HANA ERP
Role From                   Z:*##
Methodology Status          Complete
2. Maintain role attributes using the data in the following table:
Field                    Value
Critical Level           High
Project Release          T41 PRD ROLE
Role Status              In Productive Use
Business Process         Group ## Business Process 1
Subprocess               Group ## Subprocess 1
Role Owner               GRC300–##
Assignment Approver      Select
Role Content Approver    Select
3. Review all of your roles and then submit the roles.
Unit 8
Solution 10
Prepare Roles and Owner Data for MSMP
Workflow Testing and Validation for SAP
Systems
Business Example
The roles in the target systems need to be prepared so that users can request them in the
Access Request Management application.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
Task 1: Prepare Roles and Owner Data for ZMG Landscape
1. Import your roles into SAP AC using the data in the following table:
Field                       Value
Role Type                   Technical Role
Role Attribute Source       User Input
Role Authorization Source   Backend System
Application Type            SAP
Landscape                   ZMG 800 Landscape
Overwrite Existing Role     Yes
Source System               ZMGCLNT800–ECC ERP
Role From                   Z:RISK_##*
Methodology Status          Complete
a) In the TGT system, on the SAP Easy Access - User Menu for Training GRC300-##
screen, choose SAP Fiori Launchpad from menu list.
b) Log on with your GRC300-## user ID.
c) On the Fiori Launchpad home page, in the BRM Administration tile group, choose Role
Import.
d) On the Role Import: Step 1 (Define Criteria) screen, enter the data from the table.
e) Choose Next.
f) Remain on this screen for the next step.
2. Maintain role attributes using the data in the following table:
Field                    Value
Critical Level           High
Project Release          ZMG PRD ROLE
Role Status              In Productive Use
Business Process         Group ## Business Process 1
Subprocess               Group ## Subprocess 1
Role Owner               GRC300–##
Assignment Approver      Select
Role Content Approver    Select
a) On the Role Import: Step 2 (Select Role Data) screen, enter the data from the table.
b) In the Role Attributes section, enter the data from the table for the following:
● Critical Level
● Project Release
● Role Status
● Business Process
● Subprocess
c) Choose the Owners/Approvers tab.
d) In the List of Approvers section, choose Add.
e) In the open row, in the User field, choose Search.
f) On the Search: User dialog box, in the Owner ID field, enter *##*. Choose Go.
g) Choose Search.
h) Select the Role Owner ID from the table.
i) In the List of Approvers section, select the Assignment Approver and Role Content
Approver checkboxes.
j) Choose Next.
k) Remain on this screen for the next step.
3. Review all of your roles and then submit the roles.
a) On the Role Import: Step 3 (Review) screen, select Preview All Roles.
b) Choose Show Preview.
c) In the Role List, review your roles.
Note:
You should see 4 roles in the preview.
d) Choose Next.
e) On the Role Import: Step 4 (Schedule) screen, choose Foreground.
f) Choose Submit.
g) On the Role Import screen, review your report and verify that in the Details section, the
Status column is set to Success.
h) Close the Role Import browser window to return to the SAP Fiori Launchpad home
page.
Task 2: Prepare Roles and Owner Data for T41 Landscape
1. Import your roles into SAP AC using the data in the following table:
Field                       Value
Role Type                   Technical Role
Role Attribute Source       User Input
Role Authorization Source   Backend System
Application Type            SAP
Landscape                   T41 400 Landscape
Overwrite Existing Role     Yes
Source System               T41CLNT400 — S/4HANA ERP
Role From                   Z:*##
Methodology Status          Complete
a) On the Fiori Launchpad home page, in the BRM Administration tile group, choose Role
Import.
b) On the Role Import: Step 1 (Define Criteria) screen, enter the data from the table.
c) Choose Next.
d) Remain on this screen for the next step.
2. Maintain role attributes using the data in the following table:
Field                    Value
Critical Level           High
Project Release          T41 PRD ROLE
Role Status              In Productive Use
Business Process         Group ## Business Process 1
Subprocess               Group ## Subprocess 1
Role Owner               GRC300–##
Assignment Approver      Select
Role Content Approver    Select
a) On the Role Import: Step 2 (Select Role Data) screen, enter the data from the table.
b) In the Role Attributes section, enter the data from the table for the following:
● Critical Level
● Project Release
● Role Status
● Business Process
● Subprocess
c) Choose the Owners/Approvers tab.
d) In the List of Approvers screen, choose Add.
e) In the open row, in the User field, choose Search.
f) On the Search: User dialog box, in the Owner ID field, enter *##*. Choose Go.
g) Choose Search.
h) Choose the Role Owner ID from the table.
i) In the List of Approvers section, select the Assignment Approver and Role Content
Approver checkboxes.
j) Choose Next.
k) Remain on this screen for the next step.
3. Review all of your roles and then submit the roles.
a) On the Role Import: Step 3 (Review) screen, select Preview All Roles.
b) Choose Show Preview.
c) In the Role List, review your roles.
Note:
You should see 2 roles in the preview.
d) Choose Next.
e) On the Role Import: Step 4 (Schedule) screen, choose Foreground.
f) Choose Submit.
g) On the Role Import screen, review your report and verify that in the Details table, the
Status column is set to Success.
h) Close the browser window to return to the SAP Fiori Launchpad home page.
Unit 8
Exercise 11
Create an Access Request
Business Example
You are a system administrator, and you have been asked to validate the configuration and
workflow for access requests to ensure that they are functioning properly. You will use
various access request test cases to validate several MSMP path configurations. To validate
the Access Request workflow design, you will need to submit multiple access requests and
verify that each request flows down the correct path and that at each stage the configuration
options are functioning as designed.
Note:
Read this exercise completely before you begin.
Figure 4: MSMP Workflow Design
In this exercise, you will undertake several roles and approve Access Requests as various
approvers:
● Manager
● Role Owner
● Security Team Member
● Workflow Administrator
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Create an Access Request
1. Create an access request using the data from the following table.
Table 3:
Field          Value
Description    Group ## Request
Request Type   New Account
Request For    Other
User           ##_User_10
Priority       Low – Access Request
2. Add a role to the request using the data from the following table.
Table 4:
Field       Value
Role Type   Single Role
Role Name   Z:RISK_##*
3. Add user details and system details to the access request. Select the User Details tab and
enter the data from the following table.
Table 5:
Field                       Value
First Name                  User 10
Last Name                   Group ##
Manager                     GRC300-##
Email                       Train-##@educ.corp
User Type                   Dialog
Password/Confirm Password   Welcome1
Note:
If needed, choose Home to return to the Fiori Launchpad home page.
4. Search for your Access Request and view its status.
5. As Manager, view the access request in your Work Inbox. View the Audit Log.
6. As Manager, view the Risk Violations for your Access Request using the data in the
following table. Make sure you run Risk Analysis against your rule set ##RS.
Table 6:
Field                 Value
Analysis Type         Risk Analysis
Rule Set              ##RS
Type                  ● Action Level
                      ● Permission Level
                      ● Critical Action
Additional Criteria   Include Mitigated Risks
7. As Role Approver, review the request in your inbox. Update the assignment according to
the table and submit your request to the next stage.
8. As Security Lead, review the request and approve.
9. Search for your access request and view its status.
Unit 8
Solution 11
Create an Access Request
Business Example
You are a system administrator, and you have been asked to validate the configuration and
workflow for access requests to ensure that they are functioning properly. You will use
various access request test cases to validate several MSMP path configurations. To validate
the Access Request workflow design, you will need to submit multiple access requests and
verify that each request flows down the correct path and that at each stage the configuration
options are functioning as designed.
Note:
Read this exercise completely before you begin.
Figure 4: MSMP Workflow Design
In this exercise, you will undertake several roles and approve Access Requests as various
approvers:
● Manager
● Role Owner
● Security Team Member
● Workflow Administrator
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Create an Access Request
1. Create an access request using the data from the following table.
Table 3:
Field                    Value
Description              Group ## Request
Request Type             New Account
Request For              Other
User                     ##_User_10
Priority                 Low – Access Request
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Access
Request.
b) On the Access Request screen, enter the data from the table for the Reason for
Request and Request Details sections.
c) Remain on this screen for the next step.
2. Add a role to the request using the data from the following table.
Table 4:
Field                    Value
Role Type                Single Role
Role Name                Z:RISK_##*
a) On the Access Request screen, on the User Access tab, choose Add → Role.
b) In the Select Roles dialog box, in the Search Criteria section, remove all search criteria
except Role Type and Role/Profile Name.
c) In the Search Criteria section, enter the data from the table.
d) Choose Search.
e) Under the Available section, choose Add All.
Result: This moves selected roles from the Available section to the Selected section.
There should be 4 roles in the Selected section.
f) Choose OK.
g) Remain on this screen for the next step.
3. Add user details and system details to the access request. Select the User Details tab and
enter the data from the following table.
Table 5:
Field                        Value
First Name                   User 10
Last Name                    Group ##
Manager                      GRC300-##
Email                        Train-##@educ.corp
User Type                    Dialog
Password/Confirm Password    Welcome1
a) On the Access Request screen, select the User Details tab.
b) On the User Details tab, enter the data from the table for First Name, Last Name,
Manager, Company, Email and User Type.
c) Select the User System Details tab.
d) In the System row with the system ZMGCLNT800, in the Password / Confirm
Password fields, enter the password information from the table.
e) Choose Submit.
f) In the bottom left corner, messages will appear. Using your mouse pointer, widen the
Message Box.
Result: Make note of your request number: ________________________
g) Choose Close to return to the SAP Fiori Launchpad home page.
Note:
If needed, choose Home to return to the Fiori Launchpad home page.
4. Search for your Access Request and view its status.
a) On the SAP Fiori Launchpad home page, in the ARQ Administration tile group, choose
Search Requests.
b) On the Search Requests screen, choose Search.
c) In the Results section, select the checkbox to choose your request.
d) Choose Instance Status. Review the displayed data.
Result: The resulting dialog box displays the information related to this particular work
item. You can see the MSMP Process ID and Process version, the Path and Stage the
request is active in, the request approvers that currently have the request in their work
inbox, and the detailed Audit Log for the request. Verify that GRC300-## is the current
approver as Manager.
e) Choose X in the upper right corner to close the dialog box.
f) Close the Search Request browser tab or choose Home to return to the SAP Fiori
Launchpad home page.
5. As Manager, view the access request in your Work Inbox. View the Audit Log.
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Work
Inbox.
b) On the My Home screen, in the Work Inbox section, choose Work Inbox.
c) In the Work Inbox dialog box, click on the subject line of the request to choose your
access request.
d) On the Access Request, select the Audit Log tab and review the data.
e) Remain on this screen for the next step.
6. As Manager, view the Risk Violations for your Access Request using the data in the
following table. Make sure you run Risk Analysis against your rule set ##RS.
Table 6:
Field                  Value
Analysis Type          Risk Analysis
Rule Set               ##RS
Type                   Action Level, Permission Level, Critical Action
Additional Criteria    Include Mitigated Risks
a) On the Access Request: <Access Request Number> dialog box, select the Risk
Violations tab.
b) On the Risk Violations tab, in the Rule Set field, choose Search.
c) On the Search Rulesets dialog box, in the Available table, select your rule set and move
it to the Selected table.
d) In the Selected table, select Global and move it to the Available section.
Note:
This step is for training only. In actual practice, the rule set should not be
changed from the Default that has been configured in the Access Control
Parameters.
e) Choose OK.
f) On the Access Request: <Access Request Number> dialog box, enter the data from the
table.
g) Choose Run Risk Analysis.
h) In the Results table, view your results.
Result: The user should have 2 SOD risk violations and 1 Critical Action violation:
● ##R1-Payment Fraud
● ##R2-Unauthorized Purchasing
● ##R3-Table Maintenance
i) Choose Submit to confirm your approval as Manager.
Hint:
You may need to scroll to the right to see the button in the bottom right of
the screen.
j) If needed, in the Confirmation dialog box, choose Yes.
k) Choose Close to return to the Work Inbox screen.
7. As Role Approver, review the request in your inbox. Update the assignment according to
the table and submit your request to the next stage.
a) In the Work Inbox dialog box, click on the subject line of the request to choose your
access request.
Hint:
If the access request does not appear automatically, choose Refresh in
the lower right corner.
b) Choose Submit.
Did the system allow you to approve the request?
No, Risk Analysis is Mandatory
c) On the Access Request in request details, reject the assignments listed in the table.
Table 7:
Role Assignment          Approval Status
Z:RISK_##R1              Reject
Z:RISK_##R2              Reject
Z:RISK_##R3_##R4         Reject
Z:RISK_##_DISPLAY        Approve
d) Choose the Risk Violations tab.
e) In the Rule Set field, choose ##RS.
f) To update the SOD risk analysis, choose Run Risk Analysis.
g) Select the Risk Violations tab.
h) On the Risk Violations tab, scroll down to the Analysis Criteria table.
Result: You should not see any Risk Violations.
i) Choose the Comments tab.
j) On the Comments tab, in the Notes text box, enter the following note: Approved as
changed.
k) Choose the User Access tab and review the Risk Violations and Mitigation Control
columns.
Result: Notice that a Green Light indicates there is no Risk Violation.
l) Choose Submit to approve the request as Role Approver.
m) In the Confirmation dialog box, choose Yes.
n) Choose Close to return to the Work Inbox screen.
8. As Security Lead, review the request and approve.
a) In the Work Inbox dialog box, click on the subject of the request to choose your access
request.
Caution:
Since all participants are Security Leads in the Access Control Owners
table, you may have additional requests in your inbox so please choose
only your request.
b) Review the data.
c) Choose Submit to approve the request as Security Administrator.
d) Choose Close.
e) Close the Work Inbox tab.
9. Search for your access request and view its status.
a) On the SAP Fiori launchpad home page, in the ARQ Administration tile group, choose
the Search Requests tile.
b) On the Search Request dialog box, choose Search.
c) In the Results table, select your new access request.
d) Choose Instance Status.
Result: The Instance Status dialog box displays the request in Finished status. The
Audit Log has a detailed description of the events for this request, including that a user
has been created and 2 roles were provisioned as per the request.
e) Close the Search Request dialog box.
f) Choose Home to return to the SAP Fiori Launchpad home page.
Unit 8
Exercise 12
Create an Access Request with Risk Violations
Business Example
You are a system administrator, and you have been asked to validate the configuration and
workflow for access requests to ensure that they are functioning properly. You will use
various access request test cases to validate several MSMP path configurations. To validate
the Access Request workflow design, you will need to submit multiple access requests and
verify that each request flows down the correct path and that at each stage the configuration
options are functioning as designed.
Note:
Read this exercise completely before you begin.
Figure 5: MSMP Workflow Design
In this exercise, you will undertake several roles and approve Access Requests as various
approvers:
● Manager
● Role Owner
● Security Team Member
● Workflow Administrator
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Create an Access Request with Access Risk Violation
1. Create an access request using the data from the following table.
Table 8:
Field                    Value
Description              Group ## Request
Request Type             New Account
Request For              Other
User                     ##_User_11
Priority                 High – Access Request
2. Add a role to the request using the data from the following table.
Table 9:
Field                    Value
Role Type                Single Role
Role Name                Z:RISK_##*
3. Add user details and system details to the access request. Select the User Details tab and
enter the data from the following table.
Table 10:
Field                        Value
First Name                   User 11
Last Name                    Group ##
Manager                      GRC300-##
Email                        Train-##@educ.corp
User Type                    Dialog
Password/Confirm Password    Welcome1
Note:
If needed, choose Home to return to the Fiori Launchpad home page.
4. Search for your Access Request and view its status.
5. As Manager, view the access request in your Work Inbox. View the Audit Log.
6. As Manager, view the Risk Violations for your Access Request using the data in the
following table. Make sure you run Risk Analysis against your ruleset ##RS.
Table 11:
Field                  Value
Analysis Type          Risk Analysis
Rule Set               ##RS
Type                   Action Level, Permission Level, Critical Action
Additional Criteria    Include Mitigated Risks
7. As Role Approver, review the request in your inbox. Update the assignment according to
the table and submit your request to the next stage.
Table 12:
Role Assignment          Approval Status
Z:RISK_##R1              Approve
Z:RISK_##R2              Reject
Z:RISK_##R3_##R4         Reject
Z:RISK_##_DISPLAY        Approve
8. Search for your access request and view its status.
9. As Workflow Administrator, review the request and approve it.
10. As Security Lead, review the request and approve.
11. Search for your access request and view its status.
Unit 8
Solution 12
Create an Access Request with Risk Violations
Business Example
You are a system administrator, and you have been asked to validate the configuration and
workflow for access requests to ensure that they are functioning properly. You will use
various access request test cases to validate several MSMP path configurations. To validate
the Access Request workflow design, you will need to submit multiple access requests and
verify that each request flows down the correct path and that at each stage the configuration
options are functioning as designed.
Note:
Read this exercise completely before you begin.
Figure 5: MSMP Workflow Design
In this exercise, you will undertake several roles and approve Access Requests as various
approvers:
● Manager
● Role Owner
● Security Team Member
● Workflow Administrator
Note:
In this exercise, whenever a value includes ##, replace ## with the number which
your instructor has assigned you.
Create an Access Request with Access Risk Violation
1. Create an access request using the data from the following table.
Table 8:
Field                    Value
Description              Group ## Request
Request Type             New Account
Request For              Other
User                     ##_User_11
Priority                 High – Access Request
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Access
Request.
b) On the Access Request screen, enter the data from the table for the Reason for
Request and Request Details sections.
c) Remain on this screen for the next step.
2. Add a role to the request using the data from the following table.
Table 9:
Field                    Value
Role Type                Single Role
Role Name                Z:RISK_##*
a) On the Access Request screen, on the User Access tab, choose Add → Role.
b) In the Select Roles dialog box, in the Search Criteria section, remove all search criteria
except Role Type and Role/Profile Name.
c) In the Search Criteria section, enter the data from the table.
d) Choose Search.
e) Under the Available section, choose Add All.
Result: This moves selected roles from the Available section to the Selected section.
f) Choose OK.
g) Remain on this screen for the next step.
3. Add user details and system details to the access request. Select the User Details tab and
enter the data from the following table.
Table 10:
Field                        Value
First Name                   User 11
Last Name                    Group ##
Manager                      GRC300-##
Email                        Train-##@educ.corp
User Type                    Dialog
Password/Confirm Password    Welcome1
a) On the Access Request screen, select the User Details tab.
b) On the User Details tab, enter the data from the table for First Name, Last Name,
Manager, Company, Email and User Type.
c) Select the User System Details tab.
d) In the System row with the system ZMGCLNT800, in the Password / Confirm
Password fields, enter the password information from the table.
e) Choose Submit.
f) In the bottom left corner, messages will appear. Using your mouse pointer, widen the
Message Box.
Result: Make note of your request number: ________________________
g) Choose Close to return to the SAP Fiori Launchpad home page.
Note:
If needed, choose Home to return to the Fiori Launchpad home page.
4. Search for your Access Request and view its status.
a) On the SAP Fiori Launchpad home page, in the ARQ Administration tile group, choose
Search Requests.
b) On the Search Requests screen, choose Search.
c) In the Results section, select the checkbox to choose your request.
d) Choose Instance Status. Review the displayed data.
Result: The resulting dialog box displays the information related to this particular work
item. You can see the MSMP Process ID and Process version, the Path and Stage the
request is active in, the request approvers that currently have the request in their work
inbox, and the detailed Audit Log for the request. Verify that GRC300-## is the current
approver as Manager.
e) Choose X in the upper right corner to close the dialog box.
f) Close the Search Request browser tab or choose Home to return to the SAP Fiori
Launchpad home page.
5. As Manager, view the access request in your Work Inbox. View the Audit Log.
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Work
Inbox.
b) On the My Home screen, in the Work Inbox section, choose Work Inbox.
c) In the Work Inbox dialog box, click on the subject line of the request to choose your
access request.
d) On the Access Request, select the Audit Log tab and review the data.
e) Remain on this screen for the next step.
6. As Manager, view the Risk Violations for your Access Request using the data in the
following table. Make sure you run Risk Analysis against your ruleset ##RS.
Table 11:
Field                  Value
Analysis Type          Risk Analysis
Rule Set               ##RS
Type                   Action Level, Permission Level, Critical Action
Additional Criteria    Include Mitigated Risks
a) On the Access Request: <Access Request Number> dialog box, select the Risk
Violations tab.
b) On the Risk Violations tab, in the Rule Set field, choose Search.
c) On the Search Rulesets dialog box, in the Available table, select your rule set and move
it to the Selected table.
d) In the Selected table, select Global and move it to the Available section.
Note:
This step is for training only. In actual practice, the rule set should not be
changed from the Default that has been configured in the Access Control
Parameters.
e) Choose OK.
f) On the Access Request: <Access Request Number> dialog box, enter the data from the
table.
g) Choose Run Risk Analysis.
h) In the Results table, view your results.
Result: The user should have 2 SOD risk violations and 1 Critical Action violation:
● ##R1-Payment Fraud
● ##R2-Unauthorized Purchasing
● ##R3-Table Maintenance
i) Choose Submit to confirm your approval as Manager.
Hint:
You may need to scroll to the right to see the button in the bottom right of
the screen.
j) If needed, in the Confirmation dialog box, choose Yes.
k) Choose Close to return to the Work Inbox screen.
7. As Role Approver, review the request in your inbox. Update the assignment according to
the table and submit your request to the next stage.
Table 12:
Role Assignment          Approval Status
Z:RISK_##R1              Approve
Z:RISK_##R2              Reject
Z:RISK_##R3_##R4         Reject
Z:RISK_##_DISPLAY        Approve
a) In the Work Inbox dialog box, click on the subject line of the request to choose your
access request.
Hint:
If the access request does not appear automatically, choose Refresh in
the lower right corner.
b) On the Access Request in request details, reject the assignments listed in the table.
c) Choose the Risk Violations tab.
d) In the Rule Set field, choose ##RS.
e) To update the SOD risk analysis, choose Run Risk Analysis.
f) Select the Risk Violations tab.
g) On the Risk Violations tab, scroll down to the Analysis Criteria table.
h) DO NOT apply mitigating controls to risks at this stage.
i) Choose the Comments tab.
j) On the Comments tab, in the Notes text box, enter the following note: Approved as
changed.
k) Choose the User Access tab and review the Risk Violations and Mitigation Control
columns.
Result: Notice that a Red Light indicates there are Risk Violations.
l) Choose Submit to approve the request as Role Approver.
m) If needed, in the Confirmation dialog box, choose Yes.
n) Choose Close to return to the Work Inbox screen.
o) Choose Home to return to the SAP Fiori Launchpad.
8. Search for your access request and view its status.
a) On the SAP Fiori Launchpad home page, in the ARQ Administration tile group, choose
the Search Requests tile.
b) On the Search Request dialog box, choose Search.
c) In the Results table, select your new access request and choose the Instance Status
button.
On what path and at what stage is your access request awaiting approval?
The request is on path SOD Review Path (AR_SOD_PATH) for requests with SOD
Violations and is at the SOX Team stage for approval. Notice that the approver for the
SOX Team is GRC300-99.
d) Close the Instance Status dialog and remain in Search Request for the next step.
9. As Workflow Administrator, review the request and approve it.
a) From the Search Request Results, select the line that contains your new access
request. The line should highlight blue.
b) Select the Administration button and click the path hyperlink (AR_SOD_PATH) to open
the request for Administrator approval.
c) On the Comments tab, in the Notes text box, enter the following note: Approved as
changed.
d) Choose the Risk Violations tab.
e) In the Rule Set field, choose ##RS.
f) To update the SOD risk analysis, choose Run Risk Analysis.
g) On the Risk Violations tab, scroll down to the Analysis Criteria table.
h) Choose the Submit button in the bottom right-hand corner of the screen to approve
the request.
i) In the Confirmation Dialog box, choose Yes. Do not exit this tab.
Did the system let you approve the request?
No, the request contains risk violations that have not been mitigated.
j) Select the Risk Violations tab and scroll down to the Analysis Criteria table to view the
results.
Note:
If needed, repeat steps d - h to refresh the violations results.
k) In the Result area, select a line with the risk to mitigate and choose the Mitigate Risk
button.
l) In the Mitigation dialog box, in the Control ID field, search for and select your mitigating
control GRCMCT##.
Note:
This may already be populated. If so, verify the Control ID.
m) In the Monitor field, choose Search, then Go.
n) Select GRC300-## as the monitor, then choose Save.
o) Choose Save.
p) On the Access Request run the Risk Analysis again using rule set ##RS.
q) Choose the User Access tab and review the Risk Violations and Mitigation Control
columns. Notice that a Green Light in the Mitigation Control column, indicates there
are no unmitigated risk violations.
r) Choose Submit to approve the request as Administrator.
s) If prompted, enter a comment in the Comments pop up box describing why you
approved the request as an administrator.
t) In the Confirmation Dialog box, choose Yes. Do not exit this tab.
u) Choose Close.
v) Choose Home to return to the SAP Fiori Launchpad home page.
10. As Security Lead, review the request and approve.
a) In the Work Inbox dialog box, click on the subject of the request to choose your access
request.
Caution:
Since all participants are Security Leads in the Access Control Owners
table, you may have additional requests in your inbox so please choose
only your request.
b) Review the data.
c) Choose Submit to approve the request as Security Administrator.
d) Choose Close.
e) Choose Home to return to the SAP Fiori Launchpad home page.
11. Search for your access request and view its status.
a) On the SAP Fiori Launchpad home page, in the ARQ Administration tile group, choose
the Search Requests tile.
b) On the Search Request dialog box, choose Search.
c) In the Results table, select your new access request.
d) Choose Instance Status.
Result: The Instance Status dialog box displays the request in Finished status. The
Audit Log has a detailed description of the events for this request, including that a user
has been created and 2 roles were provisioned as per the request.
e) Close the Search Request dialog box.
f) Choose Home to return to the SAP Fiori Launchpad home page.
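The two approval gates that Exercises 11 and 12 run into (Submit refused because Risk Analysis is mandatory after assignments change, and Submit refused on the SOD path while a violation is unmitigated) can be modelled as plain workflow logic. The following is an added example and not part of the SAP GRC300 material or of SAP Access Control itself; the rule set contents, the role-to-function mapping, the stage names and the path name DEFAULT_PATH are constructed for illustration, and only the ##-placeholder role, risk and control names come from the exercise tables.

```python
"""Model of the MSMP approval gates exercised in Exercises 11 and 12 (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RiskType(Enum):
    SOD = "SoD"
    CRITICAL_ACTION = "Critical Action"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    risk_type: RiskType
    functions: frozenset  # the risk fires once all of these functions are granted


# Constructed rule set ##RS: two SoD risks and one critical-action risk (assumed content).
RULE_SET_RS = [
    Risk("##R1", "Payment Fraud", RiskType.SOD, frozenset({"Maintain Vendor", "Pay Vendor"})),
    Risk("##R2", "Unauthorized Purchasing", RiskType.SOD, frozenset({"Create PO", "Approve PO"})),
    Risk("##R3", "Table Maintenance", RiskType.CRITICAL_ACTION, frozenset({"Maintain Tables"})),
]

# Constructed mapping of the four Z:RISK_##* roles to the functions they grant. The first
# three each carry a conflict on their own, which is why one approved role still yields a
# violation in Exercise 12.
ROLE_FUNCTIONS = {
    "Z:RISK_##R1": {"Maintain Vendor", "Pay Vendor"},
    "Z:RISK_##R2": {"Create PO", "Approve PO"},
    "Z:RISK_##R3_##R4": {"Maintain Tables"},
    "Z:RISK_##_DISPLAY": {"Display Vendor"},
}


@dataclass
class Violation:
    risk: Risk
    mitigating_control: Optional[str] = None  # e.g. GRCMCT## once a control is assigned
    monitor: Optional[str] = None


@dataclass
class AccessRequest:
    assignments: Dict[str, str]  # role -> "Approve" or "Reject"
    violations: List[Violation] = field(default_factory=list)
    analysis_current: bool = False  # True once Run Risk Analysis reflects the assignments

    def set_status(self, role: str, status: str) -> None:
        self.assignments[role] = status
        self.analysis_current = False  # any change invalidates the last analysis


def run_risk_analysis(req: AccessRequest) -> List[Violation]:
    """Re-evaluate the rule set against the roles currently approved."""
    granted = set()
    for role, status in req.assignments.items():
        if status == "Approve":
            granted |= ROLE_FUNCTIONS.get(role, set())
    previous = {v.risk.risk_id: v for v in req.violations}  # keep assigned mitigations
    req.violations = [previous.get(r.risk_id, Violation(r))
                      for r in RULE_SET_RS if r.functions <= granted]
    req.analysis_current = True
    return req.violations


def unmitigated(req: AccessRequest) -> List[Violation]:
    return [v for v in req.violations if v.mitigating_control is None]


def route_path(req: AccessRequest) -> str:
    """Requests with violations detour to AR_SOD_PATH; DEFAULT_PATH is a placeholder name."""
    return "AR_SOD_PATH" if req.violations else "DEFAULT_PATH"


def can_submit(req: AccessRequest, stage: str) -> Tuple[bool, str]:
    """The two gates hit in the exercises: stale analysis first, then unmitigated risk."""
    if not req.analysis_current:
        return False, "Risk Analysis is mandatory: run it after changing assignments"
    if stage == "SOX Team" and unmitigated(req):
        return False, "The request contains risk violations that have not been mitigated"
    return True, "OK"


def mitigate(req: AccessRequest, risk_id: str, control_id: str, monitor: str) -> None:
    for v in req.violations:
        if v.risk.risk_id == risk_id:
            v.mitigating_control, v.monitor = control_id, monitor


def exercise_11() -> Tuple[int, bool, int, str]:
    """Reject R1, R2 and R3_R4 as Role Approver: no violation remains."""
    req = AccessRequest({r: "Approve" for r in ROLE_FUNCTIONS})
    at_manager = len(run_risk_analysis(req))  # the Manager sees 3 violations
    for role in ("Z:RISK_##R1", "Z:RISK_##R2", "Z:RISK_##R3_##R4"):
        req.set_status(role, "Reject")
    allowed, _ = can_submit(req, "Role Approver")  # refused until the analysis is re-run
    remaining = len(run_risk_analysis(req))
    return at_manager, allowed, remaining, route_path(req)


def exercise_12() -> Tuple[str, bool, bool]:
    """Keep R1 approved: the request detours to AR_SOD_PATH until R1 is mitigated."""
    req = AccessRequest({r: "Approve" for r in ROLE_FUNCTIONS})
    run_risk_analysis(req)
    req.set_status("Z:RISK_##R2", "Reject")
    req.set_status("Z:RISK_##R3_##R4", "Reject")
    run_risk_analysis(req)
    path = route_path(req)
    before, _ = can_submit(req, "SOX Team")
    mitigate(req, "##R1", "GRCMCT##", "GRC300-##")
    run_risk_analysis(req)  # re-running keeps the control assigned to ##R1
    after, _ = can_submit(req, "SOX Team")
    return path, before, after


if __name__ == "__main__":
    print(exercise_11())  # (3, False, 0, 'DEFAULT_PATH')
    print(exercise_12())  # ('AR_SOD_PATH', False, True)
```

The point of the model is the ordering of the checks: a change to the assignments invalidates the last analysis, so an approver cannot carry a green light forward from before a change, and a mitigation is only accepted as a reason to proceed once the analysis has been re-run and shows the control attached to the remaining risk.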
Unit 8
Exercise 13
Review Parameter Settings for Provisioning
and Managing Users
Business Example
You are a system administrator. You have been asked to review configuration settings for
Provisioning and Managing Users functionality.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
Do not make any changes in this configuration unless directed to.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to User Provisioning.
2. List the settings that are set and their values for Parameter Group 1 - Change Log:
● 5001 - SLG1 Log Level for HR Triggers
3. List the settings that are set and their values for Parameter Group 5 - Workflow:
● 2051 - Enable User ID Validation in Access Request against Search Data Sources
4. List the settings that are set and their values for Parameter Group 8 - Performance:
● 2050 - Enable Real Time LDAP Search for Access Request User
5. List the settings that are set and their values for Parameter Group 9 - Risk Analysis Access Request:
● 1071 - Enable Risk Analysis upon request submission
● 1072 - Mitigation of critical risk required before approving the request
● 1073 - Enable SoD violations detour on risks from existing roles
● 1074 - Save Mitigation Control in temporary table
● 1075 - Select Management Summary as default view in Access Request
6. List the settings that are set and their values for Parameter Group 12 - Access Request
Role Selection:
● 2031 - Allow All Roles for Approver
● 2032 - Approver Role Restriction Attribute
● 2033 - Allow All Roles for Requester
● 2034 - Requester Role Restriction Attribute
● 2035 - Allow Role Comments
● 2036 - Role Comments Mandatory
● 2037 - Display expired roles for existing roles
● 2038 - Auto Approve Roles without Approvers
● 2039 - Search Role by Transactions from Backend System
● 2040 - Assignment Comments mandatory on rejection
● 2042 - Visibility of Valid from/valid to for profiles
● 2043 - Authorization object for Role search - Provisioning
● 2044 - Display profiles in Existing assignments, My Profile and Model user
● 2045 - Default provisioning action after adding roles/profiles/FFID from Existing
  assignments and My Profile
● 2046 - Field type for business process and system fields in access request role search
● 2047 - Filter Business Process and systems based upon application area
● 2048 - Default Provisioning Environment for Business Role while creating Access
  Request
7. List the settings that are set and their values for Parameter Group 13 - Access Request
Default Roles:
● 1302 - Add only roles for which system entry is present in request
● 2009 - Consider Default Roles
● 2010 - Request Type for Default Roles
● 2011 - Default Role Level
● 2012 - Role Attributes
● 2013 - Request Attributes
8. List the settings that are set and their values for Parameter Group 14 - Access Request
Role Mapping:
● 2014 - Enable Role Mapping
● 2015 - Applicable to Role Removals
9. List the settings that are set and their values for Parameter Group 16 - LDAP:
● 2052 - Use LDAP Domain Forest
10. List the settings that are set and their values for Parameter Group 17 - Assignment Expiry:
● 2041 - Duration for assignment expiry in days
11. List the settings that are set and their values for Parameter Group 18 - Access Request
Training Verification:
● 2024 - Training and Verification
12. List the settings that are set and their values for Parameter Group 20 - Access Request
Business Roles:
● 4011 - Delete the Technical Roles if part of the Business Role
● 4016 - Consider only the approved/completed version of business role for provisioning
● 4019 - Do not copy manual role assignment changes during repository sync
● 4022 - Future dated assignments sync is mandatory
13. List the settings that are set and their values for Parameter Group 22 - Access Request
Validations:
● 5021 - Check manager value against the user ID in current system
● 5022 - Consider the password change in access request
● 5023 - Consider details from multiple data sources for missing user details in access
  request
● 5024 - Enable in-line editing for User group and Parameter in Access request
● 5026 - Make system and provisioning actions visible for filtering user assignments for
  model users
● 5027 - Default value for filtering by System
● 5028 - Default value for filtering by provisioning action
14. List the settings that are set and their values for Parameter Group 23 - Simplified Access
Request:
● 5031 - Enable "Open in Advanced Mode" option
● 5032 - Disable Type-ahead search in Simplified Access Request
15. Review additional configuration areas for Provisioning and Managing Users under the User
Provisioning Node in IMG.
● Maintain Service Level Agreements
  What Service Level Agreements (SLAs) are configured?
  What are the options for determining the SLA time frame?
● Define Request Types
  How many request types are configured?
  To which MSMP process is the request type Role Approval assigned?
● Maintain Priority Configuration
  How many priorities have been configured?
  To which MSMP process have they been assigned?
● Define Number Range for Provisioning Requests
  What is the end number for the first number range?
● Maintain Provisioning Settings
  What are the options for Password Expiry for ORAAPPS?
  What are the fields available for System Provisioning Configuration?
Review other areas of the User Provisioning node:
● Maintain Settings for HR Trigger
● Define Employee Types
● Maintain Number Range Intervals for Provisioning Requests
● Maintain User Defaults
● Maintain Password Self Service
● Maintain CUA Settings
● Activate End User Logon
Note:
For the Steps below, choose the IMG Activity listed and review the items. When
finished with the review choose Back. Do not change any values.
Unit 8
Solution 13
Review Parameter Settings for Provisioning
and Managing Users
Business Example
You are a system administrator. You have been asked to review configuration settings for
Provisioning and Managing Users functionality.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
Do not make any changes in this configuration unless directed to.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to User Provisioning.
a) Log on to the TGT ABAP client with user ID GRC300-##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Maintain Configuration
Settings.
The AC Configuration Settings screen is displayed. These are the parameters that are
configured for this particular instance of SAP Access Control. Remember that some
parameters have a coded default in the GRACCONFIG table; if a parameter is not
entered here, that default is applied.
2. List the settings that are set and their values for Parameter Group 1 - Change Log:
● 5001 - SLG1 Log Level for HR Triggers
a) 5001: HIGH
3. List the settings that are set and their values for Parameter Group 5 - Workflow:
● 2051 - Enable User ID Validation in Access Request against Search Data Sources
a) 2051: NO
4. List the settings that are set and their values for Parameter Group 8 - Performance:
● 2050 - Enable Real Time LDAP Search for Access Request User
a) 2050: NO
5. List the settings that are set and their values for Parameter Group 9 - Risk Analysis Access Request:
● 1071 - Enable Risk Analysis upon request submission
● 1072 - Mitigation of critical risk required before approving the request
● 1073 - Enable SoD violations detour on risks from existing roles
● 1074 - Save Mitigation Control in temporary table
● 1075 - Select Management Summary as default view in Access Request
a) 1071 - 1073: NO
b) 1074: YES
c) 1075: NO
6. List the settings that are set and their values for Parameter Group 12 - Access Request
Role Selection:
● 2031 - Allow All Roles for Approver
● 2032 - Approver Role Restriction Attribute
● 2033 - Allow All Roles for Requester
● 2034 - Requester Role Restriction Attribute
● 2035 - Allow Role Comments
● 2036 - Role Comments Mandatory
● 2037 - Display expired roles for existing roles
● 2038 - Auto Approve Roles without Approvers
● 2039 - Search Role by Transactions from Backend System
● 2040 - Assignment Comments mandatory on rejection
● 2042 - Visibility of Valid from/valid to for profiles
● 2043 - Authorization object for Role search - Provisioning
● 2044 - Display profiles in Existing assignments, My Profile and Model user
● 2045 - Default provisioning action after adding roles/profiles/FFID from Existing
  assignments and My Profile
● 2046 - Field type for business process and system fields in access request role search
● 2047 - Filter Business Process and systems based upon application area
● 2048 - Default Provisioning Environment for Business Role while creating Access
  Request
a) 2031: YES
b) 2032: (not defined)
c) 2033: YES
d) 2034: (not defined)
e) 2035: YES
f) 2036: NO
g) 2037: YES
h) 2038: NO
i) 2039: YES
j) 2040: NO
k) 2042: 0
l) 2043: GRAC_ROLED
m) 2044: NO
n) 2045: 010 (Retain)
o) 2046: 3 (Display both as drop down)
p) 2047: (not defined)
q) 2048: PRD (Production)
7. List the settings that are set and their values for Parameter Group 13 - Access Request
Default Roles:
● 1302 - Add only roles for which system entry is present in request
● 2009 - Consider Default Roles
● 2010 - Request Type for Default Roles
● 2011 - Default Role Level
● 2012 - Role Attributes
● 2013 - Request Attributes
a) 1302: NO
b) 2009: YES
c) 2010: 001 (New Account), 002 (Change Account)
d) 2011: REQUEST
e) 2012: (not defined)
f) 2013: SYSTEM
8. List the settings that are set and their values for Parameter Group 14 - Access Request
Role Mapping:
● 2014 - Enable Role Mapping
● 2015 - Applicable to Role Removals
a) 2014: YES
b) 2015: NO
9. List the settings that are set and their values for Parameter Group 16 - LDAP:
● 2052 - Use LDAP Domain Forest
a) 2052: NO
10. List the settings that are set and their values for Parameter Group 17 - Assignment Expiry:
● 2041 - Duration for assignment expiry in days
a) 2041: 10
11. List the settings that are set and their values for Parameter Group 18 - Access Request
Training Verification:
● 2024 - Training and Verification
a) 2024: (not defined)
12. List the settings that are set and their values for Parameter Group 20 - Access Request
Business Roles:
● 4011 - Delete the Technical Roles if part of the Business Role
● 4016 - Consider only the approved/completed version of business role for provisioning
● 4019 - Do not copy manual role assignment changes during repository sync
● 4022 - Future dated assignments sync is mandatory
a) 4011: NO
b) 4016: YES
c) 4019: NO
d) 4022: YES
13. List the settings that are set and their values for Parameter Group 22 - Access Request
Validations:
● 5021 - Check manager value against the user ID in current system
● 5022 - Consider the password change in access request
● 5023 - Consider details from multiple data sources for missing user details in access request
● 5024 - Enable in-line editing for User group and Parameter in Access request
● 5026 - Make system and provisioning actions visible for filtering user assignments for model users
● 5027 - Default value for filtering by System
● 5028 - Default value for filtering by provisioning action
a) 5021: YES
b) 5022: NO
c) 5023: YES
d) 5024: NO
e) 5026: NO
f) 5027 - 5028: (not defined)
14. List the settings that are set and their values for Parameter Group 23 - Simplified Access
Request:
● 5031 - Enable "Open in Advanced Mode" option
● 5032 - Disable Type-ahead search in Simplified Access Request
a) 5031: YES
b) 5032: NO
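The review above is a manual compare of configured values against what a reviewer expects, with unmaintained parameters falling back to the coded GRACCONFIG default. The following Python script, an added example that is not part of the SAP course material, automates that compare: it assumes a constructed `id;value` export (not an SAP export format), a hypothetical default table standing in for the coded defaults, and a constructed reviewer baseline; the parameter numbers and titles are the ones listed in this solution.

```python
"""Baseline check for SAP Access Control configuration parameters.

Added example for this exercise, not part of the SAP course material.
It assumes a constructed "<param_id>;<value>" export of the AC Configuration
Settings (not an SAP export format) and a hypothetical default table that
stands in for the coded defaults the exercise says GRACCONFIG applies when a
parameter is not maintained.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-ins for GRACCONFIG coded defaults (constructed values).
CODED_DEFAULTS: dict[str, str] = {
    "2032": "",    # Approver Role Restriction Attribute: no restriction
    "2034": "",    # Requester Role Restriction Attribute: no restriction
    "2047": "NO",  # Filter Business Process and systems based upon application area
}

# Reviewer's expected values (constructed baseline). The parameter numbers
# and titles are those listed in this exercise.
BASELINE: dict[str, tuple[str, str]] = {
    "1071": ("YES", "Enable Risk Analysis upon request submission"),
    "1072": ("YES", "Mitigation of critical risk required before approving the request"),
    "1074": ("YES", "Save Mitigation Control in temporary table"),
    "2038": ("NO", "Auto Approve Roles without Approvers"),
    "2051": ("YES", "Enable User ID Validation in Access Request against Search Data Sources"),
}

# Constructed export mirroring the values recorded in this solution.
# An empty value after the separator means the parameter is not defined.
SAMPLE_EXPORT = """\
1071;NO
1072;NO
1073;NO
1074;YES
1075;NO
2031;YES
2032;
2038;NO
2051;NO
"""


@dataclass(frozen=True)
class Finding:
    param: str
    title: str
    expected: str
    actual: Optional[str]
    source: str  # "configured", "default" or "unknown"


def parse_export(text: str) -> dict[str, str]:
    """Parse 'id;value' lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        param, _, value = line.partition(";")
        settings[param.strip()] = value.strip()
    return settings


def effective_value(param: str, settings: dict[str, str],
                    defaults: dict[str, str]) -> tuple[Optional[str], str]:
    """Resolve a parameter the way the exercise describes: an explicitly
    maintained value wins; otherwise the coded default applies. Returns
    (value, source); value is None when neither is known."""
    value = settings.get(param, "")
    if value != "":
        return value, "configured"
    if param in defaults:
        return defaults[param], "default"
    return None, "unknown"


def check_baseline(settings: dict[str, str], baseline: dict[str, tuple[str, str]],
                   defaults: dict[str, str]) -> list[Finding]:
    """Return one Finding per baseline parameter whose effective value deviates."""
    findings: list[Finding] = []
    for param, (expected, title) in sorted(baseline.items()):
        actual, source = effective_value(param, settings, defaults)
        if actual != expected:
            findings.append(Finding(param, title, expected, actual, source))
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for f in check_baseline(parsed, BASELINE, CODED_DEFAULTS):
        print(f"{f.param} {f.title}: expected {f.expected}, "
              f"found {f.actual!r} ({f.source})")
```

Run against the values recorded above, the script reports 1071, 1072 and 2051 as deviations and shows 2032 resolving to its (constructed) default because it is not maintained.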
15. Review additional configuration areas for Provisioning and Managing Users under the User
Provisioning Node in IMG.
● Maintain Service Level Agreements
  What Service Level Agreements (SLAs) are configured?
  What are the options for determining the SLA time frame?
● Define Request Types
  How many request types are configured?
  To which MSMP process is the request type Role Approval assigned?
● Maintain Priority Configuration
  How many priorities have been configured?
  To which MSMP process have they been assigned?
● Define Number Range for Provisioning Requests
  What is the end number for the first number range?
● Maintain Provisioning Settings
  What are the options for Password Expiry for ORAAPPS?
  What are the fields available for System Provisioning Configuration?
Review other areas of the User Provisioning node:
● Maintain Settings for HR Trigger
● Define Employee Types
● Maintain Number Range Intervals for Provisioning Requests
● Maintain User Defaults
● Maintain Password Self Service
● Maintain CUA Settings
● Activate End User Logon
Note:
For the Steps below, choose the IMG Activity listed and review the items. When
finished with the review choose Back. Do not change any values.
a) Maintain Service Level Agreements:
No Service Level Agreements (SLAs) are configured.
SLA time frame options are:
● Fixed by number of days
● Fixed by Date
● Formula
b) Define Request Types:
There are 20 request types configured:
● 1 - New Account
● 2 - Change Account
● 3 - Delete Account
● 4 - Lock Account
● 5 - Unlock Account
● 6 - Emergency Access
● 9 - Role Reaffirm
● 10 - SOD Review
● 11 - UAR Review
● 12 - Create Risk
● 13 - Update Risk
● 14 - Delete Risk
● 15 - Create Function
● 16 - Update Function
● 17 - Delete Function
● 18 - Create Mitigation Assignment
● 19 - Update Mitigation Assignment
● 20 - Delete Mitigation Assignment
● 21 - Role Approval
● 22 - Information
The request type Role Approval is assigned to the SAP_GRAC_ROLE_APPR MSMP
process.
c) Maintain Priority Configuration:
10 Priorities have been configured:
● 1 - Control Maintenance
● 2 - High - Risk Approval
● 3 - High - Function Maintenance
● 4 - High - Control Assignment
● 5 - High - Role Approval
● 6 - High - UAR
● 7 - High - SOD Review
● 8 - High - Firefight ID Review
● 9 - Low - Access Request
● 10 - Medium - Access Request
● 11 - High - Access Request
MSMP process assignments are:
● 1 - SAP_GRAC_CONTROL_MAINT
● 2 - SAP_GRAC_RISK_APPR
● 3 - SAP_GRAC_FUNC_APPR
● 4 - SAP_GRAC_CONTROL_ASGN
● 5 - SAP_GRAC_ROLE_APPR
● 6-8 - SAP_GRAC_ACCESS_REQUEST
● 9 - SAP_GRAC_USER_ACCESS_REVIEW
● 10 - SAP_GRAC_SOD_RISK_REVIEW
d) Define Number Range for Provisioning Requests:
The end number for the first number range is 9999999999.
e) Maintain Provisioning Settings:
Password Expiry for ORAAPPS options are as follows:
● ACSS - Accesses
● DAYS - Days
● NONE - None
Available System Provisioning Configuration fields include the following:
● Target Connector - Specific Connector for Settings
● Auto Prov - Auto Provisioning
● Ind Prov - Indirect Provisioning Type
● Role Prov - Role Provisioning Type
● Pwd Expire - Password Expiry for ORAAPPS
● Password Expiration Value - Value for Expiry for ORAAPPS
● ImmProvisn - Provisioning Effective Immediately
● Role Delim (1) - Role Delimit Years
● Role Delim (2) - Role Delimit Months
● Role Delim (3) - Role Delimit Days
● Account Va (1) - Account Validation Check
● Account Va (2) - Account Validation
● Role Assign - Create User for Role Assign Action
● CreateUser - Create User for Change User Action
● Deactivate - Deactivate Password
f) Review other areas of the User Provisioning node as you want.
g) Choose Back to return to the Display IMG screen.
Unit 9
Exercise 14
Maintain Owners for Role Management
Business Example
You are a system administrator. You have been asked to create owners for roles. You have
been asked to maintain Role Owners in Central Owner Maintenance.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign users in Access Control Owners for Role Management.
Use the following data:
Owner          Type
ACROLEOWN##    Select Type Role Owner
ACROLEAPP##    Select Type Role Owner
Unit 9
Solution 14
Maintain Owners for Role Management
Business Example
You are a system administrator. You have been asked to create owners for roles. You have
been asked to maintain Role Owners in Central Owner Maintenance.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign users in Access Control Owners for Role Management.
Use the following data:
Owner          Type
ACROLEOWN##    Select Type Role Owner
ACROLEAPP##    Select Type Role Owner
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Access Control Owners.
b) On the Central Owner screen, choose Create.
c) In the Owner field, choose Search.
d) On the Select User dialog box, in the Find field, enter AC*##.
e) Choose Go.
f) In the Available table, choose ACROLEOWN##.
g) Choose OK.
h) On the Owner Assignment: New screen, in the Owner Type section, choose Role Owner.
i) In the Comment Column enter Role Owner Maintenance for GRC Training
Course Group ##.
j) Choose Save.
k) Choose Close.
l) Repeat steps b - k for the other owners.
m) Close the Central Owner browser tab.
Unit 9
Exercise 15
Maintain Default Owners with Condition Group
Business Example
You are a system administrator. You have been asked to review the default owners based on
criteria that are entered in BRFplus. The user can be the Assignment Approver, the Role
Content Approver, or both.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Review the role owners that have been defined as default based upon conditions.
Unit 9
Solution 15
Maintain Default Owners with Condition Group
Business Example
You are a system administrator. You have been asked to review the default owners based on
criteria that are entered in BRFplus. The user can be the Assignment Approver, the Role
Content Approver, or both.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Review the role owners that have been defined as default based upon conditions.
a) On the SAP Fiori Launchpad, in the BRM Administration tile group, choose Role
Owners.
b) Review the information displayed in the query. The Condition Group IDs are the same ones
that are associated with the results of the BRF+ Approvers rule.
Note:
In the next exercise, you will review the BRF+ application referred to in this step.
c) Close the Role Owner Criteria browser tab.
Unit 9
Exercise 16
Review Configuration Settings for Condition Groups
Business Example
You are a system administrator. You have been asked to review configuration settings so that
you can assign condition groups to a BRFplus function.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control configuration settings for
Role Management.
2. Review the configuration in SAP Access Control for Condition Groups.
3. In the command box, execute transaction /NBRF+.
A new window opens showing the BRFplus Workbench. BRFplus is a tool that evaluates
attributes and returns a result. This result is returned to the requesting program.
4. Review the BRF+ application ZBRM_METHODOLOGY_AND_APPROVER.
5. Close the BRFplus Workbench browser window that was opened.
Unit 9
Solution 16
Review Configuration Settings for Condition Groups
Business Example
You are a system administrator. You have been asked to review configuration settings so that
you can assign condition groups to a BRFplus function.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control configuration settings for
Role Management.
a) Log on to the TGT ABAP client with user ID GRC300–##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Role Management
→ Assign Condition Groups to BRFplus Functions.
d) Remain on this screen for the next step.
2. Review the configuration in SAP Access Control for Condition Groups.
a) On the Change View "Condition group type to BRFplus assgnment": Overview screen,
review the data listed in the table.
The Condition Groups shown are APPROVER and METHODOLOGY. For each of the
Condition Groups, the associated BRF+ Application and Function is listed. In this case
these are listed by the NAMES of the objects in BRF+ instead of the Object ID.
3. In the command box, execute transaction /NBRF+.
A new window opens showing the BRFplus Workbench. BRFplus is a tool that evaluates
attributes and returns a result. This result is returned to the requesting program.
4. Review the BRF+ application ZBRM_METHODOLOGY_AND_APPROVER.
a) In the navigation panel, choose Search.
b) In the Search dialog box, search for Application Name is equal to ZBRM* and Object Type
is equal to Application.
c) Choose Search.
The BRF application will now display in the navigation area.
d) On the Business Rule Framework plus screen, in the Search Results navigation panel,
choose ZBRM_METHODOLOGY_AND_APPROVER → Expression → Decision
Table → ZBRM_APPROVERS - Decision Table.
e) Review the role approvers decision table that has been previously configured.
In the GRAC_CNDGP (Condition Group ID) column, you can see the Condition Groups
that you reviewed in the previous exercise for default role owners.
f) On the Business Rule Framework plus screen, in the Search Results navigation panel,
choose ZBRM_METHODOLOGY_AND_APPROVER → Expression → Decision
Table → ZBRM_METHODOLOGY - Decision Table.
g) Review the role methodology decision table that has been previously configured.
In the GRAC_CNDGP (Condition Group ID) column, you can see the Condition Groups
that you will review in an upcoming exercise for determining the role methodology
steps.
5. Close the BRFplus Workbench browser window that was opened.
Unit 9
Exercise 17
Define Methodology Process and Steps
Business Example
You are a system administrator. You have been asked to review role methodology and the
associated phases and their sequence.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control configuration settings for
Design and Manage Roles.
2. Review the Role Methodology Processes that have been configured in SAP Access Control
for Role Management.
Unit 9
Solution 17
Define Methodology Process and Steps
Business Example
You are a system administrator. You have been asked to review role methodology and the
associated phases and their sequence.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control configuration settings for
Design and Manage Roles.
a) Log on to the TGT ABAP client with user ID GRC300–##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Role Management
→ Define Methodology Process and Steps.
2. Review the Role Methodology Processes that have been configured in SAP Access Control
for Role Management.
a) On the Change View "Define Methodology Process:" Overview screen, in the navigation
panel, double-click Define Step.
These are the steps that can be included in the Role Methodology. These are not
customizable except for the Phase Description.
b) In the navigation panel, double-click Define Methodology Process to view the
configured role maintenance methodologies and which one is the default.
These are the configured methodologies for Role Management. The Default
Methodology is delivered in a BC Set by SAP.
c) Choose the box to the left of 1 to select the line for the Default Methodology.
d) In the navigation panel, double-click Methodology Process Step.
e) In the navigation panel, double-click Define Methodology Process.
f) Repeat steps d - e to review each of the configured methodologies.
g) Choose Back to return to the Display IMG screen.
Unit 9
Exercise 18
Associate Role Methodology Process to Condition Group
Business Example
You are a system administrator. You have been asked to review settings for associating role
methodologies to condition groups.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Design and Manage Roles.
2. In a previous exercise, you reviewed the BRF+ application
ZBRM_METHODOLOGY_AND_APPROVER. In the ZBRM_METHODOLOGY decision table, a
condition group value would be returned. Review the IMG Activity Associate Methodology
Process to Condition Group to determine which methodology is triggered with each
condition group.
3. Choose Back to return to the Display IMG screen.
Unit 9
Solution 18
Associate Role Methodology Process to Condition Group
Business Example
You are a system administrator. You have been asked to review settings for associating role
methodologies to condition groups.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Design and Manage Roles.
a) Log on to the TGT ABAP client with user ID GRC300–##.
b) Execute transaction /nSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Role Management
→ Associate Methodology Process to Condition Group.
2. In a previous exercise, you reviewed the BRF+ application
ZBRM_METHODOLOGY_AND_APPROVER. In the ZBRM_METHODOLOGY decision table, a
condition group value would be returned. Review the IMG Activity Associate Methodology
Process to Condition Group to determine which methodology is triggered with each
condition group.
a) On the Change View "Maintenance view for Condition Group - Methodology Assig"
screen, note the Condition Group ID and assigned Methodology.
3. Choose Back to return to the Display IMG screen.
Unit 9
Exercise 19
Create a Single Role
Business Example
You are a system administrator. You have been asked to create a single (technical) role.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the Role Maintenance application. Change the Role query to remove the 100 result
limit.
2. Create a new Single Role and enter the role definition using the data in the following table:
Field                                    Value
Application Type                         SAP
Landscape                                ZMG 800 Landscape
Business Process                         Basis
Subprocess                               SEC - Security
Project Release                          ZMG PRD ROLE
Finalize Role Name so that it shows as   Z:S_ZMG_BS_SE_SIN_ROLE_GRP##
Description                              Single Role Maintenance for GRC Training Course Group ##
Profile Name and Description             Leave blank
3. Enter the role properties using the data from the following table:
Field                 Value
Critical Level        Medium
Sensitivity           Normal
Derivation Allowed    NO
4. Apply the Functional Area BASIS to the role.
5. Apply Company 0001 to the role.
6. Apply the Role Prerequisite CERT305 to the role. Do not verify on request submission.
7. Apply the Role Owners and Role Approvers to the role using the data in the following table.
User           Assignment Approver    Role Content Approver
ACROLEOWN##    Enabled                Enabled
ACROLEAPP##    Enabled                NOT Enabled
GRC300-##      Enabled                Enabled
8. Enter the additional role details.
9. Enter Detailed Description for the role: This role was created by Training Participant Group
##.
10. Enter Provisioning information for the role. The role status should be Under Development.
For System ZMGCLNT800, Provisioning and Auto-provisioning should be allowed.
11. Review the Role Management Change Log.
12. Save your work and proceed to the next phase - Maintain Authorizations.
13. Configure role authorization data, and assign the transactions in the following list to the
role.
XK01
XK02
XK03
FB60
MIRO
Note:
Use your user ID GRC300–## and password to log into ZMG system.
14. Synchronize PFCG role data to SAP Access Control.
15. Save your work and proceed to the next phase - Analyze Access Risks
16. Analyze the role for access risks.
17. Save your work and proceed to the next phase - Derive Role
18. Since this role is not allowed for derivation, save your work and proceed to the next phase
- Request Approval.
19. Initiate Role Approval Request, and enter the following reason: Training Course
Group ##.
20. Approve the Role Approval request with the following comment: Approved Training
Request Group ##.
21. Generate role profile.
22. Save your work and proceed to the next phase - Maintain Test Cases
23. Maintain Test Case information using the following data:
Table 13: Test Results Data
Field                       Value
(Test Case) Name:           Single Role Test Case
(Test Case) Description:    Test for GRC Training Single Role
Tested by:                  Use Default Value
Date/Time:                  Use Default Value
Table 14: Add Link Data
Field                       Value
Title:                      Single Test Results
Path:                       www.sap.com
24. Save your work and proceed to the final phase - Complete
25. Set role to In Productive Use status.
26. Review the Role Management Change Log.
27. Review the PFCG Change Log.
Note:
Use your user ID GRC300–## and password to log into ZMG system.
Unit 9
Solution 19
Create a Single Role
Business Example
You are a system administrator. You have been asked to create a single (technical) role.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the Role Maintenance application. Change the Role query to remove the 100 result
limit.
a) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
b) On the ERM Role screen, choose Change Query.
c) On the Change Query 'Role' (Object Type: Role Search) screen, in the Result rows field,
delete any entry that exists.
d) Choose Apply.
e) Remain on this screen for the next step.
2. Create a new Single Role and enter the role definition using the data in the following table:
Field                                    Value
Application Type                         SAP
Landscape                                ZMG 800 Landscape
Business Process                         Basis
Subprocess                               SEC - Security
Project Release                          ZMG PRD ROLE
Finalize Role Name so that it shows as   Z:S_ZMG_BS_SE_SIN_ROLE_GRP##
Description                              Single Role Maintenance for GRC Training Course Group ##
Profile Name and Description             Leave blank
a) On the ERM Role screen, choose Create → Single Role.
b) On the New Single Role screen, in the Define Role tab, choose the Details sub-tab, enter
the data from the table using the drop-down lists.
c) After entering all other data, maintain the Role Name field as noted in the table by
replacing the hash marks.
3. Enter the role properties using the data from the following table:
Field                 Value
Critical Level        Medium
Sensitivity           Normal
Derivation Allowed    NO
a) On the New Single Role screen, in the Define Role tab, choose the Properties sub-tab,
enter the data from the table using the drop-down lists.
4. Apply the Functional Area BASIS to the role.
a) On the New Single Role screen, in the Define Role tab, choose the Functional Area sub-tab.
b) In the List of Functional Areas section, choose Add.
c) In the open row, in the Functional Area field, choose Search.
d) In the Available section, choose the Functional Area BASIS.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
5. Apply Company 0001 to the role.
a) On the New Single Role screen, in the Define Role tab, choose the Company sub-tab.
b) In the List of Companies section, choose Add.
c) In the open row, in the Company field, choose Search.
d) In the Available section, choose Company 0001.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
6. Apply the Role Prerequisite CERT305 to the role. Do not verify on request submission.
a) On the New Single Role screen, in the Define Role tab, choose the Prerequisite sub-tab.
b) In the Role Prerequisites section, choose Add.
c) In the open row, in the Role Prerequisite Name field, choose Search.
d) In the Available section, choose CERT305.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
g) In the Verify on Request field, choose No.
h) In the Active field, select the checkbox to enable.
i) On the New Single Role screen, choose Save to save your work and remain in the same
phase.
Result: The screen will change from New Single Role to Single Role: <Role Name>.
7. Apply the Role Owners and Role Approvers to the role using the data in the following table.
User           Assignment Approver    Role Content Approver
ACROLEOWN##    Enabled                Enabled
ACROLEAPP##    Enabled                NOT Enabled
GRC300-##      Enabled                Enabled
a) On the Single Role: <Role Name> screen, in the Define Role tab, choose the Owners/
Approvers sub-tab.
b) In the List of Approvers section, choose Add.
c) In the open row, in the User field, choose Search.
d) In the Search: User dialog screen, in the Owner field, enter search criteria.
e) Choose Go.
f) Choose the User from the table.
g) Assign Assignment Approver and Role Content owner as noted in the table.
h) Repeat sub-steps b - g for each user in the table.
8. Enter the additional role details.
a) On the Single Role: <Role Name> screen, choose the Additional Details tab.
9. Enter Detailed Description for the role: This role was created by Training Participant Group
##.
a) On the Single Role: <Role Name> screen, in the Additional Details tab, choose the
Detailed Description sub-tab.
b) In the Detailed Description text box, enter This role was created by Training
Participant Group ##.
10. Enter Provisioning information for the role. The role status should be Under Development.
For System ZMGCLNT800, Provisioning and Auto-provisioning should be allowed.
a) On the Single Role: <Role Name> screen, in the Additional Details tab, choose the
Provisioning sub-tab.
b) In the Role Status field, choose Under Development from the drop-down list.
c) In the Systems section, in the Provisioning Allowed and Allow Auto-provisioning fields,
choose Yes.
Note:
If no systems appear in the Provisioning tab, choose Save, then Close. On
the ERM Role screen, select your role and choose Open and return to
Additional Details → Provisioning.
d) Choose Save.
11. Review the Role Management Change Log.
a) On the Single Role: <Role Name> screen, in the Additional Details tab, choose the
Change History sub-tab.
b) In the Results List, review change log entries.
12. Save your work and proceed to the next phase - Maintain Authorizations.
a) On the Single Role: <Role Name> screen, choose the Define Role tab.
b) Choose Save & Continue to save your work and to continue to the next phase - Maintain
Authorizations.
13. Configure role authorization data, and assign the transactions in the following list to the
role.
XK01
XK02
XK03
FB60
MIRO
Note:
Use your user ID GRC300–## and password to log into ZMG system.
a) On the Single Role: <Role Name> screen, in the Maintain Authorizations tab, choose
the Maintain Authorization Data sub-tab.
b) Choose Maintain Authorization Data.
c) If an open or save Launch-PFCG.sap dialog appears, choose Open.
d) On the SAP GUI Shortcut - Logon (ZMG, 800, EN, *PFCG) screen, enter GRC300–##
and password.
e) Choose Log On.
Result: The ZMG Client 800 Role Maintenance screen displays.
f) On the Change Roles screen, choose the Menu tab.
g) Choose Transaction, and enter the transaction codes provided in the step.
h) Choose Assign Transactions.
Result: The transactions will appear in the Hierarchy section.
i) Choose the Authorizations tab, and choose Change Authorization Data.
Result: The Save the Role dialog appears.
j) On the Save the Role dialog, choose Yes.
k) On the Define Organizational Levels dialog, for Account Type, choose Add Values.
l) Choose Full Authorization to populate wild cards for the organizational levels.
m) On the Define Organizational Levels dialog, choose Save.
n) On the Change Role: Authorizations screen, double click the yellow triangle after the
role name. On the Assign Full Authorization for Subtree dialog, choose Enter.
o) Choose Generate, and then choose Enter.
p) Choose Back to exit Role Maintenance screens and log off the ZMG system.
14. Synchronize PFCG role data to SAP Access Control.
a) On the Single Role: <Role Name> screen, choose Sync. with PFCG.
Result: The Date/Time attributes are now displayed.
15. Save your work and proceed to the next phase - Analyze Access Risks
a) On the Single Role: <Role Name> screen, choose the Maintain Authorizations tab.
b) Choose Save & Continue to save your work and to continue to the next phase - Analyze
Access Risks.
16. Analyze the role for access risks.
a) On the Single Role: <Role Name> screen, on the Analyze Access Risks tab, in the
Analysis Criteria section, choose Analysis Type: Risk Analysis, System: ZMGCLNT800,
Rule Set: GLOBAL.
b) In the Result Options section, choose Format: Summary, Type: Action, Permission,
Critical Action.
Note:
Since this is a new role, the Impact Analysis Criteria section is grayed out as
this role cannot have been assigned.
c) Choose Foreground.
d) Review data results. Choose different Types and Formats to review additional data.
17. Save your work and proceed to the next phase - Derive Role
a) On the Single Role: <Role Name> screen, choose Save & Continue to save your work
and to continue to the next phase - Derive Role.
18. Since this role is not allowed for derivation, save your work and proceed to the next phase
- Request Approval.
a) On the Single Role: <Role Name> screen, choose Save & Continue to save your work
and to continue to the next phase - Request Approval.
19. Initiate Role Approval Request, and enter the following reason: Training Course
Group ##.
a) Choose Initiate Approval Request.
b) In the Approval Request dialog screen, in the Request Reason box, enter Training
Course Group ##.
c) Choose OK.
Result: The Request Status will appear as PENDING.
d) On the Single Role: <Role Name> screen, choose Close.
e) Close the ERM Role browser tab.
20. Approve the Role Approval request with the following comment: Approved Training
Request Group ##.
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Work
Inbox.
b) Choose the subject Role Approval required for role <Role Name> to open the work
item.
c) On the Role Approval for <Role Name> screen, review the data, then choose Approve.
d) Click the Role Name to display the role details.
e) On the Single Role: <Role Name> screen, choose Close.
f) If requested, in the Approver Comments dialog box, enter comments Approved
Training Request Group ##.
g) Choose OK.
h) Choose Close.
i) Close the Work Inbox browser window.
j) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
Result: On the ERM Role screen, the Current Phase of your role should be Generate
Roles.
21. Generate role profile.
a) On the ERM Role screen, select the checkbox for your role, then choose Open.
b) On the Single Role: <Role Name> screen, on the Generate Roles tab, choose Generate.
c) On the Role Generation screen, in the Select System & Role step, verify the correct
default system for role generation (ZMGCLNT800).
d) Choose Next.
e) In the Schedule step screen, select Foreground.
f) In the Backend Password field, enter the password for the default system (in the
training system, Welcome1).
g) Choose Next.
h) On the Confirmation step screen, confirm successful role generation.
i) Choose Close.
22. Save your work and proceed to the next phase - Maintain Test Cases
a) On the Single Role: <Role Name> screen, choose Save & Continue to save your work
and to continue to the next phase - Maintain Test Cases.
23. Maintain Test Case information using the following data:
Table 13: Test Results Data
Field                      Value
(Test Case) Name:          Single Role Test Case
(Test Case) Description:   Test for GRC Training Single Role
Tested by:                 Use Default Value
Date/Time:                 Use Default Value
Table 14: Add Link Data
Field                      Value
Title:                     Single Test Results
Path:                      www.sap.com
a) On the Single Role: <Role Name> screen, on the Maintain Test Cases tab, choose
Create.
b) On the Test Results dialog screen, enter the data provided in the table, Test Results
Data.
c) Choose Add → Add Link.
d) On the Add Link dialog screen, enter the data provided in the table, Add Link Data.
e) Choose OK.
f) Choose Save.
Result: The test case should now appear in the Test Results section.
24. Save your work and proceed to the final phase - Complete
a) On the Single Role: <Role Name> screen, choose Save & Continue to save your work
and to continue to the next phase - Complete
b) Verify Complete phase is active in the guided activity ribbon.
25. Set role to In Productive Use status.
a) On the Single Role: <Role Name> screen, choose Go To Phase → Define Role.
b) Choose the Additional Details tab, then choose the Provisioning sub-tab.
c) In the Role Status field, choose In Productive Use.
d) Choose Save.
26. Review the Role Management Change Log.
a) On the Single Role: <Role Name> screen, in the Additional Details tab, choose the
Change History sub-tab.
b) In the Results List, review change log entries.
27. Review the PFCG Change Log.
Note:
Use your user ID GRC300-## and password to log on to the ZMG system.
a) On the Single Role: <Role Name> screen, in the Additional Details tab, choose the
PFCG Change History sub-tab.
b) In the View PFCG History section, under List of Systems, choose ZMGCLNT800.
c) If a Launch-PFCG.sap dialog appears, choose Open.
Note:
This may appear in the lower left corner of the browser window.
d) On the SAP GUI Shortcut - Logon (ZMG, 800, EN, *PFCG) screen, enter the user ID and
password provided in the step.
e) Choose Log On.
f) On the Display Change Documents for Role Administration screen, choose Execute.
Note:
If no information appears, choose Back to the selection screen. Check the
From Date field and change if needed to Current Date. Choose Execute.
Note:
For additional information, you can choose a different Change Documents
category and execute the report again.
g) Review the PFCG change log.
h) In the Command box, enter /nEX.
i) On the Single Role: <Role Name> screen, choose Close.
j) Close the ERM Role browser tab.
Unit 9
Exercise 20
Create a Composite Role
Business Example
You are a system administrator. You have been asked to create a composite role.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the Role Maintenance application.
2. Enter the composite role definition using the following data:
Field                                    Value
Application Type                         SAP
Landscape                                ZMG 800 Landscape
Business Process                         Basis
Subprocess                               SEC - Security
Project Release                          ZMG PRD ROLE
Finalize Role Name so that it shows as   Z:C_ZMG_BS_SE_COM_ROLE_GRP##
Description                              Composite Role Maintenance for GRC Training Course Group ##
Profile Name and Description             Leave blank
3. Enter the role properties using the data from the following table:
Field                 Value
Critical Level:       High
Sensitivity:          Restricted
Comments Mandatory:   Enabled
4. Apply the Functional Area BASIS to the role.
5. Apply Company 0001 to the role.
6. Add single roles to composite role. Add the role Z:S_ZMG_BS_SE_SIN_ROLE_GRP## to
this composite role.
7. Apply the role Owners / Approvers using the data in the following table:
User          Assignment Approver   Role Content Approver
ACROLEOWN##   Enabled               Enabled
ACROLEAPP##   Enabled               NOT Enabled
GRC300-##     Enabled               Enabled
8. Enter the additional role details.
9. Enter Detailed Description for the role: This role was created by Training Participant Group
##.
10. Enter Provisioning information for the role. The role status should be Under Development.
For System ZMGCLNT800, Provisioning and Auto-provisioning should be allowed.
11. Review the Role Management Change Log.
12. Save your work and proceed to the next phase - Analyze Access Risks
13. Analyze the role for access risks.
14. Save your work and proceed to the next phase - Request Approval.
15. Initiate Role Approval Request, and enter the following reason: Training Course
Group ##.
16. Approve the Role Approval request with the following comment: Approved Training
Request Group ##.
17. Use the Generate Roles phase to push data for the Composite Role to the target system.
18. Maintain Test Case information using the following data:
Table 15: Test Results Data
Field                      Value
(Test Case) Name:          Composite Role Test Case
(Test Case) Description:   Test for GRC Training Composite Role
Tested by:                 Use Default Value
Date/Time:                 Use Default Value
Table 16: Add Link Data
Field                      Value
Title:                     Composite Test Results
Path:                      www.sap.com
19. Save your work and proceed to the final phase - Complete
20. Set role to In Productive Use status.
21. Review the Role Management Change Log.
22. Review the PFCG Change Log.
Note:
Use your user ID GRC300-## and password to log on to the ZMG system.
Unit 9
Solution 20
Create a Composite Role
Business Example
You are a system administrator. You have been asked to create a composite role.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the Role Maintenance application.
a) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
b) On the ERM Role screen, choose Create → Composite Role.
2. Enter the composite role definition using the following data:
Field                                    Value
Application Type                         SAP
Landscape                                ZMG 800 Landscape
Business Process                         Basis
Subprocess                               SEC - Security
Project Release                          ZMG PRD ROLE
Finalize Role Name so that it shows as   Z:C_ZMG_BS_SE_COM_ROLE_GRP##
Description                              Composite Role Maintenance for GRC Training Course Group ##
Profile Name and Description             Leave blank
a) On the New Composite Role screen, in the Define Role tab, choose the Details sub-tab,
enter the data from the table using the drop-down lists when available.
b) After entering all other data, enter the Role Name field as noted in the table by
replacing the hash marks.
c) Remain on this screen for the next step.
3. Enter the role properties using the data from the following table:
Field                 Value
Critical Level:       High
Sensitivity:          Restricted
Comments Mandatory:   Enabled
a) On the New Composite Role screen, in the Define Role tab, choose the Properties sub-tab,
then enter the data from the table using the drop-down lists.
b) Remain on this screen for the next step.
4. Apply the Functional Area BASIS to the role.
a) On the New Composite Role screen, in the Define Role tab, choose the Functional Area
sub-tab.
b) In the List of Functional Areas section, choose Add.
c) In the open row, in the Functional Area field, choose Search.
d) In the Available section, choose the Functional Area BASIS.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
g) Remain on this screen for the next step.
5. Apply Company 0001 to the role.
a) On the New Composite Role screen, in the Define Role tab, choose the Company sub-tab.
b) In the List of Companies section, choose Add.
c) In the open row, in the Company field, choose Search.
d) In the Available section, choose Company 0001.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
g) On the New Composite Role screen, choose Save to save your work and remain in the
same phase.
The screen will change from New Composite Role to Composite Role: <Role Name>.
h) Remain on this screen for the next step.
6. Add single roles to composite role. Add the role Z:S_ZMG_BS_SE_SIN_ROLE_GRP## to
this composite role.
a) On the Composite Role: <Role Name> screen, in the Define Role tab, choose the Roles
sub-tab.
b) In the List of Roles section, choose Add.
c) In the Select Roles screen, enter Z:S_ZMG*## in the Role Name field, and then choose
Search.
d) In the Available section, choose Z:S_ZMG_BS_SE_SIN_ROLE_GRP##, then choose
Add (single down arrow) to move the role to the Selected section.
e) Choose OK.
f) Remain on this screen for the next step.
7. Apply the role Owners / Approvers using the data in the following table:
User          Assignment Approver   Role Content Approver
ACROLEOWN##   Enabled               Enabled
ACROLEAPP##   Enabled               NOT Enabled
GRC300-##     Enabled               Enabled
a) On the Composite Role: <Role Name> screen, in the Define Role tab, choose the
Owners/Approvers sub-tab.
b) In the List of Approvers section, choose Add.
c) In the open row, in the User field, choose Search.
d) In the Search: User dialog, in the Owner field, enter search criteria that match the user
(for example, AC*## for the ACROLE users).
e) Choose Search.
f) Choose the User from the data provided in the table.
g) Assign Assignment Approver and Role Content Approver as noted in the table.
h) Repeat steps b - g for each user in the table.
i) Remain on this screen for the next step.
8. Enter the additional role details.
a) On the Composite Role: <Role Name> screen, choose the Additional Details tab.
9. Enter Detailed Description for the role: This role was created by Training Participant Group
##.
a) On the Composite Role: <Role Name> screen, in the Additional Details tab, choose the
Detailed Description sub-tab.
b) In the Detailed Description text box, enter This role was created by Training
Participant Group ##.
c) Remain on this screen for the next step.
10. Enter Provisioning information for the role. The role status should be Under Development.
For System ZMGCLNT800, Provisioning and Auto-provisioning should be allowed.
a) On the Composite Role: <Role Name> screen, in the Additional Details tab, choose the
Provisioning sub-tab.
b) In the Role Status field, choose Under Development from the drop-down list.
c) In the Systems section, in the Provisioning Allowed and Allow Auto-provisioning fields,
choose Yes.
Note:
If no systems appear in the Provisioning tab, choose Save, then Close. On
the ERM Role screen, select your role and choose Open.
d) Choose Save to save your work and remain in the same phase.
e) Remain on this screen for the next step.
11. Review the Role Management Change Log.
a) On the Composite Role: <Role Name> screen, in the Additional Details tab, choose the
Change History sub-tab.
b) In the Results List, review change log entries.
c) Remain on this screen for the next step.
12. Save your work and proceed to the next phase - Analyze Access Risks
a) On the Composite Role: <Role Name> screen, choose the Define Role tab.
b) Choose Save & Continue to save your work and to continue to the next phase - Analyze
Access Risks.
c) Remain on this screen for the next step.
13. Analyze the role for access risks.
a) On the Composite Role: <Role Name> screen, on the Analyze Access Risks tab, in the
Analysis Criteria section, choose Analysis Type: Risk Analysis, System: ZMGCLNT800,
Rule Set: GLOBAL.
b) In the Result Options section, choose Format: Summary, Type: Permission, Critical
Action.
Note:
Since this is a new role, the Impact Analysis Criteria section is grayed out as
this role cannot have been assigned.
c) Choose Foreground.
d) Review data results. In the Result area, choose different Types and Formats to review
additional data.
14. Save your work and proceed to the next phase - Request Approval.
a) On the Composite Role: <Role Name> screen, choose Save & Continue to save your
work and to continue to the next phase - Request Approval.
b) Remain on this screen for the next step.
15. Initiate Role Approval Request, and enter the following reason: Training Course
Group ##.
a) Choose Initiate Approval Request.
b) In the Approval Request dialog screen, In the Request Reason box, enter Training
Course Group ##.
c) Choose OK.
Result: The Request Status will appear as PENDING.
d) Choose Close.
e) Choose Home to return to the SAP Fiori Launchpad home page.
16. Approve the Role Approval request with the following comment: Approved Training
Request Group ##.
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Work
Inbox.
b) Choose the subject Role Approval required for role <Role Name> to open the work
item.
c) On the Role Approval for <Role Name> screen, review the data, then choose Approve.
d) Click the Role Name to display the role details.
e) On the Composite Role: <Role Name> screen, choose Close.
f) On the Role Approval for <Role Name> screen, choose Approve.
g) Choose Close.
h) Choose Home to return to the SAP Fiori Launchpad home page.
i) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
Result: On the ERM Role screen, the Current Phase of your role should be Generate
Roles.
17. Use the Generate Roles phase to push data for the Composite Role to the target system.
a) On the ERM Role screen, select the checkbox for your role, then choose Open.
b) On the Composite Role: <Role Name> screen, on the Generate Roles tab, choose
Generate.
c) On the Role Generation screen, in the Select System & Role step, verify the correct
default system for role generation (ZMGCLNT800).
d) Choose Next.
e) In the Schedule step screen, select Foreground.
f) In the Backend Password field, enter the password for the default system (in the
training system, Welcome1).
g) Choose Next.
h) On the Confirmation step screen, confirm successful role generation.
i) Choose Close.
j) On the Composite Role: <Role Name> screen, choose Save & Continue to save your
work and to continue to the next phase - Maintain Test Cases.
k) Remain on this screen for the next step.
18. Maintain Test Case information using the following data:
Table 15: Test Results Data
Field                      Value
(Test Case) Name:          Composite Role Test Case
(Test Case) Description:   Test for GRC Training Composite Role
Tested by:                 Use Default Value
Date/Time:                 Use Default Value
Table 16: Add Link Data
Field                      Value
Title:                     Composite Test Results
Path:                      www.sap.com
a) On the Composite Role: <Role Name> screen, on the Maintain Test Cases tab, choose
Create.
b) On the Test Results dialog screen, enter the data provided in the table, Test Results
Data.
c) Choose Add → Add Link.
d) On the Add Link dialog screen, enter the data provided in the table, Add Link Data.
e) Choose OK.
f) Choose Save.
Result: The test case should now appear in the Test Results section.
g) Remain on this screen for the next step.
19. Save your work and proceed to the final phase - Complete
a) On the Composite Role: <Role Name> screen, choose Save & Continue to save your
work and to continue to the next phase - Complete.
Result: Your role should now be in the Complete phase.
b) Remain on this screen for the next step.
20. Set role to In Productive Use status.
a) On the Composite Role: <Role Name> screen, choose Go To Phase → Define Role.
b) Choose the Additional Details tab, then choose the Provisioning sub-tab.
c) In the Role Status field, choose In Productive Use.
d) Choose Save.
e) Remain on this screen for the next step.
21. Review the Role Management Change Log.
a) On the Composite Role: <Role Name> screen, in the Additional Details tab, choose the
Change History sub-tab.
b) In the Results List, review change log entries.
c) Remain on this screen for the next step.
22. Review the PFCG Change Log.
Note:
Use your user ID GRC300-## and password to log on to the ZMG system.
a) On the Composite Role: <Role Name> screen, in the Additional Details tab, choose the
PFCG Change History sub-tab.
b) In the View PFCG History area, under List of Systems, choose ZMGCLNT800.
c) If a Launch-PFCG.sap dialog appears, choose Open.
Note:
This may appear in the lower left corner of the browser window.
d) On the SAP GUI Shortcut - Logon (ZMG, 800, EN, *PFCG) screen, enter user ID GRC300-##
and your password.
e) Choose Log On.
f) On the Display Change Documents for Role Administration screen, choose Execute.
Note:
If no information appears, choose Back to the selection screen. Check the
From Date field and change if needed to Current Date. Choose Execute.
Note:
For additional information, you can choose a different Change Documents
category and execute the report again.
g) Review the PFCG change log.
h) In the Command box, enter /nEX.
i) On the Composite Role: <Role Name> screen, choose Close.
j) Choose Home to return to the SAP Fiori Launchpad home page.
Unit 9
Exercise 21
Create a Business Role
Business Example
You are a system administrator. You have been asked to create a business role.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the Role Maintenance application.
2. Enter the business role definition using the following data:
Field                                    Value
Application Type                         Business Roles
Landscape                                Business Roles
Business Process                         Basis
Subprocess                               SEC - Security
Project Release                          Business Roles
Finalize Role Name so that it shows as   Z:B_BUS_BS_SE_BUS_ROLE_GRP##
Description                              Business Role Maintenance for GRC Training Course Group ##
3. Enter the role properties using the data from the following table.
Field            Value (same as Single Role exercise)
Critical Level   Medium
Sensitivity      Normal
4. Apply the Functional Area BASIS to the role.
5. Apply Company 0001 to the role.
6. Add roles to business role. Add the roles Z:S_ZMG_BS_SE_SIN_ROLE_GRP##,
Z:FIN_ANALIQUIDITYPLAN_APP_## and Z:C_ZMG_BS_SE_COM_ROLE_GRP## to this
business role.
7. Apply the Role Owners and Role Approvers to the role using the data in the following table.
User          Assignment Approver   Role Content Approver
ACROLEOWN##   Enabled               Enabled
ACROLEAPP##   Enabled               NOT Enabled
GRC300-##     Enabled               Enabled
8. Enter the additional role details.
9. Enter Detailed Description for the role: This role was created by Training Participant Group
##.
10. Enter Provisioning information for the role.
11. Review the Role Management Change Log.
12. Save your work and proceed to the next phase - Analyze Access Risks.
13. Analyze the role for access risks.
14. Save your work and proceed to the next phase - Request Approval.
15. Initiate Role Approval Request, and enter the following reason: Training Course
Group ##.
16. Approve the Role Approval request with the following comment: Approved Training
Request Group ##.
17. Maintain Test Case information using the following data:
Table 17: Test Results Data
Field                      Value
(Test Case) Name:          Business Role Test Case
(Test Case) Description:   Test for GRC Training Business Role
Tested by:                 Use Default Value
Date/Time:                 Use Default Value
Table 18: Add Link Data
Field                      Value
Title:                     Business Test Results
Path:                      www.sap.com
18. Save your work and proceed to the final phase - Complete.
19. Set role to In Productive Use status.
20. Review the Role Management Change Log.
Unit 9
Solution 21
Create a Business Role
Business Example
You are a system administrator. You have been asked to create a business role.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the Role Maintenance application.
a) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
b) On the ERM Role screen, choose Create → Business Role.
2. Enter the business role definition using the following data:
Field                                    Value
Application Type                         Business Roles
Landscape                                Business Roles
Business Process                         Basis
Subprocess                               SEC - Security
Project Release                          Business Roles
Finalize Role Name so that it shows as   Z:B_BUS_BS_SE_BUS_ROLE_GRP##
Description                              Business Role Maintenance for GRC Training Course Group ##
a) On the New Business Role screen, in the Define Role tab, choose the Details sub-tab,
enter the data from the table using the drop-down lists.
b) After entering all other data, maintain the Role Name field as noted in the table by
replacing the hash marks.
c) Remain on this screen for the next step.
3. Enter the role properties using the data from the following table.
Field            Value (same as Single Role exercise)
Critical Level   Medium
Sensitivity      Normal
a) On the New Business Role screen, in the Define Role tab, choose the Properties sub-tab,
then enter the data from the table using the drop-down lists.
b) Remain on this screen for the next step.
4. Apply the Functional Area BASIS to the role.
a) On the New Business Role screen, in the Define Role tab, choose the Functional Area
sub-tab.
b) In the List of Functional Areas section, choose Add.
c) In the open row, in the Functional Area field, choose Search.
d) In the Available section, choose the Functional Area BASIS.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
g) Remain on this screen for the next step.
5. Apply Company 0001 to the role.
a) On the New Business Role screen, in the Define Role tab, choose the Company sub-tab.
b) In the List of Companies section, choose Add.
c) In the open row, in the Company field, choose Search.
d) In the Available section, choose Company 0001.
e) Choose Add (single right arrow) to move it to the Selected section.
f) Choose OK.
g) Choose Save to save the data and remain in the current phase.
h) Remain on this screen for the next step.
6. Add roles to business role. Add the roles Z:S_ZMG_BS_SE_SIN_ROLE_GRP##,
Z:FIN_ANALIQUIDITYPLAN_APP_## and Z:C_ZMG_BS_SE_COM_ROLE_GRP## to this
business role.
a) On the Business Role: <Role Name> screen, in the Define Role tab, choose the Roles
sub-tab.
b) In the List of Roles section, choose Add.
c) In the Select Roles screen, enter Z*## in the Role Name field, then choose Search.
d) In the Available section, choose Z:S_ZMG_BS_SE_SIN_ROLE_GRP##,
Z:FIN_ANALIQUIDITYPLAN_APP_## and Z:C_ZMG_BS_SE_COM_ROLE_GRP##, then
choose Add (single down arrow) to move the roles to the Selected section.
e) Choose OK.
f) Remain on this screen for the next step.
7. Apply the Role Owners and Role Approvers to the role using the data in the following table.
User          Assignment Approver   Role Content Approver
ACROLEOWN##   Enabled               Enabled
ACROLEAPP##   Enabled               NOT Enabled
GRC300-##     Enabled               Enabled
a) On the Business Role: <Role Name> screen, in the Define Role tab, choose the Owners/
Approvers sub-tab.
b) In the List of Approvers section, choose Add.
c) In the open row, in the User field, choose Search.
d) In the Search: User dialog screen, in the Owner field, enter search criteria.
e) Choose Go.
f) Choose the User from the table.
g) Assign Assignment Approver and Role Content Approver as noted in the table.
h) Repeat sub-steps b - g for each user in the table.
i) Remain on this screen for the next step.
8. Enter the additional role details.
a) On the Business Role: <Role Name> screen, choose the Additional Details tab.
9. Enter Detailed Description for the role: This role was created by Training Participant Group
##.
a) On the Business Role: <Role Name> screen, in the Additional Details tab, choose the
Detailed Description sub-tab.
b) In the Detailed Description text box, enter This role was created by Training
Participant Group ##.
c) Remain on this screen for the next step.
10. Enter Provisioning information for the role.
a) On the Business Role: <Role Name> screen, in the Additional Details tab, choose the
Provisioning sub-tab.
b) In the Role Status field, choose Under Development from the drop-down list.
c) On the Business Role: <Role Name> screen, choose Save to save your work and remain
in the same phase.
d) Remain on this screen for the next step.
11. Review the Role Management Change Log.
a) On the Business Role: <Role Name> screen, in the Additional Details tab, choose the
Change History sub-tab.
b) In the Results List, review the change log entries.
c) Remain on this screen for the next step.
12. Save your work and proceed to the next phase - Analyze Access Risks.
a) On the Business Role: <Role Name> screen, choose the Define Role tab.
b) Choose Save & Continue to save your work and to continue to the next phase - Analyze
Access Risks.
c) Remain on this screen for the next step.
13. Analyze the role for access risks.
a) On the Business Role: <Role Name> screen, on the Analyze Access Risks tab, in the
Analysis Criteria section, choose Analysis Type: Risk Analysis and Rule Set: GLOBAL.
Note:
For the System designation, this will be determined by the roles that are
contained in the Business Role.
b) In the Result Options section, choose Format: Summary, Type: Action, Permission,
Critical Action.
Note:
Since this is a new role, the Impact Analysis Criteria section is grayed out
as this role cannot have been assigned.
c) Choose Foreground.
d) Review data results. In the Result area, choose different Types and Formats to review
additional data.
e) Remain on this screen for the next step.
14. Save your work and proceed to the next phase - Request Approval.
a) On the Business Role: <Role Name> screen, choose Save & Continue to save your work
and to continue to the next phase - Request Approval.
b) Remain on this screen for the next step.
15. Initiate Role Approval Request, and enter the following reason: Training Course
Group ##.
a) Choose Initiate Approval Request.
b) In the Approval Request dialog screen, In the Request Reason box, enter Training
Course Group ##.
c) Choose OK.
Result: The Request Status will appear as PENDING.
d) Choose Close.
e) Choose Home to return to the SAP Fiori Launchpad home page.
16. Approve the Role Approval request with the following comment: Approved Training
Request Group ##.
a) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Work
Inbox.
b) Choose the subject Role Approval required for role <Role Name> to open the work
item.
c) On the Role Approval for <Role Name> screen, review the data, then choose Approve.
d) Click the Role Name to display the role details.
e) On the Business Role: <Role Name> screen, choose Close.
f) On the Role Approval for <Role Name> screen, choose Approve.
g) If needed, in the Approver Comments dialog box, enter comments Approved
Training Request Group ##.
h) Choose OK.
i) Choose Close.
j) Choose Home to return to the SAP Fiori Launchpad home page.
k) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
Result: On the ERM Role screen, the Current Phase of your role should be Maintain
Test Cases.
17. Maintain Test Case information using the following data:
Table 17: Test Results Data
Field                      Value
(Test Case) Name:          Business Role Test Case
(Test Case) Description:   Test for GRC Training Business Role
Tested by:                 Use Default Value
Date/Time:                 Use Default Value
Table 18: Add Link Data
Field                      Value
Title:                     Business Test Results
Path:                      www.sap.com
a) On the Business Role: <Role Name> screen, on the Maintain Test Cases tab, choose
Create.
b) On the Test Results dialog screen, enter the data provided in the table, Test Results
Data.
c) Choose Add → Add Link.
d) On the Add Link dialog screen, enter the data provided in the table, Add Link Data.
e) Choose OK.
f) Choose Save.
Result: The test case should now appear in the Test Results section.
g) Remain on this screen for the next step.
18. Save your work and proceed to the final phase - Complete.
a) On the Business Role: <Role Name> screen, choose Save & Continue to save your work
and to continue to the next phase - Complete
b) Verify Complete status appears.
19. Set role to In Productive Use status.
a) On the Business Role: <Role Name> screen, choose Go To Phase → Define Role.
b) Choose the Additional Details tab, then choose the Provisioning sub-tab.
c) In the Role Status field, choose In Productive Use.
d) Choose Save.
e) Remain on this screen for the next step.
20. Review the Role Management Change Log.
a) On the Business Role: <Role Name> screen, in the Additional Details tab, choose the
Change History sub-tab.
b) In the Results List, review change log entries.
c) Choose Close.
d) Choose Home to return to the SAP Fiori Launchpad home page.
Unit 9
Exercise 22
Review Parameter Settings for Design and
Manage Roles
Business Example
You are a system administrator. You have been asked to review the current and available
configuration settings related to designing and managing roles.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Design and Manage Roles.
2. List the settings that are set and their values for Parameter Group 1 - Change Log:
● 1008 - Enable Role Change Log
3. List the settings that are set and their values for Parameter Group 5 - Workflow:
● 3022 - Request Type for Role Approval
● 3023 - Priority for Role Approval
4. List the settings that are set and their values for Parameter Group 10 - Role Management:
● 3000 - Default Business Process
● 3001 - Default Subprocess
● 3002 - Default Critical Level
● 3003 - Default Project Release
● 3004 - Default Role Status
● 3005 - Reset Role Methodology when Changing Role Attributes
● 3006 - Allow add functions to an authorization
● 3007 - Allow editing organizational level values for derived roles
● 3008 - A ticket number is required after authorization data changes
● 3009 - Allow Role Deletion from Back End
● 3010 - Allow attaching files to the role definition
● 3011 - Conduct Risk Analysis before Role Generation
● 3012 - Allow Role Generation on Multiple Systems
● 3013 - Use Logged-on user credentials for role generation
● 3014 - Allow role generation with Permission Level violations
● 3015 - Allow role generation with Critical Permission violations
● 3016 - Allow role generation with Action Level violations
● 3017 - Allow role generation with Critical Action violations
● 3018 - Allow role generation with Critical Role/Profile violations
● 3019 - Overwrite individual role's Risk Analysis result during Mass Risk Analysis run
● 3020 - Role certification reminder notification
● 3021 - Directory for mass role import server files
● 3024 - Enforce methodology process for derived roles during generation
● 3025 - Allow selection of Org. Value Maps without leading org
● 3026 - Save Role Provisioning Details while copying role
● 3027 - Automate authorization copy from master role to its new derived roles
● 3028 - Generate Derived roles after Creation/Update
● 3029 - Notify User when Business Role Assignment Changes
● 3030 - Initiate role approval request with mandatory Role content approver
● 3040 - A ticket number is required for all role changes
● 3041 - Perform mandatory risk analysis during role maintenance
● 3042 - Do not allow role creation with risks
● 3043 - Default Connector for IDM GRC integration
5. List the settings that are set and their values for Parameter Group 5 - Workflow:
● 3022 - Request Type for Role Approval
● 3023 - Priority for Role Approval
6. Choose Back to return to the Display IMG screen.
7. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Specify Naming Conventions.
8. Review the following settings related to Design and Manage Roles:
How many naming conventions have been configured?
What is the Connector Group attached to Naming Convention 3?
There is a mismatch in configuration for the Naming Convention for Business Roles. What
is it?
What role attributes are used for Composite roles to create the Role ID?
9. Choose Back to return to the Display IMG screen.
10. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Maintain Project and Product Release Name.
11. Review the following settings related to Design and Manage roles:
How many project releases have been configured?
What is the Project Release ID and Description?
12. Choose Back to return to the Display IMG screen.
13. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Role Sensitivity.
What is the description of Role Sensitivity ID 3?
14. Choose Back to return to the Display IMG screen.
15. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Maintain Role Status.
What is the Role Status ID for "In Productive Use"?
16. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Specify Critical Level.
What does the Critical Level for "VH" mean?
17. Choose Back to return to the Display IMG screen.
18. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Companies.
What is the Company ID for the IDES Company?
19. Choose Back to return to the Display IMG screen.
20. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Maintain Functional Areas.
What is the Functional Area ID for Materials Management?
What is the abbreviation for the Sales functional area?
21. Choose Back to return to the Display IMG screen.
22. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Organizational Value Maps.
What is the parent organizational value for the IDES AG map? List Org Level (ID or
Description) and the value.
What is the value of Org Level LGNUM for this value map?
23. Choose Back to return to the Display IMG screen.
24. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Prerequisite Types.
What is the description for prerequisite type CERTIF?
25. Choose Back to return to the Display IMG screen.
26. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Role Prerequisites.
What is the Course ID and description for the CERT role prerequisite?
27. Choose Back to return to the Display IMG screen.
Unit 9
Solution 22
Review Parameter Settings for Design and Manage Roles
Business Example
You are a system administrator. You have been asked to review the current and available
configuration settings related to designing and managing roles.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Design and Manage Roles.
a) Log on to the TGT ABAP client with user ID GRC300-##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Maintain Configuration
Settings.
The AC Configuration Settings screen is displayed. These are the parameters that are
configured for this particular instance of SAP Access Control. Remember that some
parameters have a coded default in the GRACCONFIG table. If a parameter is not
entered here, the default is applied.
2. List the settings that are set and their values for Parameter Group 1 - Change Log:
● 1008 - Enable Role Change Log
a) 1008: Yes
3. List the settings that are set and their values for Parameter Group 5 - Workflow:
● 3022 - Request Type for Role Approval
● 3023 - Priority for Role Approval
a) 3022: 21
b) 3023: 005
4. List the settings that are set and their values for Parameter Group 10-Role Management:
● 3000 - Default Business Process
● 3001 - Default Subprocess
● 3002 - Default Critical Level
● 3003 - Default Project Release
● 3004 - Default Role Status
● 3005 - Reset Role Methodology when Changing Role Attributes
● 3006 - Allow add functions to an authorization
● 3007 - Allow editing organizational level values for derived roles
● 3008 - A ticket number is required after authorization data changes
● 3009 - Allow Role Deletion from Back End
● 3010 - Allow attaching files to the role definition
● 3011 - Conduct Risk Analysis before Role Generation
● 3012 - Allow Role Generation on Multiple Systems
● 3013 - Use Logged-on user credentials for role generation
● 3014 - Allow role generation with Permission Level violations
● 3015 - Allow role generation with Critical Permission violations
● 3016 - Allow role generation with Action Level violations
● 3017 - Allow role generation with Critical Action violations
● 3018 - Allow role generation with Critical Role/Profile violations
● 3019 - Overwrite individual role's Risk Analysis result during Mass Risk Analysis run
● 3020 - Role certification reminder notification
● 3021 - Directory for mass role import server files
● 3024 - Enforce methodology process for derived roles during generation
● 3025 - Allow selection of Org. Value Maps without leading org
● 3026 - Save Role Provisioning Details while copying role
● 3027 - Automate authorization copy from master role to its new derived roles
● 3028 - Generate Derived roles after Creation/Update
● 3029 - Notify User when Business Role Assignment Changes
● 3030 - Initiate role approval request with mandatory Role content approver
● 3040 - A ticket number is required for all role changes
● 3041 - Perform mandatory risk analysis during role maintenance
● 3042 - Do not allow role creation with risks
● 3043 - Default Connector for IDM GRC integration
a) 3000 - 3003: (not defined)
b) 3004: DEV
c) 3005: NO
d) 3006 - 3007: YES
e) 3008 - 3009: NO
f) 3010: YES
g) 3011: NO
h) 3012 - 3019: YES
i) 3020: 1
j) 3021: (not defined)
k) 3024: NO
l) 3025: YES
m) 3026: NO
n) 3027 - 3029: YES
o) 3030: (not defined)
p) 3040: NO
q) 3041: YES
r) 3042: NO
s) 3043: (not defined)
5. List the settings that are set and their values for Parameter Group 5 - Workflow:
● 3022 - Request Type for Role Approval
● 3023 - Priority for Role Approval
a) 3022: 21
b) 3023: 005
6. Choose Back to return to the Display IMG screen.
7. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Specify Naming Conventions.
8. Review the following settings related to Design and Manage Roles:
How many naming conventions have been configured?
What is the Connector Group attached to Naming Convention 3?
There is a mismatch in configuration for the Naming Convention for Business Roles. What
is it?
What role attributes are used for Composite roles to create the Role ID?
a) Configured naming conventions: 10
b) Connector group attached: R3 (double-click on the naming convention)
c) Mismatch: The maximum length for this role type is configured at 30 characters, but
the role naming convention is configured to 40 characters.
d) Role attributes for Composite Roles: Role Type, Business Process, Subprocess
9. Choose Back to return to the Display IMG screen.
10. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Maintain Project and Product Release Name.
11. Review the following settings related to Design and Manage roles:
How many project releases have been configured?
What is the Project Release ID and Description?
a) Configured project releases: 5
b) Project Release ID and Description: PROD; Production
12. Choose Back to return to the Display IMG screen.
13. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Role Sensitivity.
What is the description of Role Sensitivity ID 3?
a) Description: Restricted
14. Choose Back to return to the Display IMG screen.
15. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Maintain Role Status.
What is the Role Status ID for "In Productive Use"?
a) Role Status ID: PRD
16. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Specify Critical Level.
What does the Critical Level for "VH" mean?
a) VH: Very High
17. Choose Back to return to the Display IMG screen.
18. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Companies.
What is the Company ID for the IDES Company?
a) Company ID: 0001
19. Choose Back to return to the Display IMG screen.
20. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Maintain Functional Areas.
What is the Functional Area ID for Materials Management?
What is the abbreviation for the Sales functional area?
a) Materials Management Functional Area ID: MATERIAL
b) Sales Functional Area abbreviation: SD
21. Choose Back to return to the Display IMG screen.
22. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Organizational Value Maps.
What is the parent organizational value for the IDES AG map? List Org Level (ID or
Description) and the value.
What is the value of Org Level LGNUM for this value map?
a) On the Change View "Org level Mapping" Details screen, review the data in the
Org.Level and From fields.
b) Parent org value: BUKRS/Company Code: 1000
c) On the Change View "Org level Mapping" Details screen, in the Dialog Structure area,
double-click Org level Mapping Details.
d) Org Level LGNUM: 001
23. Choose Back to return to the Display IMG screen.
24. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Prerequisite Types.
What is the description for prerequisite type CERTIF?
a) Certification
25. Choose Back to return to the Display IMG screen.
26. In SAP Reference IMG, navigate to Governance, Risk and Compliance → Access Control
→ Role Management → Define Role Prerequisites.
What is the Course ID and description for the CERT role prerequisite?
a) CERT305; Certification Course 305
27. Choose Back to return to the Display IMG screen.
Unit 10
Exercise 23
Maintain EAM Owners and Controllers in Central Owner Maintenance
Business Example
You are a system administrator. You have been asked to maintain Emergency Access
Management Owners and Controllers in Central Owner Maintenance.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign users in Access Control Owners for Role Management.
Owner          Type
ACFFIDOWN##    Select Type Firefighter ID Owner
ACFFIDCNTL##   Select Type Firefighter ID Controller
Unit 10
Solution 23
Maintain EAM Owners and Controllers in Central Owner Maintenance
Business Example
You are a system administrator. You have been asked to maintain Emergency Access
Management Owners and Controllers in Central Owner Maintenance.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign users in Access Control Owners for Role Management.
Owner          Type
ACFFIDOWN##    Select Type Firefighter ID Owner
ACFFIDCNTL##   Select Type Firefighter ID Controller
a) On the SAP Fiori Launchpad home page, in the ARA Configuration tile group, choose
Access Control Owners.
b) On the Owner Assignment: New screen, choose Create.
c) In the Owner field, choose Search.
d) On the Select User dialog box, in the Find field, enter AC*##.
e) Choose Go.
f) In the Available table, choose ACFFIDOWN##.
g) Choose OK.
h) On the Owner Assignment: New screen, in the Owner Type section, choose Firefighter
ID Owner.
i) In the Comment column, enter EAM Owner Maintenance for GRC Training
Course Group ##.
j) Choose Save.
k) Choose Close.
l) Repeat steps b - k for the other owners using the data in the table.
m) Close the Central Owner browser tab.
Unit 10
Exercise 24
Assign Owners to Firefighter IDs
Business Example
You are a system administrator. You have been asked to assign Firefighter Owners to
Firefighter IDs.
Note:
As a prerequisite, the Firefighter IDs have already been created on the SAP target
back-end systems (ZMGCLNT800 & T41CLNT400) and have been assigned the
appropriate roles to be used in Emergency Access, as well as the Firefighter ID
role listed in the Maintain Configuration Settings, Parameter Group 6, Parameter
ID 4010. Profile/Role and User Synchronization have also been performed.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign Firefighter Owners to Firefighter IDs.
Firefighter Owner   Firefighter ID   System
ACFFIDOWN##         FFID##01         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##02         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##03         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##04         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##05         T41CLNT400, ZMGCLNT800
Unit 10
Solution 24
Assign Owners to Firefighter IDs
Business Example
You are a system administrator. You have been asked to assign Firefighter Owners to
Firefighter IDs.
Note:
As a prerequisite, the Firefighter IDs have already been created on the SAP target
back-end systems (ZMGCLNT800 & T41CLNT400) and have been assigned the
appropriate roles to be used in Emergency Access, as well as the Firefighter ID
role listed in the Maintain Configuration Settings, Parameter Group 6, Parameter
ID 4010. Profile/Role and User Synchronization have also been performed.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign Firefighter Owners to Firefighter IDs.
Firefighter Owner   Firefighter ID   System
ACFFIDOWN##         FFID##01         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##02         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##03         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##04         T41CLNT400, ZMGCLNT800
ACFFIDOWN##         FFID##05         T41CLNT400, ZMGCLNT800
a) On the SAP Fiori Launchpad Home page, in the EAM Administration tile group, choose
Owners.
b) On the Firefighter Owners screen, choose Assign.
c) On the Owner Assignment: New screen, in the Owner ID field, choose Search.
d) In the Select Owner ID dialog box, in the User Name field, enter AC*##.
e) Choose Go.
f) In the Available table, choose ACFFIDOWN##.
g) Choose OK.
h) On the Owner Assignment: New screen, in the Firefighter ID section, choose Add.
i) In the Firefighter ID field, choose Search.
j) In the Select Firefighter ID dialog box, in the Firefighter ID field, enter FFID##*.
The Firefighter IDs that meet the search criteria will appear. There should be 5
Firefighter IDs for each system ZMGCLNT800 and T41CLNT400.
k) Choose Add All (double right arrows) to move all Firefighter IDs to the Selected
section.
l) Choose OK.
m) Add Comments, if you wish.
n) Choose Save.
o) Choose Close.
p) Close the Firefighter Owners browser window.
Unit 10
Exercise 25
Assign Controllers to Firefighter IDs
Business Example
You are a system administrator. You have been asked to assign Firefighter Controllers to
Firefighter IDs.
Note:
As a prerequisite, the Firefighter IDs have already been created on the SAP target
back-end systems (ZMGCLNT800 & T41CLNT400) and have been assigned the
appropriate roles to be used in Emergency Access, as well as the Firefighter ID
role listed in the Maintain Configuration Settings, Parameter Group 6, Parameter
ID 4010. Profile/Role and User Synchronization have also been performed.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign Firefighter Controllers to Firefighter IDs.
Firefighter Owner   Firefighter ID   System                   Notification By
ACFFIDCNTL##        FFID##01         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##02         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##03         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##04         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##05         T41CLNT400, ZMGCLNT800   Workflow
Unit 10
Solution 25
Assign Controllers to Firefighter IDs
Business Example
You are a system administrator. You have been asked to assign Firefighter Controllers to
Firefighter IDs.
Note:
As a prerequisite, the Firefighter IDs have already been created on the SAP target
back-end systems (ZMGCLNT800 & T41CLNT400) and have been assigned the
appropriate roles to be used in Emergency Access, as well as the Firefighter ID
role listed in the Maintain Configuration Settings, Parameter Group 6, Parameter
ID 4010. Profile/Role and User Synchronization have also been performed.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign Firefighter Controllers to Firefighter IDs.
Firefighter Owner   Firefighter ID   System                   Notification By
ACFFIDCNTL##        FFID##01         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##02         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##03         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##04         T41CLNT400, ZMGCLNT800   Workflow
ACFFIDCNTL##        FFID##05         T41CLNT400, ZMGCLNT800   Workflow
a) On the SAP Fiori Launchpad Home page, in the EAM Administration tile group, choose
Controllers.
b) On the SPM Controllers screen, choose Assign.
c) On the Controller Assignment: New screen, in the Controller ID field, choose Search.
d) In the Select Controller ID dialog box, in the User Name field, enter AC*##.
e) Choose Go.
f) In the Available table, choose ACFFIDCNTL##.
g) Choose OK.
h) On the Controller Assignment: New screen, in the Firefighter ID section, choose Add.
i) In the Firefighter ID field, choose Search.
j) In the Select Firefighter ID dialog box, in the Firefighter ID field, enter FFID##*.
Result: The Firefighter IDs that have been assigned Firefighter Owners and meet the
search criteria will appear. There should be 5 Firefighter IDs for each system
ZMGCLNT800 and T41CLNT400.
k) Choose Add All (double right arrows) to move all Firefighter IDs to the Selected
section.
l) Choose OK.
m) In the Notification By field for each ID, use the drop-down to choose Workflow.
n) In the Comments field, enter GRC300 Training.
o) Choose Save.
p) Choose Close.
q) Choose Home to return to the SAP Fiori Launchpad home page.
Unit 10
Exercise 26
Assign Firefighter Users to Firefighter IDs
Business Example
You are a system administrator. You have been asked to assign users to Firefighter
Note:
There are two ways to assign Firefighters to Firefighter IDs. You can assign a
Firefighter ID to a Firefighter(s) or a Firefighter to a Firefighter ID(s). The exercise
includes both scenarios.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign a Firefighter ID to Firefighters
Firefighter ID   System       Criticality   Firefighter User ID
FFID##01         T41CLNT400   Medium        ACFFIGHTER##
2. Assign a Firefighter to Firefighter IDs
Firefighter    Firefighter ID   System
ACFFIGHTER##   FFID##01         ZMGCLNT800
ACFFIGHTER##   FFID##02         T41CLNT400, ZMGCLNT800
ACFFIGHTER##   FFID##03         T41CLNT400, ZMGCLNT800
ACFFIGHTER##   FFID##04         T41CLNT400, ZMGCLNT800
ACFFIGHTER##   FFID##05         T41CLNT400, ZMGCLNT800
Unit 10
Solution 26
Assign Firefighter Users to Firefighter IDs
Business Example
You are a system administrator. You have been asked to assign users to Firefighter
Note:
There are two ways to assign Firefighters to Firefighter IDs. You can assign a
Firefighter ID to a Firefighter(s) or a Firefighter to a Firefighter ID(s). The exercise
includes both scenarios.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Assign a Firefighter ID to Firefighters
Firefighter ID   System       Criticality   Firefighter User ID
FFID##01         T41CLNT400   Medium        ACFFIGHTER##
a) On the SAP Fiori Launchpad Home page, in the EAM Administration tile group, choose
Firefighter IDs.
b) On the Firefighter ID and Role Assignment screen, choose Assign.
c) On the Firefighter ID Assignment: New screen, in the Firefighter ID field, choose Search.
d) On the Select Firefighter ID dialog box, in the Firefighter ID field, enter FFID##01.
e) Choose Go.
f) Choose FFID##01 for System T41CLNT400.
g) Choose OK.
h) On the Firefighter ID Assignment: New screen, choose Add.
i) In the Firefighter User ID field, choose Search.
j) In the Select Firefighter dialog box, in the Firefighter field, enter ACFF*##.
k) Choose Go.
l) In the Available section, select ACFFIGHTER## and choose Add (single right arrow) to
move the Firefighter to the Selected section.
m) Choose OK.
n) On the Firefighter ID Assignment: New screen, choose Save.
o) Choose Close.
p) Close the Firefighter ID and Role Assignment browser tab.
2. Assign a Firefighter to Firefighter IDs
Firefighter    Firefighter ID   System
ACFFIGHTER##   FFID##01         ZMGCLNT800
ACFFIGHTER##   FFID##02         T41CLNT400, ZMGCLNT800
ACFFIGHTER##   FFID##03         T41CLNT400, ZMGCLNT800
ACFFIGHTER##   FFID##04         T41CLNT400, ZMGCLNT800
ACFFIGHTER##   FFID##05         T41CLNT400, ZMGCLNT800
a) On the SAP Fiori Launchpad Home page, in the EAM Administration tile group, choose
Firefighters.
b) On the SPM Firefighter user screen, select one of the lines with your Firefighter User
Name and choose Open.
c) On the Firefighter Assignment: GROUP ## AC FF User Training ID dialog box, choose
Add.
d) In the Firefighter ID field, choose Search.
e) In the Select Firefighter ID dialog box, in the Firefighter ID field, enter FFID##*.
f) Choose Add All (double right arrows) to move all Firefighter IDs to the Selected
section.
g) Choose OK.
Note:
You are not able to assign Criticality in this application.
h) On the Firefighter Assignment: GROUP ## AC FF User Training ID screen, for each line
that was just added, enter the Owner.
Note:
You can copy the Owner Name that was entered from the previous step
and paste in each line.
i) Choose Save.
j) Choose Close.
k) Choose Home to return to the SAP Fiori Launchpad home page.
Note:
To update the target systems with the latest EAM Master Data
assignments, the EAM Master Data Synchronization should be executed.
Unit 10
Exercise 27
Maintain Reason Codes
Business Example
You are a system administrator. You have been asked to Maintain Reason Codes for
Emergency Access Management.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Maintain a Reason Code that will be assigned to a Firefight Session.
Reason Code   Description             System
EAM##01       EAM Reason 1 Group ##   T41CLNT400, ZMGCLNT800
EAM##02       EAM Reason 2 Group ##   ZMGCLNT800
Unit 10
Solution 27
Maintain Reason Codes
Business Example
You are a system administrator. You have been asked to Maintain Reason Codes for
Emergency Access Management.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Maintain a Reason Code that will be assigned to a Firefight Session.
Reason Code   Description             System
EAM##01       EAM Reason 1 Group ##   T41CLNT400, ZMGCLNT800
EAM##02       EAM Reason 2 Group ##   ZMGCLNT800
a) On the SAP Fiori Launchpad Home page, in the EAM Administration tile group, choose
Reason Codes.
b) On the SPM reason code screen, choose Create.
c) In the Reason Code: New dialog box, enter the Reason Code and Description from the
table.
d) Choose Add.
e) In the System field, choose Search.
f) On the Select Systems dialog box, choose Go.
g) In the Available section, select the system(s) noted in the table for the Reason Code.
h) Choose Add (single right arrow) to move selected systems to the Selected section.
i) Choose OK.
j) On the Reason Code: New screen, choose Save.
k) Choose Close.
l) Repeat steps b-k for the other Reason Codes.
m) Close the SPM reason code browser window.
Unit 10
Exercise 28
Execute a Firefight Session
Business Example
You are a system administrator. You have been asked to test executing a firefight session
using the EAM Centralized scenario. A firefight session can also be performed directly in the
system to be maintained (Decentralized).
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Execute a Firefight session using the Centralized functionality. Use Firefighter ID FFID##01
with system ZMGCLNT800.
Note:
For compliance reasons, to execute this exercise, you must log on to SAP
Access Control using ID ACFFIGHTER##.
Reason Codes   Reason Details
EAM##01        Execute Firefight Session for GRC Training Course Group ##
Actions to Perform
● OB52
● PFCG
2. Execute transactions OB52 and PFCG in the firefight session and then end the session.
3. You have realized that an additional transaction needs to be performed. As per policy, you
must document this in the EAM Log.
4. Refresh the Emergency Access Management console to verify you have logged off the
Firefighter ID. Log off the SAP Access Control system for your Firefighter ID.
5. As the Firefighter ID Controller, you have received an email stating you have a log report to
review.
Note:
Close all SAP Fiori sessions before executing this step.
Unit 10
Solution 28
Execute a Firefight Session
Business Example
You are a system administrator. You have been asked to test executing a firefight session
using the EAM Centralized scenario. A firefight session can also be performed directly in the
system to be maintained (Decentralized).
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Execute a Firefight session using the Centralized functionality. Use Firefighter ID FFID##01
with system ZMGCLNT800.
Note:
For compliance reasons, to execute this exercise, you must log on to SAP
Access Control using ID ACFFIGHTER##.
Reason Codes   Reason Details
EAM##01        Execute Firefight Session for GRC Training Course Group ##
Actions to Perform
● OB52
● PFCG
a) Log on to the TGT system, Client 001, with the User ID ACFFIGHTER## and password
Welcome1.
b) On the SAP Easy Access — User Menu for GROUP ## AC FF User Training ID screen, in
the command field, enter /nGRAC_EAM or choose Emergency Access Management
from the User Menu.
c) On the Emergency Access Management screen, in the row for FFID##01 and system
ZMGCLNT800, choose Logon.
d) On the Emergency Access Management dialog box, enter the data from the table.
e) Choose Continue.
f) A new SAP session will open. Check to see that the correct system and ID are
displayed using the information pop-up on the bottom of the screen.
g) Choose the Start SAP Easy Access button if it appears.
h) Remain on this screen for the next step.
2. Execute transactions OB52 and PFCG in the firefight session and then end the session.
a) On the SAP Easy Access — User Menu for FFID01 Firefight ID Group ## screen, in the
command box, enter /nOB52. Choose Enter.
b) On the Determine Work Area: Entry dialog box, choose Continue (Enter).
c) On the Change view "Posting Periods: Specify Time Intervals": Overview screen, in the
command box, enter /nPFCG. Choose Enter.
d) On the Role Maintenance screen, in the Role field, enter Z:RISK_##R1.
e) Choose Role → Copy.
f) In the Query dialog box, in the to role field, enter Z:RISK_##R1_COPY.
g) Choose Copy All.
h) Remain on this screen for the next step.
3. You have realized that an additional transaction needs to be performed. As per policy, you
must document this in the EAM Log.
a) In the Windows task bar, choose the session titled Emergency Access Management.
Note:
This should be your ACFFIGHTER## session in the TGT system.
b) On the Emergency Access Management screen, in the row for FFID##01 and system
ZMGCLNT800, choose Additional Activity.
c) On the Emergency Access Management dialog box, in the Document additional activity
field, enter Additional Transaction needed to complete task - SU01D.
d) Choose Continue.
e) In the Windows task bar, choose the session titled Role Maintenance.
Note:
This should be your Firefight Session in the ZMG system.
f) On the Role Maintenance screen, in the command box, enter /nSU01D. Choose
Enter.
g) On the User Maintenance: Initial Screen, in the command box, enter /nEX to log off the
ZMG system.
Note:
After participants execute the firefight session, if the Log Update job has
not been scheduled, this will need to be executed manually.
4. Refresh the Emergency Access Management console to verify you have logged off the
Firefighter ID. Log off the SAP Access Control system for your Firefighter ID.
a) In the TGT system, on the Emergency Access Management screen, choose Refresh.
Result: The Firefight ID you were using should no longer be checked out.
b) In the command box, enter /nEX to log off the Firefighter user.
5. As the Firefight ID Controller, you have received an email stating you have a log report to
review.
Note:
Close all SAP Fiori sessions before executing this step.
a) Log on to SAP Fiori launchpad with user ID ACFFIDCNTL## and password Welcome1.
b) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose Work
Inbox.
c) Choose the subject EAM Audit review required for... to open the work item.
d) To enter comments, choose the Notes tab.
e) Choose Add Note. Enter comments into the text box that appears.
f) Choose Submit.
g) In the Confirmation Dialog screen, choose Yes.
h) Choose Close.
i) Choose the Me icon in the upper left of the screen, then choose Sign Out.
Unit 10
Exercise 29
Review a Log Report
Business Example
You are a system administrator. You have been asked to review a log report from a Firefight
session using the Consolidated Log Report.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Review the Firefight Logs for Firefighter FFID##01 using the Consolidated Log Report.
Unit 10
Solution 29
Review a Log Report
Business Example
You are a system administrator. You have been asked to review a log report from a Firefight
session using the Consolidated Log Report.
Note:
Unless otherwise noted in the instructions, use GRC300-## when accessing the
SAP GRC or SAP ERP systems.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Review the Firefight Logs for Firefighter FFID##01 using the Consolidated Log Report.
a) Log on to SAP Fiori launchpad with user ID GRC300-##.
b) On the SAP Fiori Launchpad home page, in the EAM Reporting tile group, choose
Consolidated Log Report.
c) On the Consolidated Log Report screen, in the Firefighter ID field, enter FFID##01.
d) Choose Run in foreground.
e) Review the data that displays. Scroll to the left to see additional data.
f) Close the Consolidated Log Report browser tab.
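As an added example that is not part of the SAP course material or of any SAP program, the comparison a Firefighter ID controller makes when reviewing such a log, automated in Python: transactions actually run are checked against the reason code's Actions to Perform plus whatever was documented as additional activity. The log export format, the session records (group 01 filled in for ##) and the rule for reading a transaction code out of a free-text note are constructed for this example; the declared actions OB52/PFCG and the SU01D note are the ones from the firefight exercise.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample of a consolidated log export (not real SAP output).
# Columns: timestamp | firefighter ID | target system | transaction code.
# An empty transaction column stands for a session that ran no transaction.
CONSOLIDATED_LOG = """\
20220315 101203|FFID0101|ZMGCLNT800|OB52
20220315 101410|FFID0101|ZMGCLNT800|PFCG
20220315 102055|FFID0101|ZMGCLNT800|SU01D
20220315 102301|FFID0101|ZMGCLNT800|SE16
20220315 113000|FFID0102|ZMGCLNT800|
20220315 120000|FFID0103|ZMGCLNT800|OB52
20220315 120330|FFID0103|ZMGCLNT800|PFCG
"""

@dataclass
class ReasonCode:
    code: str
    details: str
    actions_to_perform: frozenset[str]   # the reason code's "Actions to Perform"

@dataclass
class FirefightSession:
    ffid: str
    system: str
    reason: ReasonCode
    additional_activity: list[str] = field(default_factory=list)   # free-text notes

# Hypothetical rule for this example: a transaction code in a free-text note is an
# all-upper-case token of three or more letters, digits or underscores, so words
# such as "Additional" or "task" are ignored.
TCODE = re.compile(r"\b[A-Z][A-Z0-9_]{2,19}\b")

def transactions_in_note(note: str) -> set[str]:
    """Return the transaction codes documented in one additional-activity note."""
    return set(TCODE.findall(note))

def parse_log(text: str) -> dict[str, list[str]]:
    """Group executed transaction codes by firefighter ID, keeping log order."""
    executed: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, ffid, _system, tcode = line.split("|")
        executed.setdefault(ffid, [])
        if tcode:
            executed[ffid].append(tcode)
    return executed

def review_session(session: FirefightSession, executed: list[str]) -> dict:
    """Compare what was run with what was declared or documented during the session."""
    documented = set(session.reason.actions_to_perform)
    for note in session.additional_activity:
        documented |= transactions_in_note(note)
    undocumented = sorted(set(executed) - documented)
    not_performed = sorted(session.reason.actions_to_perform - set(executed))
    findings = []
    if not executed:
        # Sessions without activity still reach the controller (cf. parameter 4020).
        findings.append("session recorded no transactions")
    if undocumented:
        findings.append("undocumented transactions: " + ", ".join(undocumented))
    if not_performed:
        findings.append("declared but not performed: " + ", ".join(not_performed))
    return {
        "ffid": session.ffid,
        "documented": sorted(documented),
        "undocumented": undocumented,
        "not_performed": not_performed,
        "findings": findings,
        "decision": "approve" if not findings else "follow up",
    }

# Reason code and sessions as in the firefight exercise for group 01, constructed here.
REASON_EAM0101 = ReasonCode(
    "EAM0101", "Execute Firefight Session for GRC Training Course Group 01",
    frozenset({"OB52", "PFCG"}),
)
SESSIONS = [
    FirefightSession("FFID0101", "ZMGCLNT800", REASON_EAM0101,
                     ["Additional Transaction needed to complete task - SU01D"]),
    FirefightSession("FFID0102", "ZMGCLNT800", REASON_EAM0101),
    FirefightSession("FFID0103", "ZMGCLNT800", REASON_EAM0101),
]

def review_all(log_text: str = CONSOLIDATED_LOG,
               sessions: list[FirefightSession] = SESSIONS) -> list[dict]:
    """Review every session against the log; one result dict per session."""
    executed = parse_log(log_text)
    return [review_session(s, executed.get(s.ffid, [])) for s in sessions]

if __name__ == "__main__":
    for result in review_all():
        print(result["ffid"], result["decision"], result["findings"])
```

SE16 in the first session is the kind of entry the controller has to follow up on: it was neither on the reason code nor documented during the session, while SU01D passes because the firefighter documented it before running it.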
Unit 10
Exercise 30
Review Parameter Settings for Emergency
Access Management
Business Example
You are a system administrator. You have been asked to review current and available
configuration settings for Emergency Access Management.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Emergency Access Management.
2. List the settings that are set and their values for Parameter Group 6-Emergency Access
Management:
● 4000-Application type
● 4001-Default Firefighter Validity Period (Days)
● 4003-Retrieve Change Log
● 4004-Retrieve System log
● 4005-Retrieve Audit log
● 4006-Retrieve OS Command log
● 4007-Send Log Report Execution Notification Immediately
● 4008-Send FirefightId Login Notification
● 4009-Log Report Execution Notification
● 4010-Firefighter ID role name
● 4012-Default User for forwarding the Audit Log workflow
● 4013-Firefighter ID owner can submit request for Firefighter ID owned
● 4014-Firefighter ID controller can submit request for Firefighter ID controlled
● 4015-Enable Decentralized Firefighting
● 4017-Enable CUP request no. to be shown in Firefighter - Firefighter ID/Role assignment screen
● 4018-Enable detailed logging (SLG1) for EAM Log Synchronization programs
● 4020-Generate EAM log for Firefighter sessions with no activity
● 4021-Use ALV Grid for Firefighter Filter Transaction
● 4025-Restrict Firefighter Validity period during Access Request
● 5033-Allow Firefighter with no Controller
3. Choose Back to return to the Display IMG screen.
4. Review the configuration settings in the Emergency Access Management node. Navigate
to Governance, Risk and Compliance → Access Control → Emergency Access Management.
5. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
6. List the settings that are set and their values for the ZMG system:
● 1000-Please maintain Plug-in Connector
● 1001-Please maintain GRC Connector
● 1002-Please maintain Ruleset
● 4000-EAM Application Type
● 4001-Default Firefighter Validity Period (Days)
● 4008-Send FirefightId Login Notification
● 4010-FFID Role Name
Note:
Parameters 1089 and 1090 are obsolete and have been replaced with
Parameters 4000 and 4010, respectively.
7. In the command field, enter /nEX to log off from this system.
8. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
9. Log on to the T41 system (use the SAP Logon Pad) with GRC300-## and review the
following settings, which are configured in the IMG under Governance, Risk and
Compliance (Plug-In) → Maintain Plug-In Configuration Settings:
● 1000-Please maintain Plug-in Connector
● 1001-Please maintain GRC Connector
● 1002-Please maintain Ruleset
● 4000-EAM Application Type
● 4001-Default Firefighter Validity Period (Days)
● 4008-Send FirefightId Login Notification
● 4010-FFID Role Name
Note:
Parameters 1089 and 1090 are obsolete and have been replaced with
Parameters 4000 and 4010, respectively.
10. In the command field, enter /nEX to log off from this system.
Unit 10
Solution 30
Review Parameter Settings for Emergency
Access Management
Business Example
You are a system administrator. You have been asked to review current and available
configuration settings for Emergency Access Management.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Emergency Access Management.
a) Log on to the TGT ABAP client with user ID GRC300–##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Maintain Configuration
Settings.
The AC Configuration Settings screen is displayed. These are the parameters that are
configured for this particular instance of SAP Access Control. Remember that some
parameters have a coded default in the GRACCONFIG table. If a parameter is not
entered here, the default is applied.
2. List the settings that are set and their values for Parameter Group 6-Emergency Access
Management:
● 4000-Application type
● 4001-Default Firefighter Validity Period (Days)
● 4003-Retrieve Change Log
● 4004-Retrieve System log
● 4005-Retrieve Audit log
● 4006-Retrieve OS Command log
● 4007-Send Log Report Execution Notification Immediately
● 4008-Send FirefightId Login Notification
● 4009-Log Report Execution Notification
● 4010-Firefighter ID role name
● 4012-Default User for forwarding the Audit Log workflow
● 4013-Firefighter ID owner can submit request for Firefighter ID owned
● 4014-Firefighter ID controller can submit request for Firefighter ID controlled
● 4015-Enable Decentralized Firefighting
● 4017-Enable CUP request no. to be shown in Firefighter - Firefighter ID/Role assignment screen
● 4018-Enable detailed logging (SLG1) for EAM Log Synchronization programs
● 4020-Generate EAM log for Firefighter sessions with no activity
● 4021-Use ALV Grid for Firefighter Filter Transaction
● 4025-Restrict Firefighter Validity period during Access Request
● 5033-Allow Firefighter with no Controller
a) 4000: 1
b) 4001: 365
c) 4003 - 4009: YES
d) 4010: SAP_GRC_SPM_FFID
e) 4012: 2 (Only to Controllers)
f) 4013 - 4015: YES
g) 4017 - 4018: YES
h) 4020 - 4021: YES
i) 4025: YES
j) 5033: NO
3. Choose Back to return to the Display IMG screen.
4. Review the configuration settings in the Emergency Access Management node. Navigate
to Governance, Risk and Compliance → Access Control → Emergency Access Management.
a) Maintain Firefighter ID Role Name Per Connector.
Are there any Connector specific Firefight ID identifier roles?
No
b) Maintain Criticality Levels for Emergency Access Management.
How many criticality levels have been configured? List the descriptions.
4 levels: Low, Medium, High, Very High
5. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
a) Log on to the ZMG ABAP client with user ID GRC300–##.
b) Execute transaction /nSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance (Plug-In) → Access Control → Maintain
Plug-In Configuration Settings.
The Change View "For System Details": Overview screen is displayed.
6. List the settings that are set and their values for the ZMG system:
● 1000-Please maintain Plug-in Connector
● 1001-Please maintain GRC Connector
● 1002-Please maintain Ruleset
● 4000-EAM Application Type
● 4001-Default Firefighter Validity Period (Days)
● 4008-Send FirefightId Login Notification
● 4010-FFID Role Name
Note:
Parameters 1089 and 1090 are obsolete and have been replaced with
Parameters 4000 and 4010, respectively.
a) 1000: ZMGCLNT800
b) 1001: TGTCLNT001
c) 1002: GLOBAL
d) 4000: 1
e) 4001: 365
f) 4008: YES
g) 4010: SAP_GRAC_SPM_FFID
7. In the command field, enter /nEX to log off from this system.
8. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Analyze and Manage Risk.
a) Log on to the T41 ABAP client with user ID GRC300–##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance (Plug-In) → Access Control → Maintain
Plug-In Configuration Settings.
The Change View "For System Details": Overview screen is displayed.
9. Log on to the T41 system (use the SAP Logon Pad) with GRC300-## and review the
following settings, which are configured in the IMG under Governance, Risk and
Compliance (Plug-In) → Maintain Plug-In Configuration Settings:
● 1000-Please maintain Plug-in Connector
● 1001-Please maintain GRC Connector
● 1002-Please maintain Ruleset
● 4000-EAM Application Type
● 4001-Default Firefighter Validity Period (Days)
● 4008-Send FirefightId Login Notification
● 4010-FFID Role Name
Note:
Parameters 1089 and 1090 are obsolete and have been replaced with
Parameters 4000 and 4010, respectively.
a) 1000: T41CLNT400
b) 1001: TGTCLNT001
c) 1002: GLOBAL
d) 4000: 1
e) 4001: 365
f) 4008: YES
g) 4010: SAP_GRAC_SPM_FFID
10. In the command field, enter /nEX to log off from this system.
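As an added example that is not part of the course material, a Python check that reads the parameter group 6 values in the same "parameter: value" and "from - to: value" notation the solution above uses, and compares them with a review baseline. The baseline (all log sources retrieved, notifications sent, no firefighter without a controller, validity of at most 365 days), the "not maintained" handling for parameters left to their GRACCONFIG default, and the WEAKENED extract are assumptions made for this example, not SAP recommendations.

```python
import re

# Parameter group 6 (Emergency Access Management) as listed in the exercise.
EAM_PARAMETERS = {
    "4000": "Application type",
    "4001": "Default Firefighter Validity Period (Days)",
    "4003": "Retrieve Change Log",
    "4004": "Retrieve System log",
    "4005": "Retrieve Audit log",
    "4006": "Retrieve OS Command log",
    "4007": "Send Log Report Execution Notification Immediately",
    "4008": "Send FirefightId Login Notification",
    "4009": "Log Report Execution Notification",
    "4010": "Firefighter ID role name",
    "4012": "Default User for forwarding the Audit Log workflow",
    "4013": "Firefighter ID owner can submit request for Firefighter ID owned",
    "4014": "Firefighter ID controller can submit request for Firefighter ID controlled",
    "4015": "Enable Decentralized Firefighting",
    "4017": "Enable CUP request no. to be shown in Firefighter ID/Role assignment screen",
    "4018": "Enable detailed logging (SLG1) for EAM Log Synchronization programs",
    "4020": "Generate EAM log for Firefighter sessions with no activity",
    "4021": "Use ALV Grid for Firefighter Filter Transaction",
    "4025": "Restrict Firefighter Validity period during Access Request",
    "5033": "Allow Firefighter with no Controller",
}

# Review baseline: an assumption for this example, not an SAP recommendation.
# Every log source retrieved, notifications sent, no firefighter without a
# controller, and a default firefighter validity of at most one year.
BASELINE = {p: "YES" for p in ("4003", "4004", "4005", "4006", "4007", "4008", "4009", "4020")}
BASELINE["5033"] = "NO"
MAX_VALIDITY_DAYS = 365

# Constructed extracts in the notation the solution uses. AS_REVIEWED carries the
# values found in the exercise; WEAKENED is a made-up configuration a review
# should reject (one log source off, two not maintained, controller-less FFIDs).
AS_REVIEWED = """\
4000: 1
4001: 365
4003 - 4009: YES
4010: SAP_GRC_SPM_FFID
4012: 2
4013 - 4015: YES
4017 - 4018: YES
4020 - 4021: YES
4025: YES
5033: NO
"""
WEAKENED = """\
4000: 1
4001: 9999
4003 - 4004: YES
4005: NO
4007 - 4009: YES
4010: SAP_GRC_SPM_FFID
5033: YES
"""

ENTRY = re.compile(r"^\s*(\d{4})\s*(?:-\s*(\d{4}))?\s*:\s*(.+?)\s*$")

def expand_settings(extract: str) -> dict:
    """Turn 'a - b: value' ranges into one entry per known EAM parameter in [a, b]."""
    settings = {}
    for line in extract.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue
        first, last, value = match.group(1), match.group(2) or match.group(1), match.group(3)
        for pid in range(int(first), int(last) + 1):
            if str(pid) in EAM_PARAMETERS:   # ids not in group 6 (e.g. 4011) are skipped
                settings[str(pid)] = value
    return settings

def review_eam_settings(extract: str) -> list:
    """One finding per parameter that deviates from BASELINE or is not maintained."""
    settings = expand_settings(extract)
    findings = []
    for pid, expected in sorted(BASELINE.items()):
        name = EAM_PARAMETERS[pid]
        actual = settings.get(pid)
        if actual is None:
            # Not in AC Configuration Settings: the coded default in GRACCONFIG
            # applies, so the reviewer must confirm it rather than assume it.
            findings.append(f"{pid} ({name}): not maintained, coded default applies; confirm it is {expected}")
        elif actual.upper() != expected:
            findings.append(f"{pid} ({name}): {actual}, baseline {expected}")
    validity = settings.get("4001", "")
    if validity.isdigit() and int(validity) > MAX_VALIDITY_DAYS:
        findings.append(f"4001 ({EAM_PARAMETERS['4001']}): {validity} exceeds {MAX_VALIDITY_DAYS}")
    return findings

if __name__ == "__main__":
    for label, extract in (("as reviewed", AS_REVIEWED), ("weakened", WEAKENED)):
        print(label, review_eam_settings(extract) or ["no findings"])
```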
Unit 11
Exercise 31
Review Parameter Settings for Periodic Access
Review
Business Example
You are a system administrator. You have been asked to review configuration parameters for
Periodic Access Review.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Periodic Access Review.
2. List the settings that are set and their values for Parameter Group 7- UAR Review:
● 2004 - Request Type for UAR
● 2005 - Default Priority
● 2006 - Who are the reviewers?
● 2007 - Admin. review required before sending tasks to reviewers
● 2008 - Number of line items per UAR request
● 2062 - Send notification to users whose access is removed
3. List the settings that are set and their values for Parameter Group 15- SoD Review:
● 2016 - Request Type for SoD
● 2017 - Default priority for SoD
● 2018 - Who are the reviewers?
● 2019 - Admin. review required before sending tasks to reviewers
● 2020 - Number of unique line items per SOD request (Maximum 9999)
● 2023 - Is actual removal of role allowed
4. In the SAP Reference IMG, navigate to Governance, Risk and Compliance → Access
Control → User Provisioning → Maintain Review Rejection Reasons.
Review the listed rejection reasons.
5. Choose Back to return to the Display IMG screen.
Unit 11
Solution 31
Review Parameter Settings for Periodic Access
Review
Business Example
You are a system administrator. You have been asked to review configuration parameters for
Periodic Access Review.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Access the IMG Configuration to review the SAP Access Control parameter settings
relevant to Periodic Access Review.
a) Log on to the TGT ABAP client with user ID GRC300–##.
b) Execute transaction /NSPRO, then choose SAP Reference IMG.
c) Choose Governance, Risk and Compliance → Access Control → Maintain Configuration
Settings.
The AC Configuration Settings screen is displayed. These are the parameters that are
configured for this particular instance of SAP Access Control. Remember that some
parameters have a coded default in the GRACCONFIG table. If a parameter is not
entered here, the default is applied.
2. List the settings that are set and their values for Parameter Group 7- UAR Review:
● 2004 - Request Type for UAR
● 2005 - Default Priority
● 2006 - Who are the reviewers?
● 2007 - Admin. review required before sending tasks to reviewers
● 2008 - Number of line items per UAR request
● 2062 - Send notification to users whose access is removed
a) 2004: 011
b) 2005: 006
c) 2006: ROLE OWNER
d) 2007: YES
e) 2008: 25
f) 2062: YES
3. List the settings that are set and their values for Parameter Group 15- SoD Review:
● 2016 - Request Type for SoD
● 2017 - Default priority for SoD
● 2018 - Who are the reviewers?
● 2019 - Admin. review required before sending tasks to reviewers
● 2020 - Number of unique line items per SOD request (Maximum 9999)
● 2023 - Is actual removal of role allowed
a) 2016: 010
b) 2017: 007
c) 2018: MANAGER
d) 2019: YES
e) 2020: 25
f) 2023: YES
4. In the SAP Reference IMG, navigate to Governance, Risk and Compliance → Access
Control → User Provisioning → Maintain Review Rejection Reasons.
Review the listed rejection reasons.
a) Rejected User - Not my Direct Report
b) Rejected User - User is Unknown
c) Rejected Risk - Risk no Longer Approved
5. Choose Back to return to the Display IMG screen.
Unit 12
Exercise 32
Add Custom Fields to Request Header
Business Example
You are a system administrator. You have been asked to add custom fields to a request
header.
Note:
This exercise creates data that is used in the exercise Add Custom Fields to Role
Definition.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Log on to ABAP client for GRC, SID: TGT, Client: 001 with user ID GRC300-##.
2. Create Domains using the data in the following table:
Note:
Save items as LOCAL OBJECT. Remember to activate each object after
saving.
Domain ID | Short Description | Data Type | No. Characters
ZAC_CF_TX20_## | Char String 20 Chars for Group ## | CHAR | 20
ZAC_CF_REG_## | Multiple Values String for Group ## | CHAR | 5
ZAC_CF_DATE_## | Single Date Value for Group ## | DATS | Attributes will be populated automatically
Enter the following values for the domain ZAC_CF_REG_##:
● EMEA – Europe
● APJ – Asia Pacific Japan
● ANZ – Australia New Zealand
● AMER – Americas
3. Create Data Elements using the data in the following table:
Data Type | Short Description | Domain | Length-Field Label
ZAC_DE_EID_## | Employee ID – Custom Field for GRC Training Group ## | ZAC_CF_TX20_## | 10-Emp ID##; 10-Emp ID##; 20-Employee ID##; 20-Employee ID##
ZAC_DE_DIV_## | Division – Custom Field for GRC Training Group ## | ZAC_CF_TX20_## | 5-DIV##; 10-Division##; 20-Division##; 20-Division##
ZAC_DE_MKT_## | Market – Market of User-Custom Field for GRC Training Grp ## | ZAC_CF_REG_## | 10-MKT##; 15-Mkt of User##; 20-Market of User##; 20-Market of User##
ZAC_DE_HIR_## | Hire Date – Custom Field for GRC Training Group ## | ZAC_CF_DATE_## | 8-Hire##; 10-Hire Dte##; 12-Hire Dte##; 12-Hire Dte##
4. Modify / Create structure CI_GRAC_REQ_ATTR included in database table GRACREQ to
add the custom fields to the Request Header table using the data in the following table.
In the short description, enter Custom fields INCLUDE for Role Definition.
Component | Component Type
ZZAC_DE_EID_## | ZAC_DE_EID_##
ZZAC_DE_DIV_## | ZAC_DE_DIV_##
ZZAC_DE_MKT_## | ZAC_DE_MKT_##
ZZAC_DE_HIR_## | ZAC_DE_HIR_##
Note:
Remember to set the Enhancement Category. Review any warnings that may
display. Warning messages regarding Position can be ignored.
5. Check the Customer Defined fields for issues.
6. Configure your newly created custom fields using the data in the following table. When
configuring these custom fields, mark them as Optional. When creating the request use
the short description Custom Field Customizing Group ##.
Field ID | Status
ZZAC_DE_EID_## | Optional Entry
ZZAC_DE_DIV_## | Optional Entry
ZZAC_DE_MKT_## | Optional Entry
ZZAC_DE_HIR_## | Optional Entry
7. Verify that the fields just created appear on the Access Request screen.
8. Verify that the fields created appear in BRF+ context.
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Initiator Rule
Rule ID | TEST TO VERIFY CUSTOM FIELDS
Application/Func. Group Name | TEST TO VERIFY CUSTOM FIELDS
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
Unit 12
Solution 32
Add Custom Fields to Request Header
Business Example
You are a system administrator. You have been asked to add custom fields to a request
header.
Note:
This exercise creates data that is used in the exercise Add Custom Fields to Role
Definition.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Log on to ABAP client for GRC, SID: TGT, Client: 001 with user ID GRC300-##.
2. Create Domains using the data in the following table:
Note:
Save items as LOCAL OBJECT. Remember to activate each object after
saving.
Domain ID | Short Description | Data Type | No. Characters
ZAC_CF_TX20_## | Char String 20 Chars for Group ## | CHAR | 20
ZAC_CF_REG_## | Multiple Values String for Group ## | CHAR | 5
ZAC_CF_DATE_## | Single Date Value for Group ## | DATS | Attributes will be populated automatically
Enter the following values for the domain ZAC_CF_REG_##:
● EMEA – Europe
● APJ – Asia Pacific Japan
● ANZ – Australia New Zealand
● AMER – Americas
a) On the SAP Easy Access - User Menu screen, in the command field, enter SE11.
b) Choose Enter.
c) On the ABAP Dictionary: Initial Screen, choose Domain.
d) In the Domain field, enter the Domain ID from the table.
e) Choose Create.
f) On the Dictionary: Change Domain screen, enter the Short Description, Data
Type, and No. Characters from the table. For the domain ZAC_CF_REG_##, also
choose the Value Range tab and enter the values listed for that domain in the table
in the Single Vals for Fix.Val and Short Descript. fields.
g) Choose Check from the Dictionary: Change Domain menu bar.
h) In the Check Domain dialog screen, choose Yes.
i) On the Create Object Directory Entry screen, choose Local Object.
Note:
Choosing Local Object is only for training. During normal maintenance,
place objects in a Package and a transport.
j) Choose Activate from the Dictionary: Change Domain menu bar.
k) Verify that the Domain has changed from New to Active.
l) Choose Back.
m) Repeat steps c - m for each Domain ID in the table.
n) Choose Back to return to the ABAP Dictionary: Initial Screen.
o) Remain on this screen for the next step.
3. Create Data Elements using the data in the following table:
Data Type | Short Description | Domain | Length-Field Label
ZAC_DE_EID_## | Employee ID – Custom Field for GRC Training Group ## | ZAC_CF_TX20_## | 10-Emp ID##; 10-Emp ID##; 20-Employee ID##; 20-Employee ID##
ZAC_DE_DIV_## | Division – Custom Field for GRC Training Group ## | ZAC_CF_TX20_## | 5-DIV##; 10-Division##; 20-Division##; 20-Division##
ZAC_DE_MKT_## | Market – Market of User-Custom Field for GRC Training Grp ## | ZAC_CF_REG_## | 10-MKT##; 15-Mkt of User##; 20-Market of User##; 20-Market of User##
ZAC_DE_HIR_## | Hire Date – Custom Field for GRC Training Group ## | ZAC_CF_DATE_## | 8-Hire##; 10-Hire Dte##; 12-Hire Dte##; 12-Hire Dte##
a) On the ABAP Dictionary: Initial Screen, choose Data type.
b) In the Data type field, enter the Data Type from the table.
c) Choose Create.
d) On the Create Type <Data Type> screen, choose Data Element.
e) Choose Continue (Enter).
f) On the Dictionary: Change Data Element screen, enter the Short Description and the
Domain from the table.
g) Choose Enter.
h) Choose the Field Label tab.
i) Enter Length and Field Label from the table for Short, Medium, Long, and Heading
respectively.
j) Choose Check from the Dictionary: Change Data Element menu bar.
k) If the Check Data Element dialog box appears, choose Yes.
l) On the Create Object Directory Entry screen, choose Local Object.
Note:
Choosing Local Object is only for training. During normal maintenance,
place objects in a Package and a transport.
m) Choose Activate from the Dictionary: Change Data Element menu bar.
n) Verify that the Data Element has changed from New to Active.
o) Choose Back.
p) Repeat steps a - p for each Data Element in the table.
q) Choose Back to return to the ABAP Dictionary: Initial Screen.
4. Modify / Create structure CI_GRAC_REQ_ATTR included in database table GRACREQ to
add the custom fields to the Request Header table using the data in the following table.
In the short description, enter Custom fields INCLUDE for Role Definition.
Component | Component Type
ZZAC_DE_EID_## | ZAC_DE_EID_##
ZZAC_DE_DIV_## | ZAC_DE_DIV_##
ZZAC_DE_MKT_## | ZAC_DE_MKT_##
ZZAC_DE_HIR_## | ZAC_DE_HIR_##
Note:
Remember to set the Enhancement Category. Review any warnings that may
display. Warning messages regarding Position can be ignored.
a) On the ABAP Dictionary: Initial Screen, choose Database table.
b) In the Database table field, enter GRACREQ.
c) In the Information dialog box, choose Continue (Enter).
d) Verify the window states Dictionary: Change Table. If not, choose Display ↔ Change.
e) On the Dictionary: Change Table screen, scroll down to the field .Include.
f) Double-click the Data Element CI_GRAC_REQ_ATTR.
g) If a message appears to create the structure, choose Yes.
h) Enter Custom Fields INCLUDE for Request Header in the Short Description if
the field is not already populated.
i) Verify that you are in change mode. If not, choose Display ↔ Change.
j) Enter the Component and Component Type for each entry in the table.
k) Choose Types for Typing Method.
l) On the Dictionary: Change Structure screen, choose Extras from the main menu bar.
m) Choose Enhancement Category.
n) On the Maintain Enhancement Category for CI_GRAC_REQ_ATTR screen, choose
Cannot Be Enhanced.
o) Choose Copy.
p) Choose Check from the Dictionary: Change Structure menu bar.
q) On the Check Structure dialog screen, choose Yes.
r) If the Create Object Directory Entry screen appears, choose Local Object.
Note:
Choosing Local Object is only for training. During normal maintenance,
place objects in a Package and a transport.
s) Choose Activate from the Dictionary: Change Structure menu bar.
t) If the Inactive Objects for GRC300-## appear, choose all entries, then choose
Continue (Enter).
u) Verify that the Structure has changed from New (or Revised) to Active.
v) If the Warning During Activation screen appears, choose Yes.
w) Review the Log display for any Warnings or Errors. If Errors exist, please notify the
instructor for assistance.
x) Choose Back until the SAP Easy Access - User Menu appears.
5. Check the Customer Defined fields for issues.
a) On the SAP Easy Access - User Menu screen, in the command field, enter SA38.
b) Choose Enter.
c) Enter Program GRFN_CHECK_CDF.
d) Choose Execute.
e) On the Customer Defined Fields - Check Utility screen, in the Execution Mode area,
choose Run in a "Correction mode".
f) In the To be Corrected area, choose Subtypes for Reg., UI metadata, and Reporting
metadata.
g) Choose Execute.
Result: Verify that the message "Structures successfully generated" appears and your
ID is listed.
h) Choose Back until the SAP Easy Access - User Menu screen appears.
6. Configure your newly created custom fields using the data in the following table. When
configuring these custom fields, mark them as Optional. When creating the request use
the short description Custom Field Customizing Group ##.
Field ID | Status
ZZAC_DE_EID_## | Optional Entry
ZZAC_DE_DIV_## | Optional Entry
ZZAC_DE_MKT_## | Optional Entry
ZZAC_DE_HIR_## | Optional Entry
a) On the SAP Easy Access - User Menu screen, in the command field, enter transaction
SPRO.
b) Choose Enter.
c) Choose SAP Reference IMG.
d) Choose Governance Risk and Compliance → Shared Master Data Settings → Maintain
Field-Based Configuration.
e) On the Display View "Regulation Specific Configuration": Overview screen, in the Dialog
Structure navigation pane, double-click Choose Entity.
f) On the Information screen, choose Continue (Enter).
g) In the Choose Entity area, choose ACCREQ.
h) In the Dialog Structure navigation pane, double-click Field Status Configuration by
Appl. Component.
i) Choose New Entries.
j) Enter Field ID and Status for each field in the table. Use the Search function to choose.
k) Choose AC for the Component from the drop-down list.
l) Choose Save.
m) If needed, on the Prompt for Customizing request screen, choose Create.
n) On the Create Request screen, enter the Short Description Custom Field
Customizing Group ##.
o) Choose Save.
p) On the Prompt for Customizing request screen, choose Enter.
q) Choose Back until the SAP Easy Access - User Menu screen appears.
7. Verify that the fields just created appear on the Access Request screen.
a) On the SAP Easy Access — User Menu screen, choose SAP Fiori Launchpad.
b) Log on to SAP Fiori with user ID GRC300-## and password Welcome1.
c) On the SAP Fiori Launchpad home page, in the AC Home tile group, choose the Access
Request tile.
d) On the Access Request screen, choose the Custom Data tab.
e) Review the fields shown. Verify that your fields appear and the correct data is
displayed.
f) Sign out of SAP Fiori.
g) Close all browsers and return to the SAP Easy Access - User Menu screen.
8. Verify that the fields created appear in BRF+ context.
Field | Value
MSMP Process ID | SAP_GRAC_ACCESS_REQUEST
Rule Kind | Initiator Rule
Rule ID | TEST TO VERIFY CUSTOM FIELDS
Application/Func. Group Name | TEST TO VERIFY CUSTOM FIELDS
Rule Type | BRFplus Flat Rule (LineItem by LineItem)
a) On the SAP Easy Access - User Menu screen, in the command field, enter transaction
GRFNMW_DEV_RULES.
b) Choose Enter.
c) On the Generate MSMP Rule for Process screen, enter the data from the table.
d) Choose Enter.
Note:
Do not choose Execute.
e) In the Generate decision table section, choose Header (BRF+ Flat Rule).
f) On the Dialog screen, verify that your custom fields appear.
g) Cancel out of all screens without saving any data and return to the SAP Easy Access User Menu screen.
h) In the command field, enter BRF+.
i) Choose Enter.
j) On the Business Rule Framework plus screen, in the My Applications navigation panel,
choose Z##_INITIATOR_RULE → Data
Object → Structure → GRAC_S_REQUEST_RULE_HEADER - Structure.
k) In the Detail section, scroll down to locate your custom fields.
l) If your fields do not appear, in the Define Data Binding section, choose Refresh Binding.
m) Close the BRF+ browser screen.
Unit 12
Exercise 33
Add Custom Fields to Role Definition
Business Example
You are a system administrator. You have been asked to add custom fields to a role definition.
Note:
This exercise uses data from the exercise Add Custom Fields to Request Header.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Log on to ABAP client for GRC, SID: TGT, Client: 001 with user ID GRC300-##.
2. Create Data Elements using the data in the following table.
Note:
Save items as LOCAL OBJECT. Remember to activate each object after saving.
Data Type | Short Description | Domain | Length-Field Label
ZAC_DE_RMKT_## | Market of Role – Custom Field for GRC Training Group ## | ZAC_CF_REG_## | 10-Mkt Role##; 15-Mkt of Role##; 20-Market of Role##; 20-Market of Role##
ZAC_DE_RREQ_## | Role Request Date – Custom Field for GRC Training Group ## | ZAC_CF_DATE_## | 8-ReqDt##; 10-Req Date##; 12-Req Date##; 12-Req Date##
3. Modify / Create structure CI_ROLE_ATTR included in database table GRACROLE to add
the custom fields to the Role table. Use the data in the following table:
Component | Component Type
ZZAC_DE_RMKT_## | ZAC_DE_RMKT_##
ZZAC_DE_RREQ_## | ZAC_DE_RREQ_##
Note:
In the short description, enter Custom fields INCLUDE for Role
Definition.
Note:
Remember to set the Enhancement Category. Review warnings that might
display. Warning messages regarding Position can be ignored.
4. Check the Customer Defined fields for issues.
5. Verify that the fields created appear on the Role Maintenance screen.
6. Verify that the fields created appear in BRF+ context.
Field                          Value
MSMP Process ID                SAP_GRAC_ACCESS_REQUEST
Rule Kind                      Initiator Rule
Rule ID                        TEST TO VERIFY CUSTOM FIELDS
Application/Func. Group Name   TEST TO VERIFY CUSTOM FIELDS
Rule Type                      BRFplus Flat Rule (LineItem by LineItem)
Unit 12
Solution 33: Add Custom Fields to Role Definition
Business Example
You are a system administrator. You have been asked to add custom fields to a role definition.
Note:
This exercise uses data from the exercise Add Custom Fields to Request Header.
Note:
In this exercise, when values include ##, replace the characters with the
participant number your instructor assigned to you.
1. Log on to ABAP client for GRC, SID: TGT, Client: 001 with user ID GRC300-##.
2. Create Data Elements using the data in the following table.
Note:
Save items as LOCAL OBJECT. Remember to activate each object after saving.
Data Type        Short Description                          Domain           Length-Field Label
ZAC_DE_RMKT_##   Market of Role – Custom Field for          ZAC_CF_REG_##    10 – Mkt Role## (Short)
                 GRC Training Group ##                                       15 – Mkt of Role## (Medium)
                                                                             20 – Market of Role## (Long)
                                                                             20 – Market of Role## (Heading)
ZAC_DE_RREQ_##   Role Request Date – Custom Field for       ZAC_CF_DATE_##   8 – ReqDt## (Short)
                 GRC Training Group ##                                       10 – Req Date## (Medium)
                                                                             12 – Req Date## (Long)
                                                                             12 – Req Date## (Heading)
a) On the SAP Easy Access - User Menu screen, in the command field, enter SE11.
b) Choose Enter.
c) On the ABAP Dictionary: Initial Screen, choose Data Type.
d) In the Data Type field, enter the Data Type from the table.
e) Choose Create.
f) On the Create: <Data Type> screen, choose Data Element.
g) Choose Continue (Enter).
h) On the Dictionary: Change Data Element screen, enter the Short Description and Domain
from the table.
i) Choose Enter.
j) Choose Field Label tab.
k) Enter Length and Field Label from the table for Short, Medium, Long, and Heading
respectively.
l) Choose Check from the Dictionary: Change Data Element menu bar.
m) If the Check Data Element dialog box appears, choose Yes.
n) On the Create Object Directory Entry screen, choose Local Object.
Note:
Choosing Local Object is only for training. During normal maintenance,
place objects in a Package and a transport.
o) Choose Activate from the Dictionary: Change Domain menu bar.
p) If the Inactive Objects for GRC300-## appear, choose all entries, then choose
Continue (Enter).
q) Verify that the Data Element has changed from New to Active.
r) Choose Back.
s) Repeat steps c - r for each Data Element in the table.
t) Choose Back to return to the ABAP Dictionary: Initial Screen.
3. Modify / Create structure CI_ROLE_ATTR included in database table GRACROLE to add
the custom fields to the Role table. Use the data in the following table:
Component          Component Type
ZZAC_DE_RMKT_##    ZAC_DE_RMKT_##
ZZAC_DE_RREQ_##    ZAC_DE_RREQ_##
Note:
In the short description, enter Custom fields INCLUDE for Role
Definition.
Note:
Remember to set the Enhancement Category. Review warnings that might
display. Warning messages regarding Position can be ignored.
a) On the ABAP Dictionary: Initial Screen, choose Database table.
b) In the Database table field, enter GRACROLE.
c) In the Information dialog box, choose Continue (Enter).
d) Choose Change.
e) On the Dictionary: Change Table screen, scroll down to the .INCLUDE line.
f) Double-click Data Element CI_ROLE_ATTR.
g) If a message appears asking whether to create the structure, choose Yes.
h) Enter Custom Fields INCLUDE for Role Definition in the Short Description, if
the field is not already populated.
i) Verify that you are in change mode. If not, choose Display ↔ Change.
j) Enter Component and Component Type for each entry in the table.
k) Choose Types for Typing Method.
l) On the Dictionary: Change Structure screen, choose Extras from the main menu bar.
m) Choose Enhancement Category.
n) On the Maintain Enhancement Category for CI_ROLE_ATTR screen, choose Cannot Be
Enhanced.
o) Choose Copy.
p) Choose Check from the Dictionary: Change Structure menu bar.
q) If the Check Structure dialog screen appears, choose Yes.
r) If the Create Object Directory Entry screen appears, choose Local Object.
Note:
Choosing Local Object is only for training. During normal maintenance,
place objects in a Package and a transport.
s) Choose Activate from the Dictionary: Change Structure menu bar.
t) Choose Back to return to the SAP Easy Access screen.
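The include structure built in step 3, written out as it would appear in the ADT source editor (DDIC DDL) rather than in SE11. This is an added illustration, not part of the course material: the placeholder 00 stands for the participant number ##, and the annotation values are the source-form equivalents of the SE11 choices above (the short description from the note, and Cannot Be Enhanced for the Enhancement Category).

```abap
// Customer include CI_ROLE_ATTR, as pulled into table GRACROLE via .INCLUDE.
// Added example, not SAP's delivered definition; 00 = participant number ##.
@EndUserText.label : 'Custom fields INCLUDE for Role Definition'
@EnhancementCategory : #NOT_EXTENSIBLE
define structure ci_role_attr {
  // Market of Role: typed by data element ZAC_DE_RMKT_00 (domain ZAC_CF_REG_00)
  zzac_de_rmkt_00 : zac_de_rmkt_00;
  // Role Request Date: typed by data element ZAC_DE_RREQ_00 (domain ZAC_CF_DATE_00)
  zzac_de_rreq_00 : zac_de_rreq_00;
}
```

The data elements themselves (with their field labels) are form-based objects and are still created as in step 2; only the structure has a source representation. Activating this source has the same effect on GRACROLE as activating the structure in SE11.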
4. Check the Customer Defined fields for issues.
a) On the SAP Easy Access - User Menu screen, in the command field, enter SA38.
b) Choose Enter.
c) Enter Program GRFN_CHECK_CDF.
d) Choose Execute.
e) On the Customer Defined Fields - Check Utility screen, in the Execution Mode area,
choose Run in a "Correction mode".
f) In the To be Corrected area, choose Subtypes for Reg., UI metadata, and Reporting
metadata.
g) Choose Execute.
Result: Verify that the message "Structures successfully generated" appears and your
ID is listed.
h) Choose Back until the SAP Easy Access - User Menu screen appears.
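GRFN_CHECK_CDF regenerates the customer-defined-field metadata, but it does not tell you whether the table carries the specific components you intended with the types you intended. The report below is an added example, not part of the course or of SAP's check utility: it reads the active DDIC definition of GRACROLE through the standard function module DDIF_FIELDINFO_GET and reports any expected custom field that is missing or typed by a different data element or domain. The report name zgrc300_cdf_check_00 and the value 00 (standing for the participant number ##) are assumptions.

```abap
REPORT zgrc300_cdf_check_00.
*---------------------------------------------------------------------*
* Added verification example, not part of the GRC300 course material
* or of SAP's GRFN_CHECK_CDF utility. Reads the active DDIC definition
* of GRACROLE and confirms that the components contributed by the
* CI_ROLE_ATTR include exist and carry the expected data element and
* domain. "00" stands in for the participant number ##.
*---------------------------------------------------------------------*

TYPES: BEGIN OF ty_expected,
         fieldname TYPE fieldname,
         rollname  TYPE rollname,   " data element
         domname   TYPE domname,    " domain behind the data element
       END OF ty_expected,
       ty_expected_tab TYPE STANDARD TABLE OF ty_expected WITH EMPTY KEY.

CLASS lcl_cdf_check DEFINITION.
  PUBLIC SECTION.
    " Returns one line per problem found; an empty table means all checks passed.
    CLASS-METHODS verify
      IMPORTING iv_tabname         TYPE ddobjname
                it_expected        TYPE ty_expected_tab
      RETURNING VALUE(rt_problems) TYPE string_table.
ENDCLASS.

CLASS lcl_cdf_check IMPLEMENTATION.
  METHOD verify.
    DATA lt_dfies TYPE STANDARD TABLE OF dfies.

    " DDIF_FIELDINFO_GET returns the flattened field list of the active
    " version, so fields of the .INCLUDE CI_ROLE_ATTR appear directly.
    CALL FUNCTION 'DDIF_FIELDINFO_GET'
      EXPORTING
        tabname        = iv_tabname
      TABLES
        dfies_tab      = lt_dfies
      EXCEPTIONS
        not_found      = 1
        internal_error = 2
        OTHERS         = 3.
    IF sy-subrc <> 0.
      APPEND |{ iv_tabname }: not found or not active (rc { sy-subrc })| TO rt_problems.
      RETURN.
    ENDIF.

    LOOP AT it_expected ASSIGNING FIELD-SYMBOL(<ls_exp>).
      READ TABLE lt_dfies ASSIGNING FIELD-SYMBOL(<ls_field>)
        WITH KEY fieldname = <ls_exp>-fieldname.
      IF sy-subrc <> 0.
        APPEND |{ <ls_exp>-fieldname }: missing from { iv_tabname } (include not active?)|
          TO rt_problems.
        CONTINUE.
      ENDIF.
      IF <ls_field>-rollname <> <ls_exp>-rollname.
        APPEND |{ <ls_exp>-fieldname }: data element { <ls_field>-rollname }, expected { <ls_exp>-rollname }|
          TO rt_problems.
      ENDIF.
      IF <ls_field>-domname <> <ls_exp>-domname.
        APPEND |{ <ls_exp>-fieldname }: domain { <ls_field>-domname }, expected { <ls_exp>-domname }|
          TO rt_problems.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Expected values taken from the tables in steps 2 and 3 (00 = ##).
  DATA(lt_problems) = lcl_cdf_check=>verify(
    iv_tabname  = 'GRACROLE'
    it_expected = VALUE #(
      ( fieldname = 'ZZAC_DE_RMKT_00' rollname = 'ZAC_DE_RMKT_00' domname = 'ZAC_CF_REG_00' )
      ( fieldname = 'ZZAC_DE_RREQ_00' rollname = 'ZAC_DE_RREQ_00' domname = 'ZAC_CF_DATE_00' ) ) ).

  IF lt_problems IS INITIAL.
    WRITE / 'GRACROLE carries all expected custom fields.'.
  ELSE.
    LOOP AT lt_problems INTO DATA(lv_problem).
      WRITE / lv_problem.
    ENDLOOP.
  ENDIF.
```

Run it with SA38 like the check utility in step 4. A "missing" line almost always means the include or the table was not activated after the change; a wrong data element or domain means the Component Type in step 3 was mistyped, which the Role Maintenance screen in step 5 would show only as an oddly behaving field.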
5. Verify that the fields created appear on the Role Maintenance screen.
a) On the SAP Easy Access - User Menu screen, choose SAP Fiori Launchpad.
b) Log on to SAP Fiori with user ID GRC300-## and password Welcome1.
c) On the SAP Fiori Launchpad home screen, in the BRM Administration tile group,
choose Role Maintenance.
d) On the Business Role Management - Role screen, choose Create.
e) Choose Single Role.
f) On the New Single Role screen, on the Define Role tab, choose Custom Fields.
g) Review the fields shown. Verify that your fields appear and that the correct data is
displayed.
h) Close all browsers and return to the SAP Easy Access - User Menu screen.
6. Verify that the fields created appear in BRF+ context.
Field                          Value
MSMP Process ID                SAP_GRAC_ACCESS_REQUEST
Rule Kind                      Initiator Rule
Rule ID                        TEST TO VERIFY CUSTOM FIELDS
Application/Func. Group Name   TEST TO VERIFY CUSTOM FIELDS
Rule Type                      BRFplus Flat Rule (LineItem by LineItem)
a) On the SAP Easy Access - User Menu screen, in the command field, enter transaction
GRFNMW_DEV_RULES.
b) Choose Enter.
c) On the Generate MSMP Rule for Process screen, enter the data from the table.
d) Choose Enter.
Note:
Do not choose Execute.
e) In the Generate decision table section, choose Item (BRF+ Flat Rule).
f) On the Dialog screen, verify that your custom fields appear.
g) Cancel out of all screens without saving any data and return to the SAP Easy Access - User Menu screen.
h) In the command field, enter BRF+.
i) Choose Enter.
j) On the Business Rule Framework plus screen, in the My Applications navigation panel,
choose Z##_INITIATOR_RULE → Data Object → Structure → GRAC_S_REQUEST_RULE_LINE - Structure.
k) In the Detail section, scroll down to locate your custom fields.
l) If your fields do not appear, in the Define Data Binding section, choose Refresh Binding.
m) Close the BRF+ browser screen.