
7/25/2019 012002523100012446622014 e

http://slidepdf.com/reader/full/012002523100012446622014-e 1/149

 

© 2016 SAP AG

Applies to:

 Access Control 10.1 SP13

Summary:

This guide contains additional information about the parameters used when configuring Access Control.

Created:  April 2016

Version 2.0

Maintaining Configuration Settings in Access Control


Document History

Document Version Description

1.00 Initial release

1.10 Modified parameter 1048, 1049, 1050

1.20 Modified parameter 2013

1.30 Added parameter 5031

1.40 Added parameters 1124, 5026, 5027, 5028, 5032

1.4.1 Added parameters 1014, 1047, 1125, 1073, 2008, 3027, 4016, 4017, 4019, 5022, 5023

1.5.0 Removed parameter 1000; added parameters 1015, 1054; updated parameter 1071; added parameters 1302, 2048, 2060, 2061, 2401, 3028, 4018, 5033


1.6.0 Modified parameter 1050; added parameters 1126, 1127, 2020, 4020

1.7.0 Modified parameters: 1027, 1038, 1048, 1062, 1063, 1064, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1302, 2009, 2011, 2023, 2038, 2040, 2047, 2048, 2050, 3005, 3019, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4007, 4008, 4009, 4010, 4012, 5026, 5027, 5028, 5033

1.8.0 Added parameters 1115, 3029, 3040; modified parameter 4020

1.9.0 SP11 November 2015: obsoleted parameter 1031; added parameter 1016; added additional information explaining parameter 2047 (no change in parameter itself)


1.9.1 December 2015: reinstated parameter 1031

1.9.2 January 2016: added additional information for parameter 1016

2.0 April 2016: added parameters 2402, 4021; changed default value from NO to <empty> for parameters 5027 and 5028


Typographic Conventions

Type Style Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon Description

Caution

Note or Important

Example

Recommendation or Tip


Table of Contents

1. Maintain Configuration Settings

1.1 Change Log

1.2 Mitigation

1.3 Risk Analysis

1.4 Risk Analysis - Spool

1.5 Workflow

1.6 Emergency Access Management

1.7 UAR Review

1.8 Performance

1.9 Risk Analysis - Access Request

1.10 Role Management

1.11 Risk Analysis – Risk Terminator

1.12 Access Request Role Selection

1.13 Access Request Default Roles

1.14 Access Request Role Mapping

1.15 SOD Review

1.16 LDAP

1.17 Assignment Expiry

1.18 Access Request Training Verification

1.19 Authorizations

1.20 Access Request Business Role

1.21 Management Dashboard Reports

1.22 Access Request Validations

1.23 Simplified Access Request

1.24 Access Control – General Settings

2. Index by Numerical Value

3. Copyright


Maintaining Configuration Settings in Access Control 10.1 

 April 2016


1.  Maintain Configuration Settings

 Access Control configuration settings allow you to customize the SAP Access Control application.

You access the settings, or parameters, in Customizing (transaction SPRO). The menu path from the SAP Easy Access screen is Tools > Customizing > IMG > Execute Project > SAP Reference IMG > Governance, Risks, and Compliance > Access Control > Maintain Configuration Settings.

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.

2. In the Parameter ID column, select a parameter ID.

3. Select a Parameter Value from the dropdown list, or, if appropriate, enter a value in the Parameter Value field.

4. Optionally, in the Priority field, enter a number for the priority of the parameter. This is a user-defined field.

5. Choose Save.


Parameter Groups

Configuration parameters are organized into Parameter Groups as shown in the table below. Each

group corresponds to an area of functionality within SAP Access Control.

Group Number Group Description

01 Change Log

02 Mitigation

03 Risk Analysis

04 Risk Analysis - Spool

05 Workflow

06 Emergency Access Management

07 UAR Review

08 Performance

09 Risk Analysis - Access Request

10 Role Management

11 Risk Analysis – Risk Terminator

12 Access Request Role Selection

13 Access Request Default Roles

14 Access Request Role Mapping

15 SOD Review

16 LDAP

17 Assignment Expiry

18 Access Request Training Verification

19 Authorizations

20 Access Request Business Role

21 Management Dashboard Reports

22 Access Request Validations

23 Simplified Access Request

24 Access Control – General Settings

1.1 Change Log

The Change Log parameters control how transaction history is logged and displayed in SAP Access Control.

Overview of Change Log Parameters

Parameter ID Description Default Value

1001 Enable Function Change Log YES

1002 Enable Risk Change Log YES


1003 Enable Organization Rule Log YES

1004 Enable Supplementary Rule Log YES

1005 Enable Critical Role Log YES

1006 Enable Critical Profile Log YES

1007 Enable Rule Set Change Log YES

1008 Enable Role Change Log YES

5001 SLG1 Logs for HR Trigger HIGH

Details of Change Log Parameters

Param ID  Description Default 

1001

Enable Function Change Log YES

Set to YES to display the Change History tab on the Function screen.


Param ID  Description Default 

1002

Enable Risk Change Log YES

Set to YES to display the Change History tab on the Access Risk screen.

Param ID  Description Default 

1003

Enable Organization Rule Log YES

Set to YES to display the Change History tab on the Organization Rules screen.


Param ID  Description Default 

1004

Enable Supplementary Rule Log Yes

Set to YES to display the Change History tab on the Supplementary Rules screen.

Param ID  Description Default 

1005

Enable Critical Role Log Yes

Set to YES to display the Change History tab on the Critical Role screen.


Param ID  Description Default 

1006

Enable Critical Profile Log Yes

Set to YES to display the Change History tab on the Critical Profile screen.

Param ID  Description Default 

1007

Enable Rule Set Change Log Yes

Set to YES to display the Change History tab on the Rule Sets screen.


Param ID  Description Default 

1008

Enable Role Change Log YES

Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

Param ID  Description Default 

5001

SLG1 Log Level for HR Triggers HIGH

The available values are High and Medium. When this parameter is set to High, all the HR Trigger logs are captured under SLG1 whether or not the info types from the HR System satisfy BRF rules. When this parameter is set as Medium, the system only captures those logs that occur after the BRF rules are satisfied.

The screen shot below shows the detail SLG1 logs that are captured when the parameter is set to High.


1.2 Mitigation

The Mitigation parameters control how risk mitigation works in SAP Access Control.

Overview of Mitigation Parameters

Parameter ID Description Default Value

1011 Default expiration time for mitigating control assignments (in days) 365

1012 Consider Rule ID also for mitigation assignment NO

1013 Consider System for mitigation assignment NO

1014 Enable separate authorization check for mitigation from access request NO

1015 Get data for Invalid Mitigation Report from Management Summary table NO

1016 Specify number of days to exclude from Invalid Mitigation Cleanup 0 (zero)

Details of Mitigation Parameters

Param ID  Description Default 

1011

Default expiration time for mitigating control assignments (in days) 365

The default number of days you are allowed to mitigate any object (selection on service map). You can overwrite this number in the Valid To field.


Param ID  Description Default 

1012

Consider Rule ID also for mitigation assignment NO

By default, the application includes all rules when it mitigates the access risk. Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.


Param ID  Description Default 

1013

Consider System for mitigation assignment NO

Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.


Param ID  Description Default 

1014

Enable separate authorization check for mitigation from access request NO

This parameter controls how authorization checks are done during the access request risk mitigation process.

Previously, when risk mitigation was done during request approval, the mitigation was saved directly to the user mitigation tables. If the request was later rejected or cancelled, the mitigation remained in the user mitigation table even though it was then invalid.

By using this parameter, you tell the application to save the mitigation in intermediate tables until the request is fully approved. At that point, the mitigation is transferred to the user mitigation table.

This parameter works in conjunction with an activity (88) that is added to authorization object GRAC_MITC.

Setting the value to YES enables activity 88 and mitigations are saved to an intermediate table until the request is fully approved.

Setting the value to NO saves the mitigations directly to the user mitigation tables and activity 88 is not checked.

For more information, see SAP Note 1996151
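The two settings of parameter 1014 can be compared with a small model. This is an added Python example, not SAP code: the class and field names are hypothetical, the request data is constructed, and two in-memory dictionaries stand in for the intermediate and user mitigation tables. Discarding staged rows on rejection and checking activity 88 against the approver are assumptions.

```python
from dataclasses import dataclass, field

NOT_APPROVED = {"rejected", "cancelled"}


@dataclass
class AccessRequest:
    request_id: str
    user: str
    stages_total: int
    stages_approved: int = 0
    status: str = "pending"


@dataclass
class MitigationStore:
    """Hypothetical in-memory stand-in for the tables named in the text."""
    separate_check: bool                                   # parameter 1014 == YES
    user_mitigations: dict = field(default_factory=dict)   # entry -> request_id
    intermediate: dict = field(default_factory=dict)       # request_id -> {entry}

    def mitigate(self, req, risk_id, control_id, activities):
        """An approver assigns a mitigating control while handling a request."""
        entry = (req.user, risk_id, control_id)
        if self.separate_check:
            # 1014 = YES: activity 88 on GRAC_MITC is checked (modelled as a
            # set of activities held by the approver, which is an assumption).
            if "88" not in activities:
                raise PermissionError("GRAC_MITC activity 88 missing")
            self.intermediate.setdefault(req.request_id, set()).add(entry)
        else:
            # 1014 = NO: saved directly, activity 88 is not checked.
            self.user_mitigations[entry] = req.request_id

    def approve_stage(self, req):
        req.stages_approved += 1
        if req.stages_approved >= req.stages_total:
            req.status = "approved"
            # Full approval: staged mitigations move to the live table.
            for entry in self.intermediate.pop(req.request_id, set()):
                self.user_mitigations[entry] = req.request_id

    def close(self, req, status):
        """Reject or cancel. Discarding staged rows is an assumption; the
        text only says they are transferred at full approval."""
        req.status = status
        self.intermediate.pop(req.request_id, None)


def orphaned(store, requests):
    """Live mitigations that came from a request that was never approved."""
    return sorted(entry for entry, rid in store.user_mitigations.items()
                  if requests[rid].status in NOT_APPROVED)


def run_scenario(separate_check, outcome):
    """Two-stage request, mitigated at stage 2, then approved or rejected."""
    store = MitigationStore(separate_check)
    req = AccessRequest("REQ-1", "JDOE", stages_total=2)    # constructed data
    store.approve_stage(req)
    store.mitigate(req, "P001", "MC_0001", activities={"88"})
    if outcome == "approved":
        store.approve_stage(req)
    else:
        store.close(req, outcome)
    live = sorted(store.user_mitigations)
    return live, orphaned(store, {req.request_id: req})


if __name__ == "__main__":
    for setting in (False, True):
        for outcome in ("rejected", "approved"):
            live, orphans = run_scenario(setting, outcome)
            print(f"1014={'YES' if setting else 'NO':3} {outcome:9} "
                  f"live={live} orphaned={orphans}")
```

With the value NO, the rejected request leaves a live mitigation behind, which is the invalid entry the text describes; with YES nothing reaches the live table until the final approval.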


Param ID  Description Default 

1015

Get data for Invalid Mitigation Report from Management Summary table NO

SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with the option to use Offline Data. The report gets the offline data from the detailed violations table from the last batch risk analysis. The data is very granular (low level) and may take time and more system resources to get.

This parameter allows you to get the Offline Data from the Management Summary table. As the data is already at a summary level, it takes less time and fewer resources to produce the report.

Set value to No to get the data from the detailed violations table.

Set value to Yes to get the data from the Management Summary table.

Param ID  Description Default 

1016

Specify number of days to exclude from Invalid Mitigation Cleanup 0

As an AC Administrator, you can use Invalid Mitigation Cleanup to remove mitigation assignments that are no longer valid because the risks no longer exist. For example, the role assignments have been removed or the roles have changed.

Additionally, there may be a scenario where you assign mitigation controls in Role Simulation or User Simulation, which results in invalid mitigation assignments because the roles or the updates do not yet exist in the back-end. The mitigation assignments will show as invalid until the user assignments and role changes have propagated to the back-end system.

If you use Invalid Mitigation Cleanup, it will remove all invalid mitigation assignments, including those in Simulation. To keep your work from being deleted, you can use this parameter to exclude the assignments that have been maintained within the selected number of days from the cleanup. For example, enter 10 to exclude invalid mitigation assignments maintained in the last 10 days.

The calculated date is based on the date of last maintenance of the mitigating control assignments to users and roles. Whether the maintenance is done via a request, manually, or uploaded, the calculation is the same.

Note: If you use the upload feature, all items uploaded would have a last maintained date of the upload date even if there is no change.
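The exclusion window of parameter 1016, and the side effect of the upload note, can be previewed before a cleanup run. This is an added Python sketch, not SAP code: the record layout and function names are hypothetical, the sample rows are constructed, and treating "maintained in the last N days" as a last-maintained date on or after today minus N days is an assumption about the boundary.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Assignment:
    obj: str                # user or role the mitigating control is assigned to
    control_id: str
    valid: bool             # False: the mitigated risk no longer exists
    last_maintained: date   # set by request, manual maintenance or upload


def cleanup_plan(assignments, today, exclude_days=0):
    """Return (removed, kept) for the invalid assignments only."""
    if exclude_days < 0:
        raise ValueError("exclude_days must be zero or positive")
    cutoff = today - timedelta(days=exclude_days)
    removed, kept = [], []
    for a in assignments:
        if a.valid:
            continue                      # cleanup only looks at invalid rows
        if exclude_days > 0 and a.last_maintained >= cutoff:
            kept.append(a)                # inside the exclusion window
        else:
            removed.append(a)             # default 0 removes every invalid row
    return removed, kept


def upload(assignments, upload_date):
    """An upload re-dates every uploaded row, changed or not."""
    return [replace(a, last_maintained=upload_date) for a in assignments]


def shielded_by_upload(assignments, upload_date, today, exclude_days):
    """Invalid rows that survive cleanup only because an upload re-dated them."""
    _, kept_before = cleanup_plan(assignments, today, exclude_days)
    _, kept_after = cleanup_plan(upload(assignments, upload_date),
                                 today, exclude_days)
    before = {(a.obj, a.control_id) for a in kept_before}
    return sorted((a.obj, a.control_id) for a in kept_after
                  if (a.obj, a.control_id) not in before)


# Constructed sample data.
TODAY = date(2016, 4, 20)
SAMPLE = [
    Assignment("JDOE", "MC_0001", True, date(2015, 6, 1)),
    Assignment("Z_SIM_ROLE", "MC_0002", False, date(2016, 4, 15)),  # simulation work
    Assignment("BKHAN", "MC_0004", False, date(2016, 4, 10)),       # on the boundary
    Assignment("ASMITH", "MC_0003", False, date(2015, 11, 2)),      # stale
]

if __name__ == "__main__":
    for days in (0, 10):
        removed, kept = cleanup_plan(SAMPLE, TODAY, days)
        print(days, [a.obj for a in removed], [a.obj for a in kept])
    print(shielded_by_upload(SAMPLE, date(2016, 4, 18), TODAY, 10))
```

The last call shows why an upload shortly before a cleanup matters: the stale invalid assignment is re-dated into the window and is no longer removed.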


1.3 Risk Analysis

The Risk Analysis parameters control how risk analysis works in SAP Access Control.

Overview of Risk Analysis Parameters

Parameter ID Description Default Value

1021 Consider Org Rules for other applications NO

1022 Allow object IDs for this connector to be case sensitive <empty>

1023 Default report type for risk analysis 2

1024 Default risk level for risk analysis 3

1025 Default rule set for risk analysis <empty>

1026 Default user type for risk analysis A

1027 Enable Offline Risk Analysis NO

1028 Include Expired Users NO

1029 Include Locked Users NO

1030 Include Mitigated Risks NO

1031 Ignore Critical Roles and Profiles YES

1032 Include Reference user when doing user analysis YES

1033 Include Role/Profile Mitigating Controls in Risk Analysis YES

1034 Max number of objects in a package for parallel processing 100

1035 Send e-mail notification to the monitor of the updated mitigated object YES

1036 Show all objects in Risk Analysis NO

1037 Use SoD Supplementary Table for Analysis YES

1038 Consider FF Assignments in Risk Analysis NO

1046 Extended objects enabled connector <empty>

1048 Business View for Risk Analysis is Enabled NO (Technical View)

1050 Default Report View for Risk Analysis Remediation View


Details of Risk Analysis Parameters

Param ID  Description Default 

1021

Consider Org Rules for other applications NO

Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.


Param ID  Description Default 

1022

 Allow object IDs for this connector to be case sensitive <empty>

On the Risk Analysis screen, you specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive.

In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.

Note: To enter more than one system or connector, enter additional instances of the parameter.


Param ID  Description Default 

1023

Default report type for risk analysis 2

The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, and Permission Level.

This parameter allows you to choose one or more report types that are selected by default. It works as follows:

- If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2, Permission Level.

- If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values.

Note: In the IMG value cell, press F4 to display the available types, such as Permission Level, and so on. The screenshot below shows the report being run with a default value of 2, Permission Level.

Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.


Param ID  Description Default 

1024

Default risk level for risk analysis 2

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the Risk Level that is selected by default.

Param ID  Description Default

1025

Default rule set for risk analysis <empty>

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the Rule Set that is selected by default.

Param ID  Description Default

1026

Default user type for risk analysis <empty>

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the User Type that is selected by default.


Param ID  Description Default 

1027

Enable Offline Risk Analysis NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the Risk Analysis screen, the Offline Data checkbox is empty by default.

Note: If Parameter 2023 is set to YES, then this parameter must also be set to Yes.


Param ID  Description Default 

1028

Include Expired Users NO

Set to YES to include expired users from plug-in systems for risk analysis.

Param ID  Description Default 

1029

Include Locked Users NO

Set to YES to include locked users from plug-in systems for risk analysis.

Param ID  Description Default 

1030

Include Mitigated Risks NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to it. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected.

Param ID  Description Default

1031

Ignore Critical Roles and Profiles YES

Set the value to YES to exclude critical roles and profiles for risk analysis.

Param ID  Description Default

1032

Include Reference user when doing user analysis YES

Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

Param ID  Description Default

1033

Include Role/Profile Mitigating Controls in Risk Analysis YES

Set the value to YES to include the mitigating controls assigned to the user’s roles and profiles for risk analysis.


Param ID  Description Default 

1034

Maximum number of objects in a package for parallel processing 100

The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job.

For example, if there are 10,000 users to analyze and this value is 100, then there will be 100 packages created each having 100 users. Each package is submitted to a separate background process, which is available to the application via the application group.

If, instead, three background processes are available to GRAC_SOD, the 100 packages are submitted to these processes one by one: three packages initially, and then one more to each process as it completes its package.

Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, then the application ignores the parameter in this setting and uses the value 2 instead.


Param ID  Description Default 

1035

Send e-mail notification to the monitor of the updated mitigated object YES

Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object is updated, such as the user/role.


Param ID  Description Default 

1036

Show all objects in Risk Analysis NO

Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default.

The objects that do not have violations are displayed with the Action: No Violations.

Note: This setting applies to SoD Batch Risk Analysis.


Param ID  Description Default 

1037

Use SoD Supplementary Table for Analysis YES

Set value to YES to use supplementary rules for SoD risk analysis.

Param ID  Description Default 

1038

Consider FF Assignments in Risk Analysis NO

Set value to YES to use supplementary rules for SoD risk analysis. You can use this parameter to select whether or not to include Firefighter (FF) assignments in risk analysis.

- Select YES to include FF assignments for risk analysis. On the Access Management > Access Risk Analysis screens, the application displays the Include FFIDS checkbox.

- Select NO to exclude FF assignments for risk analysis. On the Access Management > Access Risk Analysis screens, the application does not display the Include FFIDS checkbox.


Note: For Access Requests, the application does not allow users to choose whether or not to include FFIDs for risk analysis. As shown in the graphic below, the Include FFIDs checkbox is not part of the Risk Violation tab on the Access Request screen. If you set the parameter value as YES, the application includes FFIDs in the risk analysis, but it will not display the checkbox on the screen.


Param ID  Description Default 

1046

Extended objects enabled connector <empty>

Extended objects are objects from non-SAP systems. This parameter allows you to specify the connectors for non-SAP systems.

The connectors can have object lengths greater than SAP objects. For example, SAP User ID length is 12, but the extended object length may be 50.

Note: You can set multiple connectors by adding multiple instances of the parameter.

Param ID  Description Default 

1048

Business View for Risk Analysis is Enabled NO (Technical View)

The available values are Yes and No. 

If the parameter is set to Yes, the system displays the Business View format on the Risk Violations tab during creation or approval of a request as shown in the screen shot.


Param ID  Description Default 

1050

Default Report View for Risk Analysis Remediation View

There are three types of views for Risk Analysis reports (technical, business and remediation). Use this parameter to change the global default to something other than the Technical View. This parameter affects the dashboard drill-down for Risk Analysis.

You can change the default view on a case-by-case basis for the ad hoc reports through the User Interface (as shown below).


1.4 Risk Analysis - Spool

The Risk Analysis - Spool parameters control how Risk Analysis reports are run.

Overview of Risk Analysis – Spool Parameters

Parameter ID  Description  Default Value

1051 Max number of objects in a file or database record 200000

1052 Spool File Location <empty>

1053 Spool Type D

1054 Max number of violations supported in Organization Rule Analysis 500000

Details of Risk Analysis – Spool Parameters

Param ID  Description Default 

1051

Max number of objects in a file or database record 200000

You can use this parameter to specify the maximum number of analytics data objects the application stores.

If parameter 1053 is set to F, the value is the maximum number of objects stored in the file.

If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table.

Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table.

Prerequisite: You have configured parameters 1052 and 1053.

Param ID  Description Default 

1052

Spool File Location <empty>

You can specify the file location where the application stores the analytics data, such as \\<ip_address>\public\SoD\.

Note: This parameter is only valid if parameter 1053 is set to F.

Prerequisite: You have configured parameter 1053.


Param ID  Description Default 

1053

Spool Type D

You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control, such as ad hoc SoD violations.

Set the value to F to store the data on the file system. (Set the file location in parameter 1052).

Set the value to D to store the data in the GRACSODREPDATA table.

Note:

  You see the intermediate results while risk analysis is running. This gives you an opportunity to see if the desired records are created and choose to stop or cancel the job.

  If you change the location type (such as from D to F) in mid-course, the report will still read the previously generated files or database records. Index tables keep track of the source of the records when the data was generated.

  If you cancel the job before the report is finished, you can still read the data up to the point the files or database records were created.

Param ID  Description Default 

1054

Max number of violations supported in Organization Rule Analysis 500000

SAP Access Control allows you to consider Organizational Rules when performing access risk analysis. Depending on the total number of org rules, the analysis can generate a very large number of violations, which may cause the system to run out of memory and result in a dump.

With SP07, a feature has been added to enable the application to exit the analysis before the system runs out of memory. You use this parameter to set the threshold limit. The default is 500,000.

  For example, you can perform User Level risk analysis and choose the option to Consider Org Rule. If the 500,000 violations threshold is reached, the application stops the analysis for that particular user and displays the message “Too many violations”.


1.5 Workflow

The Workflow parameters control variables across all the processes in SAP Access Control. Examples include specifying whether to send notifications when mitigating controls or risks change.

Overview of Workflow Parameters

Parameter ID  Description  Default Value

1061 Mitigating Control Maintenance NO

1062 Mitigation Assignment NO

1063 Risk Maintenance NO

1064 Function Maintenance NO

1101 Create Request for Risk Approval 12

1102 Update Request for Risk Approval 13

1103 Delete Request for Risk Approval 14

1104 Create Request for Function Approval 15

1105 Update Request for Function Approval 16

1106 Delete Request for Function Approval 17

1107 Create Request for Mitigation Assignment Approval 18

1108 Update Request for Mitigation Assignment Approval 19

1109 Delete Request for Mitigation Assignment Approval 20

1110 High 2

1111 High 3

1112 High 4

1113 Access Control E-mail Sender WF-BATCH

1115 Enable Escalation for Requests on Hold NO

2051 Enable User ID Validation in Access Request against Search Data Sources YES

3022 Request Type for Role Approval 21

3023 Priority for Role Approval 5


Details of Workflow Parameters

Param ID  Description Default 

1061

Mitigating Control Maintenance NO

The application allows users to create and change mitigating controls. Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action.

Note: On the Mitigating Control screen, the Create button is replaced by a Submit button.

You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver.

Figure B below shows you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).


Figure A


Figure B


Param ID  Description Default 

1062

Mitigation Assignment NO

The application allows users to mitigate risks for objects (user, role, profile, and so on).

  Set the value to YES to require the application to send an approval workflow item to the mitigating control approver. The screen displays a Submit button. If this parameter is set to Yes, you must also configure parameters 1107, 1108, 1109, and 1112.

Note: You can configure the role that receives the workflow item for approving the mitigating control changes. Use the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

  Set the value to NO and the users can mitigate risks without approval. The screen displays a Save button.


Param ID  Description Default 

1063

Risk Maintenance NO

The application allows users to create and modify risks.

  Set the value to YES to require the application to send an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button. If this parameter is set to Yes, you must also configure parameters 1101, 1102, 1103, and 1110.

Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

  Set the value to NO and then users can create and modify risks without approval. The screen displays a Save button.


Param ID  Description Default 

1064

Function Maintenance NO

The application allows users to create and change functions.

Set the value to YES to require the application to send an approval workflow item to the specified workflow agent for approval when functions are created or modified. If this parameter is set to Yes, you must also configure parameters 1104, 1105, 1106, and 1111.

Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.


Param ID  Description Default 

1101

Create Request for Risk Approval 12

Use F4 help and choose the request type the workflow uses to create requests for risk approval. This request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

This parameter is only valid if parameter 1063 is set to Yes.


Param ID  Description Default 

1102

Update Request for Risk Approval 13

Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes.

Param ID  Description Default 

1103

Delete Request for Risk Approval 14

Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes.

Param ID  Description Default 

1104

Create Request for Function Approval 15

Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Param ID  Description Default 

1105

Update Request for Function Approval 16

Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Param ID  Description Default 

1106

Delete Request for Function Approval 17

Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.


Param ID  Description Default 

1107

Create Request for Mitigation Assignment Approval 18

Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Param ID  Description Default 

1108

Update Request for Mitigation Assignment Approval 19

Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Param ID  Description Default 

1109

Delete Request for Mitigation Assignment Approval 20

Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Param ID  Description Default 

1110

High 2

You use this parameter to set the default workflow request priority for Updating and Creating Risks. Use F4 help to display the list of available priorities.

You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_RISK_APPR to risk approval priorities.

Note: This parameter is only valid if parameter 1063 is set to Yes.

Param ID  Description Default 

1111

High 3

You use this parameter to set the default workflow request priority for Creating and Updating Functions. Use F4 help to display the list of available priorities.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_FUNC_APPR to function approval priorities.

Note: This parameter is only valid if parameter 1064 is set to Yes. 


Param ID  Description Default 

1112

High 4

You use this parameter to set the default workflow request priority for Mitigation Control Assignments. Use F4 help to display the list of available priorities.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities.

Note: This parameter is only valid if parameter 1062 is set to Yes. 

Param ID  Description Default 

1113

 Access Control E-mail Sender WF-BATCH

The application uses the e-mail of this user as defined in SU01 to send the workflow e-mails to the approvers.

See the Access Control 10.1 Security Guide for information about required authorizations for the WF-BATCH user.

Param ID  Description Default

1115

Enable Escalation for Requests on Hold NO

Parameter 1115 interacts with Access Control MSMP (Workflow) Configuration to determine whether to escalate an access request that is on hold.

The possible values of parameter 1115 are:

  YES – the system escalates a request on hold if Escalation Type is set to Escalate to Specified Agent in MSMP.

  NO – the system does not escalate a request on hold even if Escalation Type is set to Escalate to Specified Agent in MSMP.

The screenshot below shows the Escalation Type field in MSMP Configuration. You can find this screen in Customizing under Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain MSMP Workflows.


Placing an Access Request on Hold

An access request approver can place a request on hold during the request review process as illustrated in the screenshot below.

Examples of the Interaction Between Access Control Configuration Parameter 1115 and the MSMP Escalation Type Setting

The table below shows what happens when you place an access request on hold given the sample settings.

1115 Setting | MSMP Escalation Type Setting | Result

YES | Escalate to Specified Agent | The request is escalated according to your configuration.

NO | Escalate to Specified Agent | The request is not escalated. MSMP is overridden.

YES | Skip to Next Stage | The request is escalated according to your configuration.

NO | Skip to Next Stage | The request is not escalated. MSMP is overridden.

YES | No Escalation | The request is not escalated.

NO | No Escalation | The request is not escalated.

More Information

See SAP Note 2136059 - UAM: On hold requests are getting escalated


Param ID  Description Default 

2051

Enable User ID Validation in Access Request against Search Data Sources YES

If set to YES, the application validates that the User ID exists on the specified source system. If the user does not exist, the application does not allow the request to continue.

The validation is performed when you select Submit or Enter.

Param ID  Description Default 

3022

Request Type for Role Approval 21

Use F4 help and choose the request type the workflow uses for role approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101)

Param ID  Description Default 

3023

Priority for Role Approval 5

Priority of the request for Role Approval

You use this parameter to set the default workflow request priority for Role Approvals. Use F4 help to display the list of available priorities.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_ROLE_APPR to role approval priorities.


1.6 Emergency Access Management

The Emergency Access Management (EAM) parameters control many aspects of how EAM functions.

Overview of EAM Parameters

Parameter ID  Description  Default Value

4000 Application Type 1

4001 Default Firefighter Validity Period (in days) <empty>

4002 OBSOLETE - Send e-mail immediately YES

4003 Retrieve Change Log YES

4004 Retrieve System Log YES

4005 Retrieve Audit Log YES

4006 Retrieve O/S Command Log YES

4007 Send Log Report Execution Notification Immediately YES

4008 Send Firefight ID Logon Notification YES

4009 Log Report Execution Notification YES

4010 Firefighter ID Role Name ZSAP_GRAC_SMP_FFID

4012 Default users for forwarding the Audit Log workflow 2

4013 Firefighter ID owner can submit request for Firefighter ID owned YES

4014 Firefighter ID controller can submit request for Firefighter ID YES

4015 Enable decentralized Firefighting NO

4017 Enable CUP request number to show in Firefighter ID/Role Assignment Screen YES

4018 Enable detailed application logging (SLG1) for Firefighter log synchronization programs NO

4020 Generate EAM log Firefighter sessions with no activity NO

4021 Use ALV Grid for Firefighter filter transaction NO

5033 Allow creation of Firefighters with no Controller YES


Details of Emergency Access Management Parameters

Param ID  Description Default 

4000

 Application Type 1

You use this parameter to set the firefighting configuration:

  Choose 1 for ID-based firefighting.

  Choose 2 for Role-based firefighting.

Note: Configuration of parameter 4000 in any relevant target system is also required.


Param ID  Description Default 

4001

Default Firefighter Validity Period (Days) <empty>

Set the default validity period (in days) of Firefighter ID assignments to a Firefighter.

Notes:

  This is only the default period. You can override the validity period for each assignment as needed in the front-end.

  Configuration of parameter 4001 in any relevant target system is also required.

Param ID  Description Default 

4002

Send E-mail Immediately

THIS PARAMETER IS OBSOLETE. IT IS NO LONGER USED IN SAP ACCESS CONTROL.


Param ID  Description Default 

4003

Retrieve Change Log YES

The possible values are YES and NO.

If set to YES, the application fetches the Change Log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Note

Plug-in systems must have the O/S time and R/3 time zone matched for the logs to be properly collected. This is because STAD stores the logs in O/S files.


Param ID  Description Default 

4004

Retrieve System Log YES

The possible values are YES and NO.

If set to YES then the application fetches the System Log (debug changes) when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Param ID  Description Default 

4005

Retrieve Audit Log YES

The possible values are YES and NO. 

If set to YES then the application fetches the audit (security) log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Note

You can activate Audit Logs using the transaction SM19. 

Param ID  Description Default 

4006

Retrieve O/S Command Log YES

The possible values are YES and NO. 

If set to YES then the application fetches the O/S Command Log when a user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S Command Log tracks information when O/S commands (SM49) are created, changed, or executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.


Param ID  Description Default 

4007

Send Log Report Execution Notification Immediately  YES

The application can send log reports to controllers. The application sends the notifications as e-mails or workflow items based on the configuration of the controllers. (See figure below.)

  Set the value to YES and the application sends email notifications or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

  Set the value to NO and the application only collects the logs when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The application sends the e-mail notifications or executes the workflow when the GRAC_SPM_WORKFLOW_SYNC program is executed.

Notes

  This parameter is only valid if parameter 4009 is set to YES.

  A separate email or workflow is created for each EAM session performed.


Param ID  Description Default 

4008

Send Firefighter ID Logon Notification YES

The possible values are YES and NO.

  Set to YES and the application sends an email notification to the controller whenever a firefighter executes a firefighting session.

  Set to NO if you do not want the application to send an email notification to the controller whenever a firefighter executes a firefighting session.

Param ID  Description Default 

4009

Log Report Execution Notification YES

The possible values are YES and NO. 

If set to YES then the application sends email notifications to the controller or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Recommendation

Consider parameter 4007 if this parameter is set to YES.

Param ID  Description Default 

4010

Firefighter ID Role Name ZSAP_GRAC_SMP_FFID

Enter the name of the role assigned to the firefighter ID in the target systems. This informs the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC system and reads this configuration to check if the user has this role assigned to them.

Notes

  Configuration of parameter 4010 in any relevant target systems is also required.

  If IMG Activity Maintain Firefighter ID Role Name Per Connector is utilized, parameter 4010 is not considered and therefore does not need to be configured.

See SAP Note 2106895 for more information.


Param ID  Description Default 

4012

Default users for forwarding the Audit Log workflow 2

Configuration parameter 4012 is used to restrict the users to whom the EAM log workflow can be forwarded.

  If it is set to 1, the workflow can be forwarded to any user in the GRC system.

  If it is set to 2, the workflow can only be forwarded to users who are designated as controllers in the Access Control Owners table.

Param ID  Description Default 

4013

Firefighter ID owner can submit request for Firefighter ID owned YES

The available values are Yes and No. 

Based on the parameter value, the firefighter ID owner can submit a request for himself (Yes) or not (No).

Param ID  Description Default 

4014

Firefighter ID controller can submit request for Firefighter ID controller YES

The available values are Yes and No.

Based on the parameter value, the firefighter ID controller can submit a request for himself (Yes) or not (No).

Param ID  Description Default 

4015

Enable decentralized firefighting NO

The possible values are YES and NO. 

Based on the parameter value, you can enable the EAM launchpad on non-GRC systems (Yes) or not (No).


Param ID  Description Default 

4017

Enable CUP request number to show in Firefighter ID/Role Assignment Screen YES

The Firefighter ID is requested to be assigned to the Firefighter User during the Access Request process (formerly CUP).

Setting the parameter to YES ensures that this request number is visible in the Firefighter ID and Firefighter maintenance screens in the Comment column. This provides a way to track the progress of the request.

Setting the parameter to NO will result in the request number not being visible in the Firefighter ID and Firefighter maintenance screens in the Comment column.

For more information, see SAP Note 1840064.

Param ID  Description Default 

4018

Enable detailed application logging (SLG1) for Firefighter log synchronization programs NO

SAP Access Control keeps logs of firefighting activities on the plug-in systems. The logs are synchronized back to the central system and the data goes into firefighting reports.

Errors may occur that disrupt the synchronization of the logs from the plug-in systems to the central system.

Set the parameter to Yes to enable detailed logging in SLG1. You can use the additional information to determine the cause of the disruption.


Param ID  Description Default 

4020

Generate EAM log for Firefighter sessions with no activity NO

This parameter controls whether to send the EAM log review workflow even if the Firefighter has not performed any activity.

Set the parameter to Yes to generate the EAM log review even if there is no activity.

For more information, see SAP Note 2017105.

Note: Parameter 4009 must be set to Yes for this parameter to be considered.

For example, the screen below shows the message indicating no activity by the Firefighter.


Param ID  Description Default 

4021

Use ALV Grid for Firefighter Filter Transaction NO

ONLY FOR CENTRALIZED EAM Launchpad (transactions GRAC_SPM or GRA_EAM)

Input the new transaction GRAC_EAM_FILTER to display the below landing page and filter by Connector or Firefighter ID. This transaction is available whether the parameter is YES or NO.

This parameter allows you to use the ABAP List Viewer (ALV) grid for the Firefighter table.

NO – This is the default and you will see the traditional EAM launchpad.

YES - Shows the ALV grid with the EAM launchpad. Here you can filter the data.

Refer to SAP Note 2256927 for more information.


Param ID  Description Default 

5033

 Allow creation of firefighters with no controller YES

In SAP Access Control, the controller is the user who reviews and approves log files from firefighting activities.

Set the parameter to YES to create firefighters without requiring a controller.

Set the parameter to NO to prevent the creation of firefighters without a controller.


1.7 UAR Review

The User Access Review (UAR) parameters allow you to make decisions about how to process User Access Reviews.

Overview of UAR Parameters

Parameter ID  Description  Default Value

2004 Request Type for UAR <empty>

2005 Default Priority UAR_PRIORITY

2006 Who are the reviewers? MANAGER

2007 Admin. Review required before sending tasks to reviewers YES

2008 Number of line items per UAR request 100

Details of UAR Parameters

Param ID  Description Default 

2004

Request Type for UAR <empty>

All request types that are defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F4.

This is important for tagging the workflow in MSMP for UAR Review.


Param ID  Description Default 

2005

Default Priority UAR_PRIORITY

You use this parameter to set the default priority for user access request reviews. Use F4 help to display the list of available priorities for UAR Requests.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In this example, priority IDs 10, 22, 24, and 36 are relevant for UAR Review.

Param ID  Description Default 

2006

Who are the reviewers? MANAGER

Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE.


Param ID  Description Default 

2007

Admin. review required before sending tasks to reviewers YES

Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. You specify reviewers in parameter 2006.

Param ID  Description Default 

2008

How many line items per UAR request 100

This parameter allows you to specify the maximum number of items per UAR request when creating a UAR request.

For more information, see SAP Note 1938273.


1.8 Performance

The Performance parameters allow you to make decisions about variables that affect the performance of SAP Access Control.

Overview of Performance Parameters

Parameter ID  Description  Default Value

1120 Batch size for Batch Risk Analysis 1000

1121 Batch size for User Sync 1000

1122 Default batch size for Role Synchronization 1000

1123 Default batch size for Profile Synchronization 1000

1124 Default batch size for Authorization Synchronization 1000

1125 Pre-aggregate Access Risk Information NO

1126 Number of background jobs created for one Ad-Hoc Risk Analysis job 1

1127 Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis 1000

Details of Performance Parameters

Param ID  Description Default 

1120

Batch size for Batch Risk Analysis 1000

The application uses this value to determine the size of the batch when performing batch risk analysis. (See also parameter 1121 for an example.)

Param ID  Description Default 

1121

Batch size for User sync 1000

The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository.

For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000), and then processes the job in 10 batches of the range 0 to 1000, 1001 to 2000, and so on. Each batch is processed in its entirety before continuing with the next.

To synchronize users to the GRC AC Repository, you use the Customizing activity Repository Object Synch under Governance, Risks, and Compliance > Access Control > Synchronization Jobs.

Param ID  Description Default 

1122

Default batch size for role synchronization 1000

The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.


Param ID  Description Default 

1123

Default batch size for profile synchronization 1000

The application uses this value to determine the size of the batch when synchronizing profiles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

Param ID  Description Default 

1124

Default batch size for authorization synchronization 1000

The application uses this value to determine the size of the batch when synchronizing authorization master data from the backend ERP systems to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

Param ID  Description Default 

1125

Pre-aggregate Access Risk Information NO

Setting the parameter to YES renders the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver more quickly.

Setting the parameter to NO can adversely affect the rendering of the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver.

When performing risk analysis, the risk count shows the number of risks per access request. This parameter stores the risk count more efficiently. For more information, see SAP Note 1976368.


Param ID  Description Default 

1126

Number of background jobs created for one Ad-Hoc Risk Analysis job 1

This parameter works with parameter 1127 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000 minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing.

Param ID  Description Default 

1127

Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis 1000

This parameter works with parameter 1126 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000 minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing.


Param ID  Description Default 

2050

Enable Real-time LDAP Search for Access Request User NO

If set to YES, the application searches for the access request user on the specified LDAP source in real time.

Prerequisite

You have specified the first user search data source as LDAP, or else the application ignores this parameter.

Note

Since the search is performed in real time, it can negatively affect performance.

Param ID  Description Default 

2060

Organization Rules - Maximum allowed to be generated in foreground 50000

In SAP Access Control, you can use the Organizational Rule Creation Wizard to generate organizational rules. You can choose to generate the rules in the foreground or the background.

Generating the rules in the foreground may use up system resources for other activities or affect performance. You can use this parameter to set a threshold for the maximum organizational rules that can be generated in the foreground, thereby keeping it from negatively affecting the system resources.

For example, you set the threshold value at 20,000. If the threshold is reached when someone is generating organizational rules in the foreground, the application halts the task and displays options to either run the job in the background or cancel it.


Param ID  Description Default 

2061

Duration for displaying confirmation message (in milliseconds) 1000

This parameter applies to the SAP Fiori for SAP GRC transactional application, Compliance Approver.

You use this parameter to set how long the confirmation message appears on the screen. The default is 1000 milliseconds.

Below is an example of the confirmation message


1.9 Risk Analysis - Access Request

The Risk Analysis - Access Request parameters allow you to make decisions about how Risk Analysis behaves when access requests are created.

Overview of Risk Analysis - Access Request Parameters

Parameter ID  Description  Default Value

1071 Enable Risk Analysis on form submission NO

1072 Mitigation of critical risk required before approving the request NO

1073 Enable SoD violations detour on risks from existing roles NO


Details of Risk Analysis - Access Request Parameters

Param ID  Description Default 

1071

Enable risk analysis on form submission NO

You can use this parameter to set the application automatically to perform risk analysis on the access request the user submitted. The risk analysis results are added to the access request for the approver to review. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens.

Set to No to disable automatic risk analysis.

Set to Yes to enable automatic risk analysis. This triggers a risk analysis. The user must wait for the risk analysis to finish before proceeding.

Set to Asynch to enable automatic risk analysis and allow the user to proceed to the next screen without waiting. The risk analysis is performed in the background and the results are attached to the request.

Note: This does not change the workflow for the request. The request will only proceed to the approver after the risk analysis is completed in the background.

Param ID  Description Default 

1072

Mitigation of critical risk required before approving the request NO

Set the value to YES to require mitigation of Risks of the type Critical Access. 


Param ID  Description Default 

1073

Enable SoD violations detour on risks from existing roles NO

The possible values for this parameter are YES and NO.

If an SoD risk exists in an access request, the application considers it a special condition and sends it to a detour path in the workflow.

However, SoD risks may arise from the new roles the user is requesting and they may arise from the existing roles that are already assigned to the user.

Set the value to YES to consider risks from new and existing roles for the detour.

Set the value to NO to consider risks only from new roles (and not existing roles) for the detour.


1.10  Role Management

The Role Management parameters allow you to make decisions about parameters that affect role creation and processing.

Overview of Role Management Parameters

Parameter ID  Description  Default Value

3000 Default Business Process <empty>

3001 Default Subprocess <empty>

3002 Default Criticality Level <empty>

3003 Default Project Release <empty>

3004 Default Role Status <empty>

3005 Reset Role Methodology when Changing Role Attributes YES

3006 Allow add functions to an authorization YES

3007 Allow editing organizational level values for derived roles NO

3008 A ticket number is required after authorization data changes YES

3009 Allow Role Deletion from back-end system YES

3010 Allow attaching files to the role definition YES

3011 Conduct Risk Analysis before Role Generation YES

3012 Allow Role Generation on Multiple Systems NO

3013 Use logged-on user credentials for role generation NO

3014 Allow role generation with Permission Level violations NO

3015 Allow role generation with Critical Permission violations NO

3016 Allow role generation with Action Level violations NO

3017 Allow role generation with critical Action violations NO

3018 Allow role generation with Critical Role/Profile violations NO

3019 Overwrite individual role Risk Analysis results for Mass Risk Analysis NO

3020 Role certification reminder notification 10

3021 Directory for mass role import server files <empty>

3024 Enforce methodology process for derived roles during generation YES

3025 Allow selection of Org Value Maps without leading org. NO

3026 Save Role Provisioning Details While Copying Role YES

3027 Automate authorization copy from master role to derived roles NO

3028 Generate derived roles after Creation/Update NO

3029 Notify User When Business Role Assignment Changes NO

3040 A ticket number is required for changes to role master data NO


Details of Role Management Parameters

Param ID  Description Default 

3000

Default Business Process <empty>

Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available business processes.

You maintain the list of business processes in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control.


Param ID  Description Default 

3001

Default Subprocess <empty>

Select the subprocess the application displays by default on the Role Import screen. Use F4 help to display the available subprocesses.

You maintain the list of subprocesses in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control.

Param ID  Description Default 

3002

Default Criticality Level <empty>

Select the criticality level the application displays by default on the Role Import screen. Use F4 help to display the available criticality levels.

You maintain the list of subprocesses in the Customizing activity Specify Criticality Level under Governance, Risk and Compliance > Access Control > Role Management.

Param ID  Description Default 

3003

Default Project Release <empty>

Select the project release the application displays by default on the Role Import screen. Use F4 help to display the available project releases.

You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance, Risk and Compliance > Access Control > Role Management.

Param ID  Description Default 

3004

Default Role Status <empty>

Select the role status the application displays by default on the Role Import screen. Use F4 help to display the available role statuses.

You maintain the list of project releases in the Customizing activity Maintain Role Status under Governance, Risk and Compliance > Access Control > Role Management.

Param ID  Description Default 

3005

Reset Role Methodology when Changing Role Attributes YES

The possible values are YES and NO.

This parameter determines whether the role methodology step is reset to the first step (Definition) after a mass update. It is particularly useful to avoid creating mass approval requests.


Param ID  Description Default 

3006

 Allow add functions to an authorization YES

Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen.

Param ID  Description Default 

3007

 Allow editing organizational level values for derived roles NO

The maintenance screen for derived roles displays organizational levels from the parent role.

Set the value to YES to allow the derived roles to change the values for the organizational levels.


Param ID  Description Default 

3008

 A ticket number is required after authorization data changes YES

Set the value to YES to require a ticket number when role authorizations are modified in PFCG and the user chooses the Synch with PFCG button.

Note: The Ticket Number field is a free text entry field. The application only provides the field and does not have any specific requirements. You can enter information appropriate for your company’s change request processes.

Interaction with parameter 3040:

Parameter 3008 interacts with parameter 3040 (A ticket number is required for changes to role master data) in the following way:

If 3040 is set to Yes, then 3008 is ignored. If 3040 is set to No, then 3008 behaves as documented.
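The 3008/3040 interaction above and the 4009 prerequisite noted for parameter 4020 both mean that a setting can be present but have no effect. The following added example (not SAP code) lints a parameter export for those two cases, for values outside the ones this guide lists, and for deviations from the documented defaults; the `param_id,value` CSV layout, the sample data and all function names are assumptions.

```python
"""Lint an Access Control parameter export against rules stated in this guide.

Added example: the CSV export layout and every name below are assumptions,
not an SAP interface.
"""
import csv
import io

YES_NO = frozenset({"YES", "NO"})
INT = "int"

# param_id -> (allowed values, documented default or None when this section
# of the guide does not state one). Parameters not listed here are skipped.
SPEC = {
    "4012": (frozenset({"1", "2"}), None),
    "4013": (YES_NO, "YES"),
    "4014": (YES_NO, "YES"),
    "4020": (YES_NO, "NO"),
    "5033": (YES_NO, "YES"),
    "1071": (frozenset({"YES", "NO", "ASYNCH"}), "NO"),
    "1072": (YES_NO, "NO"),
    "1073": (YES_NO, "NO"),
    "2008": (INT, "100"),
    "1126": (INT, "1"),
    "1127": (INT, "1000"),
    "3008": (YES_NO, "YES"),
    "3009": (YES_NO, "YES"),
    "3040": (YES_NO, "NO"),
}

# Constructed sample export (not data from a real system).
SAMPLE_EXPORT = """\
param_id,value
4009,No
4020,Yes
3008,No
3040,Yes
1071,Async
5033,yes
2008,250
1127,1k
"""


def parse_export(text):
    """Return {param_id: VALUE}; values are trimmed and upper-cased."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["param_id"].strip(): r["value"].strip().upper() for r in rows}


def _valid(allowed, value):
    """Check a value against an allowed set, or as a plain integer."""
    return value.isdigit() if allowed == INT else value in allowed


def lint(text):
    """Return a list of (param_id, kind, message) findings."""
    values = parse_export(text)
    findings = []
    for pid, value in values.items():
        if pid not in SPEC:
            continue
        allowed, default = SPEC[pid]
        if not _valid(allowed, value):
            wanted = "an integer" if allowed == INT else "/".join(sorted(allowed))
            findings.append((pid, "INVALID", f"'{value}' is not {wanted}"))
        elif default is not None and value != default:
            findings.append((pid, "NON_DEFAULT", f"{value} (default {default})"))

    # 4020 is only considered when 4009 is set to Yes.
    if values.get("4020") == "YES":
        if "4009" not in values:
            findings.append(("4020", "UNRESOLVED", "4009 is missing from the export"))
        elif values["4009"] != "YES":
            findings.append(("4020", "IGNORED", "4009 is not Yes"))

    # 3008 is ignored whenever 3040 is set to Yes.
    if values.get("3040") == "YES":
        findings.append(("3008", "IGNORED", "3040 is Yes"))
    return findings


if __name__ == "__main__":
    for pid, kind, msg in lint(SAMPLE_EXPORT):
        print(f"{pid:<5} {kind:<11} {msg}")
```
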


Param ID  Description Default 

3009

 Allow Role Deletion from back-end system YES

Set the value to YES to allow users the option to delete roles from both Access Control and relevant plug-in systems. Setting this value to Yes deletes the roles individually in each of the systems where the role resided. For example, the role is DELETED directly from PRD instead of having a delete request transported through CTS.

Set the value to NO to allow users to delete roles only from Access Control.

Param ID  Description Default 

3010

 Allow attaching files to the role definition YES

Set the value to YES to allow users to attach files by displaying the Attachments tab on the Role Maintenance screen.


Param ID  Description Default 

3011

Conduct Risk Analysis before Role Generation YES

Set the value to YES to automatically perform risk analysis when the user generates roles.


Param ID  Description Default 

3012

 Allow Role Generation on Multiple Systems NO

Set the value to YES to allow users to select multiple systems when generating roles. The application displays systems in the landscape that are available for the role generation action.


Param ID  Description Default 

3013

Use logged-on user credentials for role generation NO

When generating a role, the application connects to back-end systems to push the authorization data. The application needs a username/password to open the connection to the back-end ERP system. You can use this parameter to specify whether the application uses a generic username/password for all role generation connections to the ERP system, or the username/password of the person generating the role.

  Set the value to NO to use a generic username/password for the connection to the ERP system. You maintain the generic username/password for the connector in the Customizing activity Create Connectors under Governance, Risk, and Compliance > Common Component Settings > Integration Framework.

  Set the value to YES to allow the application to use the username/password of the person who is generating the role.

The advantage of setting this parameter to Yes is that when you open a role in the ERP system, you can view who generated it. If the parameter is set to No, you can only see which connector, with the generic username/password, generated it.

Param ID  Description Default 

3014

 Allow role generation with Permission Level violations NO

Set the value to YES to allow the application to generate roles even if Permission Level violations are present.

Set the value to NO to prohibit role generation if permission level violations are present.


Param ID  Description Default 

3015

 Allow role generation with critical permission violations NO

Set the value to YES to allow the application to generate roles even if permission level violations are present.

Set the value to NO to prohibit role generation if permission level violations are present.  

Param ID  Description Default 

3016

 Allow role generation with action level violations NO

Set the value to YES to allow the application to generate roles even if action level violations are present.

Set the value to NO to prohibit role generation if action level violations are present. 

Param ID  Description Default 

3017

 Allow role generation with critical action violations NO

Set the value to YES to allow the application to generate roles even if critical action violations are present.

Set the value to NO to prohibit role generation if critical action violations are present.

Param ID  Description Default 

3018

 Allow role generation with critical role/profile violations NO

Set the value to YES to allow the application to generate roles even if critical role/profile violations are present.

Set the value to NO to prohibit role generation if critical role/profile violations are present.  


Param ID  Description Default 

3019

Overwrite individual role risk analysis results for mass risk analysis NO

The possible values are YES and NO.

The application allows you to perform ad hoc risk analysis for multiple roles under Access Management > Role Mass Maintenance > Run Risk Analysis. The application stores the results of the analysis. (See also parameters 1052 and 1053.) When you next perform mass risk analysis, the application searches the stored data to determine if there are previous risk analysis results for each role. You can choose whether the application overwrites the risk analysis results.

  Set the parameter to YES to write or overwrite stored results during mass role risk analysis.

  Set the parameter to NO if you do not want to overwrite the stored results during mass role risk analysis. In this case, results are only stored during the risk analysis phase of role maintenance or during ad-hoc role risk analysis.

Note

The above actions are done per individual role. The application does not automatically overwrite the results for all roles.

Param ID  Description Default 

3020 Role certification reminder notification 10


You use this parameter to set how many days prior to the Next Certification date the application sends a reminder to the role owner.

For example, if the next certification is June 15, xxxx, and this parameter value is 10, then the application sends the reminder notification to the role owner on June 5, xxxx. You set the Certification Period in Days and Next Certification date in the Define Role phase, on the Properties tab.

Note – Additional information about Certification Notifications:

You can use the following Customizing activities to maintain custom notification e-mails under Governance, Risks, and Compliance > Access Control > Workflow for Access Control:

  Maintain Custom Notification Messages

  Maintain Text for Custom Notification Messages

  Maintain Background Job for E-mail Reminders

The following is an example of a notification e-mail:

The application provides notification templates. You can assign custom notification templates in the Customizing activity Maintain Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

You can customize the notification text by using the Customizing activity Maintain Text for Custom Notification Messages under Governance, Risks, and Compliance > Access Control > Workflow for Access Control.


For certification notifications to be delivered, you must run the GRAC_ERM_ROLE_CERTIFY_NOTIF program in either the foreground or the background.

You can schedule background jobs to run periodically using the Customizing activity Maintain Background Job for E-mail Reminders under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

If you run the program in the foreground, the application displays a results screen:


Param ID  Description Default 

3021

Directory for mass role import server files <empty>

The application allows you to perform mass role import under Access Management > Role Mass Maintenance > Role Import. You can select the Import Source as File on Server. You use this parameter to specify the location of the files on the server.

Param ID  Description Default 

3024

Enforce methodology process for derived roles during generation YES

You use this parameter to determine the derived roles displayed in the role generation phase of the master role.

Set the value to YES to display only the derived roles that reach the role generation phase of the methodology process.

Set the value to NO to display all derived roles, regardless of their phase in the methodology process.

In the following example, Figure A shows five derived roles available; two of the roles are in Role Generation phase.

Figure B shows that if the value is set to YES, only the two roles in Role Generation phase are displayed.


Param ID  Description Default 

3025  Allow selection of Org. Value Maps without leading org.  NO

You use this parameter to determine if users may derive roles by using Org Value Maps that do not contain a leading organization.

Set the value to YES to allow role derivation using Org Value Maps that do not contain a leading organization.

Set the value to NO to require that role derivation is performed using Org Value Maps that do contain a leading organization.

Single Role Derivation

Choose Access Management > Role Management > Role Search > Search and open any role.

Go to the role derivation phase and choose Derive.

If the AC Configuration parameter 3025 = YES, the screen appears as below:  

If the AC Configuration parameter 3025 = NO, the screen appears as below:


Mass Role Derivation

Choose Access Management > Role Mass Maintenance > Role Derivation.

Search and select any map and choose Next to go to the Select Master Role screen.

If the AC Configuration parameter 3025 = YES, the screen appears as below:  

If the AC Configuration parameter 3025 = NO, the screen appears as below:  


Param ID  Description Default 

3026  Save Role Provisioning Details While Copying Role  YES

You use this parameter to specify whether you wish to copy the role details such as the system validity period when copying roles. The default value is YES – copy the details when creating a new role.

Param ID  Description Default 

3027  Automate authorization copy from master role to its derived roles  NO

Possible values are YES and NO.

If the parameter is set to YES, the application automatically copies authorization data from the master role to its derived roles.

If the parameter is set to NO, the application does not copy the authorization data from the master role to its derived roles.

Param ID  Description Default 

3028  Allow role generation with critical action violations  NO

In SAP Access Control, you can create derived roles and update them using Role Derivation and Derived Role Org. Values Update. To generate the profiles in the backend system, you must use Role Generation to create the background job. This is a manual step, and if not done, the profiles are not generated and the changes to the derived roles are not implemented.

This parameter allows you to schedule the background job for Role Generation automatically.

Set this parameter to Yes to schedule the background job automatically at the time you create or update a derived role.

Param ID  Description Default 

3029  Notify User When Business Role Assignment Changes  NO

SAP Access Control uses parameter 3029 in Business Role Management to determine whether to notify users when their role assignments change.

The possible values of parameter 3029 are:

•  YES – notify users when their role assignments change.

•  NO – do not notify users when their role assignments change.

In Access Control 10.1, during business role creation, under Provisioning options, there is an Update Assignment button. If you select this button, when changes occur to the business role assignment, the application sends a notification to all end users who are assigned to this business role.

This feature is not available in Access Control 10.0, so there is no notification to users upon changes to the business role.

If you are using Access Control 10.1 and you want to turn this notification off, you set parameter 3029 to NO.

Example

The screenshot below shows a sample user notification.


More Information

See SAP Note 2130921 for more information.


Param ID  Description Default 

3040  A ticket number is required for changes to role master data  NO

Parameter 3040, if set to Yes, requires a ticket number be assigned when any role master data changes. This number allows changes to be traced to the original change request.

The possible values of parameter 3040 are:

•  YES – ticket numbers must be entered when role master data changes

•  NO – ticket numbers are not required when role master data changes

This functionality applies to all phases of role maintenance as well as changes made using Role Copy, Role Mass Maintenance: Role Import, Role Update, Derived Role Org. Value Update, and Mass Update.

When a role is created, a dialog box appears allowing the user to enter a ticket number and description. Ticket Number is mandatory. The screenshot below shows the dialog box that displays for entering a ticket number when you create a new role.

When a user edits a role that is completed, the same dialog box is displayed for entering a new ticket number. For all subsequent edits, the same ticket number will be used automatically without the user entering a new number. The application tracks all ticket numbers in the role change history.

On the Role Maintenance screen, under the Additional Details tab, you can choose Ticket Number to display the current ticket number for the role. By default, this tab is read-only. Only the users with special authorization (GRAC_ROLED V8 Modify ticket) are able to edit the ticket details (including the ticket number) here.


Click Additional Details > Change History to see the history of changes to this role along with the associated ticket numbers.

You can use Role Search to search for roles with a certain ticket number as shown in the screenshot below.

Interaction with Parameter 3008

Parameter 3008 (A ticket number is required after authorization data changes) interacts with parameter 3040 in the following way: If 3040 is set to Yes, then 3008 is ignored. If 3040 is set to No, then 3008 behaves as described.


1.11  Risk Analysis  –  Risk Terminator

The Risk Analysis – Risk Terminator parameters affect Risk Terminator.

Overview of Risk Analysis – Risk Terminator Parameters

Parameter ID  Description  Default Value

1080 Connector enabled for Risk Terminator <empty>

1081 Enable Risk Terminator for PFCG Role Generation NO

1082 Enable Risk Terminator for PFCG User Assignment NO

1083 Enable Risk Terminator for SU01 Role Assignment NO

1084 Enable Risk Terminator for SU10 multiple User Assignment NO

1085 Stop role generation if violations exist NO

1086 Comments are required in case of violations NO

1087 Send Notification in case of violations NO

1088 Default report type for Risk Terminator 2


Param ID  Description Default 

1080  Connector enabled for Risk Terminator  <empty>

Enter the name of the connector in the value field to enable it for risk terminator. To use this parameter, you must also configure parameters 1081 – 1088.

You can enter multiple values by entering multiple instances of the parameter, as follows:

Note: The following parameters must be configured in the relevant target systems: 1000, 1001, 1002, 1081 – 1088.

•  Parameter 1000 is the target Connector ID (Plug-in Connector).

•  Parameter 1001 is the GRC Connector ID.

•  Parameter 1002 is the rule set to be used.

•  Parameters 1081 – 1088 should be the same in both GRC and the target systems. This is a recommendation, but not a requirement.

Param ID  Description Default 

1081  Enable Risk Terminator for PFCG Role Generation  NO

Set to YES to trigger the risk terminator service for PFCG Role Generation. This parameter is only valid if parameter 1080 is configured with at least one connector.

The Risk Terminator service is a tool that resides in the back end SAP ABAP system and notifies you when a risk violation occurs.

Param ID  Description Default 

1082  Enable Risk Terminator for PFCG User Assignment  NO

Set to YES to trigger the risk terminator service for PFCG User Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.


Param ID  Description Default 

1083  Enable Risk Terminator for SU01 Role Assignment  NO

Set to YES to trigger the risk terminator service for SU01 Role Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID  Description Default 

1084  Enable Risk Terminator for SU10 multiple User Assignment  NO

Set to YES to trigger the risk terminator service for SU10 Multiple User Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID  Description Default 

1085  Stop role generation if violations exist  NO

If set to YES, the risk terminator service stops generating roles if violations exist. This parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID  Description Default 

1086  Comments are required in case of violations  NO

Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment. This parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID  Description Default 

1087  Send Notification in case of violations  NO

Set the value to YES to enable the application to send e-mail notifications to the role owner when violations occur. This parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID  Description Default 

1088  Default report type for Risk Terminator  2

Select the default report type the risk terminator service uses to report SoD violations. Use F4 help to display the available report types. This parameter is only valid if parameter 1080 is configured with at least one connector.


1.12  Access Request Role Selection

The Access Request Role Selection parameters affect how you select and process roles when you create an access request.

Overview of Access Request Role Selection Parameters

Parameter ID  Description  Default Value

2031 Allow All Roles for Approver YES

2032 Approver Role Restriction Attribute <empty>

2033 Allow All roles for Requestor YES

2034 Requestor Role Restriction Attribute <empty>

2035 Allow Role Comments YES

2036 Role Comments Mandatory YES

2037 Display expired roles for existing roles YES

2038 Auto Approve Roles without Approvers YES

2039 Search Role by Transactions from Backend System NO

2040 Assignment Comments mandatory on rejection NO

2042 Visibility of Valid from/Valid to for profiles 0

2043 Authorization object for role search – provisioning GRAC_ROLED

2044 Display profiles in Existing Assignments, My Profile and Model User YES

2045 Default provisioning action after adding roles/profiles/FFID from existing assignment and My Profile 010

2046 Field type for business process and system fields, in access request role search <empty>

2047 Filter business process and systems based on application area NO

2048 Default provisioning environment for business role <empty>

Param ID  Description Default 

2031  Allow All Roles for Approver  YES

The application allows approvers to add additional roles to access requests when reviewing them.

Set the value to YES to allow approvers to view and select all roles.

Set the value to NO to restrict the roles the approvers can view and select for request creation. You specify the restriction criteria in parameter 2032.


Param ID  Description Default 

2032  Approver Role Restriction Attribute  <empty>

The application allows approvers to add additional roles to access requests when reviewing them. You can restrict the roles approvers can view and select for request creation.

•  Set the value to A to Restrict on Role Approver. Approvers can view and select only those roles for which they are the role approver.

•  Set the value to B to Restrict on Business Process. Approvers can view and add only those roles with business process attributes that match those in the request.

•  Set the value to F to Restrict on Functional Area. Approvers can view and add only those roles with functional area attributes that match those in the request.

Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the application ignores the restrictions specified here.

You can add multiple restriction values by adding additional instances of the parameter.

Param ID  Description Default 

2033  Allow All Roles for Requestor  YES

Set the value to YES to allow the user to view all roles for request creation.

Set the value to NO to restrict the roles the user can view for request creation. You specify the restriction criteria in parameter 2034.


Param ID  Description Default 

2034  Requestor Role Restriction Attribute  <empty>

This parameter allows you to require that, for access request creation, the application displays only the roles that have attributes that match the specified requestor attributes.

•  Set the value to B to Restrict on Business Process. The application displays only the roles that match the requestor’s business process attribute.

•  Set the value to F to Restrict on Functional Area. The application displays only the roles that match the requestor’s functional area attribute.

Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If parameter 2033 is set to YES, the application ignores the restrictions specified here.

You can add multiple restriction values by adding additional instances of the parameter.

Param ID  Description Default 

2035  Allow Role Comments  YES

Set value to YES to allow the user to enter Role Comments when creating access requests.

Param ID  Description Default 

2036  Role Comments Mandatory  YES

Set value to YES to require Role Comments when creating access requests.

Note: This is a GLOBAL setting and is required for all roles included on requests. Mandatory comments can also be determined at the individual role level.

Prerequisite: Parameter 2035 must be set to YES.


Param ID  Description Default 

2037  Display expired roles for existing roles  YES

Set the value to YES to include the roles for which the user assignment is expired when the user chooses the Existing Assignment button on the Access Request.

Param ID  Description Default 

2038  Auto Approve Roles without Approvers  YES

Set the value to YES to allow the application to approve access requests for roles without role assignment approvers.


Param ID  Description Default 

2039  Search Role by Transactions from Backend System  NO

Set the value to NO to allow users to search for roles using the role information in the GRC AC Repository.

Set the value to YES to allow users to search for roles by transactions on a specific backend system in real time. This has the following effect:

•  It adds the Transaction from Backend System criteria to the Select Roles screen.

•  It makes the System criteria mandatory.

•  It fetches role information from the specified system in real time, which may have an effect on performance.

Param ID  Description Default 

2040  Assignment comments mandatory on rejection  NO

The available values are YES and NO.

If the value is set to NO, when you open an access request, you are not required to enter a comment if you reject a role, a system, or a Firefighter ID assignment.

If the value is set to YES, you must enter a comment if you reject a role, a system, or a Firefighter ID assignment.

Param ID  Description Default 

2042  Visibility of Valid from/Valid to for profiles  0

The available values are: 0, 1, 2, 3, 4

The effect on the user experience depends on the value selected: the visibility of the dates and whether the Valid from and Valid to fields are editable depend on the value selected for the parameter, as indicated in the screen shots below.


Param ID  Description Default 

2043  Authorization object for role search - provisioning  GRAC_ROLED

This parameter allows you to determine the behavior of role search based on authorizations and the roles the user can see during role definition and role provisioning.

•  GRAC_ROLED: Enter this value to enforce role search authorizations during the role definition.

•  GRAC_ROLEP: Enter this value to enforce role search authorizations during role provisioning.

•  BOTH: Enter this value to enforce role search authorizations during both role definition and role provisioning.

For more information about the authorization objects, see the Access Control 10.1 Security Guide.

Param ID  Description Default 

2044  Display profiles in Existing Assignments, My Profile, and Model User  YES


The available values are Yes and No.

Based on the parameter value, the system displays or hides Profiles for Existing Assignments, My Profile, and Model User as illustrated by the screen shots below.


Param ID  Description Default 

2045  Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile  010

The available values are: 006, 009, 010

Based on the parameter value, the provisioning action is set for roles/profiles/FFID from existing assignments and My Profile as indicated in the screen shots below.


Param ID  Description Default 

2046  Field type for business process and system fields, in access request role search  <empty>

This parameter allows you to choose the field type for the Business Process and System search criteria on the Access Request Role Search screen. You can choose the field types as a Text field with F4 help or a dropdown list.

•  Set the value to 0 (zero) to display the field types for both Business Process and System as a text field. (See example below.)

•  Set the value to 1 to display the Business Process field as a dropdown list, and the System field as a text field.

•  Set the value to 2 to display the Business Process field as a text field, and the System field as a dropdown list.

•  Set the value to 3 to display both the Business Process and System fields as a dropdown list.


Param ID  Description Default 

2047  Filter business process and systems based on Application Area  NO

You can use Application Area to group systems that are of the same application type (for example, ECC, BI/BW, etc.).

You designate the connector group as an Application Area by connecting it to Group Type CUP-AA - Application Area.

(IMG: Governance Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connector Types.)

Then, you can assign the Application Area to Business Processes.

(IMG: Governance Risk and Compliance > Access Control > Maintain Business Processes and Subprocesses.)

Note: Only Connector Groups that have been assigned the group type CUP-AA - Application Area can be assigned to business processes.

You can assign a Business Process to multiple Application Areas.


Set this parameter to Yes to allow filtering of Systems and Business Processes by assigned Application Area during role selection.

Set this parameter to No to not allow filtering by Application Area.

Setting this parameter to Yes displays the Application Area field in the Advanced Search on the Add Roles to Request screen in the Simplified Access Request, or during F4 System search on the regular Access Request screen. (See figures below.)

Simplified Access Request screen


Regular Access Request

Note: If this parameter is set to Yes, you must also set Parameter 2046 to 0 or 1 for this functionality to be used in the regular Access Request. For the Simplified Access Request, you can set Parameter 2046 to any setting.


Param ID  Description Default 

2048  Default provisioning environment for business role  <empty>

Use this parameter to set the default provisioning environment for business roles. For example, if you set the parameter to TST, then when a user submits a request for a business role the default provisioning environment is Test.

The possible values for this parameter are:

DEV - Development

PRD - Production

TST - Test
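Several parameters in sections 1.11 and 1.12, and parameter 3040 before them, only take effect when another parameter has a particular value. The following Python script is an added example, not part of the SAP guide or product: it checks an exported parameter list for settings that the prerequisites stated above make ineffective. The (parameter ID, value) export format and all sample values are constructed for illustration.

```python
# Added example: dependency lint for an exported Access Control parameter set.
# The export format (param_id, value) and all sample values are constructed.

# Defaults taken from the overview tables in this guide ("" means <empty>).
DEFAULTS = {
    "1080": "", "1081": "NO", "1082": "NO", "1083": "NO", "1084": "NO",
    "1085": "NO", "1086": "NO", "1087": "NO", "2031": "YES", "2032": "",
    "2033": "YES", "2034": "", "2035": "YES", "2036": "YES", "2046": "",
    "2047": "NO", "3040": "NO",
}

# Restriction attribute values documented for parameters 2032 and 2034.
ALLOWED = {"2032": {"A", "B", "F"}, "2034": {"B", "F"}}

# Constructed sample export; a parameter ID may appear more than once.
SAMPLE_EXPORT = [
    ("1080", ""),      # no connector enabled for Risk Terminator
    ("1081", "YES"),
    ("1085", "YES"),
    ("2031", "YES"),
    ("2032", "A"),
    ("2033", "NO"),
    ("2034", "X"),     # not a documented value
    ("2035", "NO"),
    ("2036", "YES"),
    ("2046", "3"),
    ("2047", "YES"),
    ("3008", "YES"),
    ("3040", "YES"),
]


def load(rows):
    """Group rows by parameter ID; repeated IDs model multiple instances."""
    params = {}
    for pid, value in rows:
        bucket = params.setdefault(pid, [])
        value = value.strip().upper()
        if value:
            bucket.append(value)
    return params


def values(params, pid):
    """Exported values if the parameter is present, else the documented default."""
    if pid in params:
        return params[pid]
    default = DEFAULTS.get(pid, "")
    return [default] if default else []


def is_yes(params, pid):
    return values(params, pid) == ["YES"]


def check_restriction(params, allow_all, attribute, findings):
    """Rules shared by the 2031/2032 and 2033/2034 pairs."""
    configured = values(params, attribute)
    valid = [v for v in configured if v in ALLOWED[attribute]]
    for v in configured:
        if v not in ALLOWED[attribute]:
            findings.append((attribute, f"undocumented value {v!r}"))
    if is_yes(params, allow_all) and configured:
        findings.append((attribute, f"ignored while {allow_all} = YES"))
    elif not is_yes(params, allow_all) and not valid:
        findings.append((attribute, f"{allow_all} is not YES but no valid restriction is set"))


def lint(rows):
    """Return (param_id, message) findings for ineffective or inconsistent settings."""
    params = load(rows)
    findings = []
    # 1081-1087 are only valid if 1080 names at least one connector.
    if not values(params, "1080"):
        for n in range(1081, 1088):
            if is_yes(params, str(n)):
                findings.append((str(n), "no effect: 1080 names no connector"))
    check_restriction(params, "2031", "2032", findings)
    check_restriction(params, "2033", "2034", findings)
    # Mandatory role comments require role comments to be allowed.
    if is_yes(params, "2036") and not is_yes(params, "2035"):
        findings.append(("2036", "requires 2035 = YES"))
    # Application Area filtering in the regular Access Request needs 2046 = 0 or 1.
    if is_yes(params, "2047") and values(params, "2046") not in (["0"], ["1"]):
        findings.append(("2047", "regular Access Request needs 2046 = 0 or 1"))
    # 3008 is ignored whenever 3040 is set to YES.
    if is_yes(params, "3040") and values(params, "3008"):
        findings.append(("3008", "ignored while 3040 = YES"))
    return findings


if __name__ == "__main__":
    for pid, message in lint(SAMPLE_EXPORT):
        print(pid, message)
```

A finding on 1081 to 1087 deserves attention first: it means Risk Terminator checks that appear enabled are not running for any connector.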


1.13  Access Request Default Roles

The Access Request Default Roles parameters control the assignment and characteristics of default roles assigned during access request creation.

Overview of Access Request Default Roles

Parameter ID  Description  Default Value

1302 Add default roles only for systems specified in the Access Request NO

2009 Consider Default Roles YES

2010 Request type for default roles <empty>

2011 Default Role Level REQ&ROL

2012 Role Attributes <empty>

2013 Request Attributes <empty>

Details of Access Request Default Roles

Param ID  Description Default 

1302  Add default roles only for systems specified in the Access Request  NO

Default roles are automatically assigned to users on a system. Typically, these roles have little to no risk and contain authorizations you want everyone to have.

For example, you want everyone with access to System_A to have authorization to view data. Therefore, when someone requests access to System_A the application automatically assigns the default roles to him or her in addition to whatever roles they requested.

Previously, the application would assign all default roles for all systems in one request even if the systems were not specified in the request. The rationale is that all default roles are safe so the risk is low and it saves you from having to assign the roles in separate requests. For example, someone requests access to System_A. The application assigns them the default roles for System_A and the default roles for all other systems.

You can use this parameter to have the application add default roles only for systems explicitly included in the access request.

If the parameter is set to YES, the application only adds system-specific roles to the request.

If the parameter is set to NO, the application adds default roles for all systems into the request.

Note

This parameter is only valid if parameter 2009 is set to Yes.


Param ID  Description Default 

2009  Consider Default Roles  YES

If set to YES, the application automatically adds the relevant default roles to the access request.

Prerequisites: You have maintained the following parameters as needed: 1302, 2010, 2011, 2012, and 2013.

In this example, the value for the attribute Functional Area maps to a relevant default role, so the application adds the role to the request.


Param ID  Description Default 

2010  Request type for default roles  <empty>

Enter the request types that are relevant for default roles functionality. The application adds default roles only for the specified roles.

Enter multiple request types by adding additional instances of the parameter.

Use F4 help to display the available request types. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

See also parameters 2009, 2011, 2012, and 2013.

Param ID  Description Default 

2011  Default Role Level  REQ&ROL

Select which attribute type determines the relevance of the default roles.

•  Role – The application uses the role attributes to determine the relevant default roles and adds the default roles at the time the user adds the roles to the request. That is, the user does see the added default roles at the time they create the request. You define the relevant role attributes in parameter 2012.

•  Request – The application uses the request attributes to determine the relevant default roles and adds the default roles when the request is displayed for the approver. That is, the user does not see the added default roles at the time they create the request. You define the relevant request attributes in parameter 2013.

•  Request & Role – The application uses both the request and the role attributes to determine the default roles. If a default role is added due to a role attribute, the user will see it after adding it to the request. If a default role is added due to a request attribute, the role is added when the request is displayed for the approver. You define the relevant role attributes in parameter 2012 and the relevant request attributes in parameter 2013.

In this example, the value is set to Request. The manager receives a request with the default role z_user_admin already added, because Functional Area is a relevant attribute.


In this example, the value is set to Role. On the request screen, the application shows the default roles as Existing and adds them to the request.


See also parameters 2009, 2010, 2012, and 2013.


Param ID  Description Default 

2012  Role Attributes  <empty>

Enter the role attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter 2013.

You can add multiple role attributes by adding additional instances of the parameter.

See also parameters 2009, 2010, 2011, and 2013.

Param ID  Description Default 

2013  Request Attributes  <empty>

Enter the request attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the role attributes maintained in parameter 2012.

You can add multiple request attributes by adding additional instances of the parameter.

See also parameters 2009, 2010, 2011, and 2012.
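The interplay of parameters 2009, 2010, 2011, 2012, 2013 and 1302 decides which default roles join a request, whether the requester sees them before submitting, and whether they land on systems the request never named. The following Python model is an added example and not SAP code: it reproduces the behavior described in this section so a reviewer can compare settings. The mapping table, role names, system names, attribute names, the request type and the ROLE and REQUEST value spellings are all assumptions made for illustration.

```python
# Added example: simplified model of default-role selection as described for
# parameters 2009, 2010, 2011, 2012, 2013 and 1302. Not SAP code.
# The mapping table, role names, systems and attribute names are constructed.

ROLE, REQUEST, BOTH = "ROLE", "REQUEST", "REQ&ROL"  # ROLE/REQUEST spellings assumed

# Constructed default-role mapping: (attribute, value) -> [(system, role), ...]
DEFAULT_ROLE_MAP = {
    ("FUNCTIONAL_AREA", "FINANCE"): [("SYSTEM_A", "Z_FIN_DISPLAY"),
                                     ("SYSTEM_B", "Z_FIN_DISPLAY")],
    ("BUSINESS_PROCESS", "PROCUREMENT"): [("SYSTEM_A", "Z_PROC_DISPLAY")],
}

SAMPLE_CFG = {
    "2009": "YES",                  # consider default roles
    "2010": ["NEW_ACCOUNT"],        # request types relevant for default roles
    "2011": BOTH,                   # default role level
    "2012": ["BUSINESS_PROCESS"],   # role attributes
    "2013": ["FUNCTIONAL_AREA"],    # request attributes
    "1302": "NO",                   # NO = add default roles for all systems
}

SAMPLE_REQUEST = {
    "type": "NEW_ACCOUNT",
    "systems": {"SYSTEM_A"},
    "attributes": {"FUNCTIONAL_AREA": "FINANCE"},
    "roles": [{"name": "Z_BUYER", "system": "SYSTEM_A",
               "attributes": {"BUSINESS_PROCESS": "PROCUREMENT"}}],
}


def _lookup(attribute_names, attributes):
    """Default roles mapped to the given attribute values."""
    found = []
    for name in attribute_names:
        found.extend(DEFAULT_ROLE_MAP.get((name, attributes.get(name)), []))
    return found


def _dedupe(pairs):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(pairs))


def resolve_default_roles(cfg, request):
    """Return default roles grouped by the stage at which they join the request."""
    result = {"at_creation": [], "at_approval": [], "off_request": []}
    if cfg.get("2009", "YES") != "YES":
        return result
    # Assumption: a request type not listed in 2010 gets no default roles.
    if request["type"] not in cfg.get("2010", []):
        return result

    level = cfg.get("2011", BOTH)
    at_creation, at_approval = [], []
    if level in (ROLE, BOTH):
        # Role attributes: added when the user adds roles, so the user sees them.
        for role in request["roles"]:
            at_creation += _lookup(cfg.get("2012", []), role["attributes"])
    if level in (REQUEST, BOTH):
        # Request attributes: added when the request is displayed for the approver.
        at_approval += _lookup(cfg.get("2013", []), request["attributes"])

    if cfg.get("1302", "NO") == "YES":
        # Keep only default roles on systems named in the request.
        at_creation = [p for p in at_creation if p[0] in request["systems"]]
        at_approval = [p for p in at_approval if p[0] in request["systems"]]

    result["at_creation"] = _dedupe(at_creation)
    # Assumption: a role already added at creation is not added again at approval.
    result["at_approval"] = [p for p in _dedupe(at_approval)
                             if p not in result["at_creation"]]
    # Roles on systems the request did not name (only possible with 1302 = NO).
    result["off_request"] = [p for p in result["at_creation"] + result["at_approval"]
                             if p[0] not in request["systems"]]
    return result


if __name__ == "__main__":
    for stage, roles in resolve_default_roles(SAMPLE_CFG, SAMPLE_REQUEST).items():
        print(stage, roles)
```

With the sample settings, the SYSTEM_B role appears only in the at_approval and off_request lists: the requester never saw it and never asked for that system, which is the combination to look for when reviewing default-role configuration.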


1.14  Access Request Role Mapping

The Access Request Role Mapping parameters determine how and if you use role mapping during access request creation.

Overview of Access Request Role Mapping Parameters

Parameter ID  Description  Default Value

2014 Enable Role Mapping YES

2015 Applicable to Role Removals YES


Details of Access Request Role Mapping Parameters

Param ID  Description Default 

2014

Enable Role Mapping  YES 

The application allows you to assign roles as child roles (or map the roles). This allows anyone who is assigned this role to be assigned the authorizations and access for the child roles.

Set the parameter value to YES to enable this functionality. The role mappings are applicable for provisioning access requests.

Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.

In the following example, the user is requesting the role BS_BS_123 of system GF1->GO7. The mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the role from the request.

Note: The Source System dropdown list is from the same landscape you chose on the Detail tab.


Param ID  Description Default 

2015

 Applicable to Role Removals YES

Set the value to YES to allow users to include mapped roles in requests for role removal. For example, if a user creates a request to remove a role assigned to them, and the role has mapped roles, then the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request.


1.15  SOD Review

The Separation of Duties (SOD) Review parameters allow you to make decisions about how to process SOD Reviews.

Overview of SOD Parameters

Parameter ID  Description  Default Value

2016 Request Type for SoD <empty>

2017 Default priority for SoD <empty>

2018 Who are the reviewers? MANAGER

2019 Admin. Review required before sending tasks to reviewers YES

2020 Unique number of line items per SoD request (Maximum 9999) <empty>

2023 Is actual removal of role allowed? YES

Details of SOD Parameters

Param ID  Description Default 

2016

Request Type for SoD <empty>

Use F4 help and select the request type when SoD review requests are created.

You maintain the list of available request type values in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.

Param ID  Description Default 

2017

Default priority for SoD <empty>

Use F4 help and select the default priority used for SoD review requests.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.


Param ID  Description Default 

2018

Who are the reviewers? MANAGER

Select either Manager or Risk Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Risk Owners receive review requests sorted by Risk.

Param ID  Description Default 

2019

 Admin. review required before sending tasks to reviewers YES

Set the value to YES to require that users with the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. You specify reviewers in parameter 2018.

Param ID  Description Default 

2020

Number of unique line items per SOD request (Maximum 9999) <empty>

You use this parameter to control the number of unique line items an approver wants to see in a SOD Review Request. The possible values are all numeric values between 0001 and 9999. For more information, see SAP Note 1994429 - UAM: Running Batch Risk Analysis is mandatory for SOD Review Request creation.


Param ID  Description Default 

2023

Is actual removal of role allowed YES

You use this parameter to configure whether the reviewers of SoD risks are allowed to remove the roles associated with an SOD risk or only propose removal of the roles.

• Set value as NO
  This is the recommended setting. On the SoD Review screen, the application displays the Propose Removal button. Reviewers can only propose the removal of roles associated with a SoD risk violation. The workflow goes to the security administrator who is able to view the source of the risk before deciding whether to remove the role.

• Set value as YES
  This setting is not recommended. On the SoD Review screen, the application displays the Remove Role button. This allows the reviewer to delete the roles directly without going through approval by the security administrator.
  Warning: Reviewers do not have the ability to view the source of the risks; therefore, they have the risk of potentially deleting relevant roles.

Note

If this parameter is set to Yes, then Parameter 1027 must also be set to Yes.


1.16  LDAP

The Lightweight Directory Access Protocol (LDAP) parameter determines where you can search for user data.

Overview of LDAP Parameters

Parameter ID  Description  Default Value

2052 Use LDAP domain forest NO

Details of LDAP Parameters

Param ID  Description Default 

2052

Use LDAP domain forest NO

The available values are Yes and No. The effect on the user experience is based on the value set in configuration. If the value is Yes, users can search from multiple domains when the user data source is LDAP.


1.17  Assignment Expiry

The Assignment Expiry parameter controls the time period after which roles expire.

Overview of Assignment Expiry Parameters

Parameter ID  Description  Default Value

2041 Duration for assignment expiry in Days <empty>

Details of Assignment Expiry Parameters

Param ID  Description Default 

2041

Duration for assignment expiry in Days <empty>

On the My Profile and Existing Assignment screens, the application displays the Status field for the roles. Roles that are about to expire display the status of Expiring. You use this parameter to specify the timeframe (in days) that triggers the application to display the status as Expiring.

In the following example, the My Profile and Existing Assignment screens will show the status of Expiring for all roles assigned to the user that are about to expire in 1 to 45 days.


1.18  Access Request Training Verification

The Access Request Training Verification parameter allows you to require training certification for specific roles.

Overview of Access Request Training Verification Parameters

Parameter ID  Description  Default Value

2024 Training and verification <empty>


Details of Access Request Training Verification Parameters

Param ID  Description Default 

2024

Training and verification  <empty>

The application allows you to require that users complete training courses before the application provisions specific roles to them.

You enable this functionality by:

1. Setting training requirements (see Example 1 below)

2. Configuring MSMP routing rule

3. Configuring the data source systems for verifying if the training requirements are completed

Example 1: The user is requesting a role that has a TRAINING prerequisite, and Verify on Request is set to Yes. The application will not allow them to submit the request until all the prerequisites are met.

The application has a Routing rule for Training and Verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). The routing checks this parameter to determine the data source for verifying if the user has completed the training required for the roles they are requesting to add. If the required training is not completed for a particular role, the application does not provision the role, and instead, sends the request to the routing path.

• Leave the value field empty to disable the function. The workflow does not take any routing paths.

• Set the value to BAdI and the application uses the specified BAdI to perform the verification.

• Set the value to WS and the application uses the specified web service to perform the verification.


Note: Specify the prerequisite system in the connector configuration. To configure the connectors, use the Customizing activity Maintain Connectors and Connector Types under Governance, Risk, and Compliance > Common Component Settings > Integration Framework. The connector must be of the type WS and associated with a logical port. You can define the logical port in transaction SOAMANAGER.

Prerequisite: You have implemented the BAdI or web service (WS) as needed.

Note: You can configure the routing in the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.


1.19  Authorizations

The Authorizations parameters control how authorization messages and logging are handled.

Overview of Authorizations Parameters

Parameter ID  Description  Default Value

1100 Enable the authorization logging NO

1114 Display authorization message in reports YES

Details of Authorizations Parameters

Param ID  Description Default

1100

Enable the authorization logging NO

If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1. For example, an owner wants to perform an action and is missing the necessary authorizations.

Param ID  Description Default 

1114

Display authorization message in reports YES

The Access Control reports and dashboards display data based on the user's authorizations. You can use this parameter to display a message and link that displays the objects the user is authorized to view.

• Set the value as YES to display the message and link.

• Set the value as NO if you do not want to display the message and link.


1.20  Access Request Business Role

The Access Request Business Role parameters control how business roles are processed during access request creation.

Overview of Access Request Business Role Parameters

Parameter ID  Description  Default Value

4011 Allow deletion of technical roles if part of business roles YES

4016 Consider only the approved/completed version of a business role when provisioning NO

4019 Exclude manual changes to role assignments or profiles from repository sync NO

Details of Authorizations Parameters

Param ID  Description Default 

4011

 Allow deletion of technical roles if part of business roles YES

The possible values are YES and NO. 

Business roles are logical roles that exist only in the Access Control application. They allow you to create relationships with multiple technical roles, and thereby grant the authorizations from multiple roles by assigning a single business role.

Use this parameter to set whether to allow the deletion of technical roles if they are assigned to a user as part of a business role.

• Set the value to NO to prohibit the deletion of such technical roles. The application displays an error message:
  Role TechRole01 cannot be deleted; it is part of BusinessRole_AB.

• Set the value to YES to allow the application to delete the technical roles.


Param ID  Description Default 

4016

Consider only the approved/completed version of a business role when provisioning NO

This parameter allows the system to consider only the Approved or Completed versions of a Business Role for provisioning.

The possible values are YES and NO.

If 4016 is set to YES:

4016 Setting in IMG | BRM Setting | Behavior During Provisioning
YES | Approval is configured | Only the Approved version of the business roles is considered for provisioning.
YES | Approval is not configured | Only the Complete version of the business roles is considered for provisioning.

If 4016 is set to NO:

4016 Setting in IMG | BRM Setting | Behavior During Provisioning
NO | Not equal to Approval or Complete | The system considers the current version of the business role when provisioning, irrespective of whether it is Approved or Complete.

For more information, see SAP Note 1781696.

Param ID  Description Default 

4019

Exclude manual changes to role assignments or profiles from repository sync NO

This parameter controls whether manual changes to role assignments and profiles done in SU01 and SU10 on the backend system are synched to the GRC repository.

Set the parameter to No to include the manual changes to role assignments or profiles in the synch job.

Set the parameter to Yes to exclude the manual changes to role assignments or profiles from the synch job.

For more information, see SAP Note 1874160.  


1.21  Management Dashboard Reports

The Management Dashboard Reports parameters set defaults for the Access Dashboard reports.

Overview of Management Dashboard Reports Parameters

Parameter ID  Description  Default Value

1047 Default Management Report Violation Count P

1049 Default Management Report Risk Type ALL

Details of Management Dashboard Reports Parameters

Param ID  Description Default 

1047

Default Management Report Violation Count P

This parameter is used by the Access Risk Violations Dashboard. It controls the default behavior for how the application displays the violation count. The possible values are P and R.

If the parameter is set to P, the application displays the violation count by permission as shown in the example below.

If the parameter is set to R, the application displays the violation count by access risk level.


Param ID  Description Default 

1049

Default Management Report Risk Type ALL

Management reports consider all three types of access risk: SOD, Critical Actions, and Critical Permission. The pie chart calculations for all the management reports (Risk Violations, User Analysis, and Role Analysis) include all risk types. This parameter provides a way to restrict the access risk types in the management reports.

If parameter 1049 is set to *, all three types of access risk types are captured.

If parameter 1049 is set to 1, Segregation of Duties will be captured.

If parameter 1049 is set to 2, Critical Actions will be captured.

If parameter 1049 is set to 3, Critical Permissions will be captured.


1.22  Access Request Validations

The Access Request Validations parameters allow you to make decisions about how to process User Access Reviews.

Overview of Access Request Validations Parameters

Parameter ID  Description  Default Value

5021 Validate the manager ID for the specified User ID YES

5022 Consider the password change in access request YES

5023 Consider details from multiple data sources for missing user details in access requests NO

5024 Enable in-line editing for user group and parameters in Access Request NO

5026 Make system and provisioning actions visible for filtering user assignments for model users NO

5027 Default value for filtering by system <empty>

5028 Default value for filtering by provisioning action <empty>

Details of Access Request Validations Parameters

Param ID  Description Default 

5021

Validate the manager ID for the specified User ID  YES

The application allows you to choose whether to validate the manager ID against the specified user ID when submitting an access request. The application takes the value from the Manager field on the Access Request > User Details page, and checks it against the information from table USR01 in the current system.

Set the value to Yes to enable the validation.

Set the value to No to disable the validation.


Param ID  Description Default 

5022

Consider the password change in access request  YES

On the Access Request screen, users can change their account information including their password. When the request is created and approved, the application sends an email notification to the user.

Set the value to YES to allow users to change passwords in the request.

Set the value to NO to prevent users from changing their passwords in the request.

For more information, see SAP Note 1696143.


Param ID  Description Default 

5023

Consider details from multiple data sources for missing user details in access requests NO

This parameter controls where the system looks for user details when an access request is created using the standard access request method. It does not apply to access requests that are created using templates. The possible values are YES or NO.

The User Details are defined in the SAP IMG under Governance, Risk, and Compliance > Access Control > Maintain Data Sources Configuration.


The application only searches the entries for User Detail Data Sources. There can be several entries in this table.

If the parameter is set to NO, the application obtains the user details from the first connector (User Detail Data Source) where the user exists. It does not check if the user exists in any additional connectors even if it needs more details.

If the parameter is set to YES, the application searches the user details of all data sources where the user exists. For example, if the application finds only partial data from the first data source, it continues to retrieve data from additional data sources until there are no more data sources or until the data for the user is complete.
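The two lookup behaviors of parameter 5023, modeled in Python as an added example (not SAP code). The connector names, field names and records are constructed, and the rule that a value from an earlier data source is never overwritten by a later one is an assumption of this example. The provenance map shows which source supplied each field, which matters when a field such as the manager drives approval routing.

```python
# Fields an access request needs for a user (constructed set for this example).
REQUIRED_FIELDS = ("first_name", "last_name", "email", "manager")

# Ordered User Detail Data Sources as (connector name, directory). Constructed data.
SOURCES = [
    ("LDAP_A", {"JDOE": {"first_name": "Jane", "last_name": "Doe"}}),
    ("HR_B", {
        "JDOE": {"last_name": "Doe-Smith", "email": "jane.doe@example.com",
                 "manager": "MBOSS"},
        "ASMITH": {"first_name": "Al", "last_name": "Smith"},
    }),
]


def resolve_user_details(user_id, sources, consider_multiple):
    """Collect user details the way the guide describes for parameter 5023.

    consider_multiple=False models 5023 = NO: only the first source in which
    the user exists is read, even if fields are still missing afterwards.
    consider_multiple=True models 5023 = YES: later sources fill the fields
    that are still missing, until the record is complete or sources run out.

    Returns (details, provenance, missing):
      details    field -> value
      provenance field -> connector that supplied the value
      missing    required fields no consulted source could supply
    """
    details, provenance = {}, {}
    for connector, directory in sources:
        record = directory.get(user_id)
        if record is None:
            continue  # the user does not exist in this data source
        for field in REQUIRED_FIELDS:
            value = record.get(field)
            # Assumption: the first source that supplies a field wins.
            if value and field not in details:
                details[field] = value
                provenance[field] = connector
        if not consider_multiple:
            break  # 5023 = NO: stop at the first source where the user exists
        if all(field in details for field in REQUIRED_FIELDS):
            break  # 5023 = YES: stop once the data for the user is complete
    missing = [field for field in REQUIRED_FIELDS if field not in details]
    return details, provenance, missing


if __name__ == "__main__":
    for setting in (False, True):
        label = "YES" if setting else "NO"
        print("5023 =", label, resolve_user_details("JDOE", SOURCES, setting))
```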


Param ID  Description Default 

5024

Enable in-line editing for user group and parameter in access request. NO

This parameter applies to the Access Request screen. It enables you to choose whether or not users may freely enter values on the User Group and Parameter tabs or whether they must choose from predetermined values.

Set the value to Yes to allow users to enter any value on the screen.

Set the value to No to force users to choose from predetermined values.

Param ID  Description Default 

5026

Make system and provisioning actions visible for filtering user assignments for model users. NO


Parameter 5026 allows Access Control to display system and provisioning actions that you can use to filter user assignments for model users. You must enter a value of YES or NO.

If you choose NO, the Model User Access screen looks like this:

If you choose YES, the Model User Access screen looks like this:

Recommendation

If this parameter is set to YES, review parameters 5027 and 5028.


Param ID  Description Default 

5027

Default value for filtering by system <empty>

This parameter applies to the Model User Access screen. It enables you to choose a default system for filtering when you define the user access. Valid values are any systems in your landscape. If you leave the field empty, the user access is not filtered by the system.

Note: This parameter is only valid if parameter 5026 is set to YES.


Param ID  Description Default 

5028

Default value for filtering by provisioning action <empty>

This parameter applies to the Model User Access screen. It enables you to choose a default provisioning action for filtering when you define the user access. Valid values are Assign, Remove, Retain, and <empty>. If you leave the field empty, the user access is not filtered by the provisioning action.

Note: This parameter is only valid if parameter 5026 is set to YES.
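The value ranges, recommendations and dependencies this guide states for parameters 2020, 2023/1027, 2024, 1047, 1049 and 5026 to 5028 can be checked mechanically; the following Python lint is an added example, not an SAP tool. The input format (parameter ID mapped to a list of maintained values) and the sample values are constructed, and a parameter missing from the input is treated as its default where this guide gives one.

```python
"""Lint Access Control parameter values against rules stated in this guide."""

YES_NO = {"YES", "NO"}


def first_value(params, pid, default=""):
    """First maintained value for a parameter, trimmed and upper-cased."""
    values = params.get(pid) or [default]
    return values[0].strip().upper()


def lint(params):
    """Return a list of (parameter ID, finding) tuples, sorted by parameter ID."""
    findings = []

    def check_enum(pid, allowed, default):
        value = first_value(params, pid, default)
        if value not in allowed:
            findings.append((pid, f"unexpected value {value!r}"))
        return value

    # 2023 = YES lets SoD reviewers delete roles without the security administrator.
    if check_enum("2023", YES_NO, "YES") == "YES":
        findings.append(("2023", "reviewers can remove roles directly; guide recommends NO"))
        # Dependency stated in the guide. The default of 1027 is not given in
        # this part of the guide, so an absent 1027 is reported, not assumed.
        if first_value(params, "1027") != "YES":
            findings.append(("1027", "must be YES because 2023 is YES"))

    # 2020: empty, or numeric between 0001 and 9999.
    p2020 = first_value(params, "2020")
    if p2020 and not (p2020.isascii() and p2020.isdigit() and 1 <= int(p2020) <= 9999):
        findings.append(("2020", "must be numeric between 0001 and 9999"))

    check_enum("2024", {"", "BADI", "WS"}, "")
    check_enum("1047", {"P", "R"}, "P")
    # The guide lists ALL as the default and * as the value for all risk types.
    check_enum("1049", {"ALL", "*", "1", "2", "3"}, "ALL")

    # 5027 and 5028 are only valid when 5026 is YES.
    p5026 = check_enum("5026", YES_NO, "NO")
    for pid in ("5027", "5028"):
        if first_value(params, pid) and p5026 != "YES":
            findings.append((pid, "has no effect unless 5026 is YES"))
    check_enum("5028", {"", "ASSIGN", "REMOVE", "RETAIN"}, "")

    return sorted(findings)


# Constructed sample inputs; SYS_A is a placeholder system name.
SAMPLE_RISKY = {
    "2023": ["YES"], "1027": ["NO"], "2020": ["10000"], "2024": ["WS"],
    "1047": ["P"], "1049": ["4"], "5026": ["NO"], "5027": ["SYS_A"],
    "5028": ["Assign"],
}
SAMPLE_CLEAN = {
    "2023": ["NO"], "2020": ["0500"], "2024": [""], "1047": ["R"],
    "1049": ["*"], "5026": ["YES"], "5027": ["SYS_A"], "5028": ["Retain"],
}

if __name__ == "__main__":
    for pid, finding in lint(SAMPLE_RISKY):
        print(pid, finding)
```

Run against an empty input, the lint reports 2023 and 1027, because the default of parameter 2023 is YES, the setting this guide does not recommend.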


1.23  Simplified Access Request

The Simplified Access Request parameters control how the Simplified Access Request screen functions.

Overview of Simplified Access Request Parameters

Parameter ID  Description  Default Value

5031 Enable “Open in Advanced Mode” option  YES

5032 Disable Type-ahead search in Simplified Access Request NO

Details of Simplified Access Request Parameters

Param ID  Description Default 

5031

Enable “Open in Advanced Mode” option  YES

This parameter applies to the Simplified Access Request screen. It enables you to choose whether to display the button Open in Advanced Mode.

Set the value to Yes if you want to display the button Open in Advanced Mode on the Simplified Access Request screen.

Set the value to No if you do not want to display the button Open in Advanced Mode on the Simplified Access Request screen.

If 5031=Yes, the screen display looks like the image below. The Open in Advanced Mode button is present.

If 5031=No, the Open in Advanced Mode button is missing as shown in the image below:


The screenshot below shows what users see if they select the Open in Advanced Mode button.


Param ID  Description Default 

5032

Disable Type-ahead search in Simplified Access Request NO

This parameter influences how the search function works when you search for roles during Simplified Access Request.

When you choose the Select Roles for Addition button, you are given a choice to search by User, System, Role, or Key Word. You can also have the system anticipate your search value by setting the parameter value to No. Then, as you enter text, the system finds one or more possible matches for the text and presents these to you as choices.

Set the parameter value to No if you want to use type-ahead search.

Set the value to Yes if you do not want to use type-ahead search.

The image below shows how you access the role search screen.


Choose a search key such as Role.

Begin to type a value. As illustrated below, if parameter 5032 is set to NO, the system proposes possible values from which you can choose.


1.24  Access Control  –  General Settings

The Access Control – General Settings parameters allow customization for business-use.

Overview of Access Control – General Settings Parameters

Parameter ID  Description  Default Value

2401 Allowed extensions for attachments *

2402 Display Change delegation link for delegated user if only GRC-AC application is active. YES

Details of Access Control – General Settings Parameters

Param ID  Description Default 

2401

 Allowed extensions for attachments *

The application allows users to attach files. By default, it allows all file types. You canuse this parameter to restrict the types of files users can attach. To restrict file types:

1. Enter the allowed file types in this parameter. Separate each file type by a comma. For example: docx, pdf, xlsx

2. Implement the BAdI GRFN_DOCUMENT to enable the logic and configure the wording for the error message.

For more information, see SAP Note 2058231.
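The extension check that step 2 calls for, modeled in Python as an added example; it is not SAP code and not an implementation of the GRFN_DOCUMENT BAdI. The function names and the decisions to reject extensionless names, names ending in a dot or space, and names whose final extension is not in the list (such as a double extension) are assumptions of this example.

```python
def parse_allowed_extensions(param_value):
    """Parse the value of parameter 2401.

    Returns None when every file type is allowed ("*", the default), otherwise
    a frozenset of lower-case extensions without the leading dot.
    """
    value = param_value.strip()
    if value == "*":
        return None
    extensions = {part.strip().lstrip(".").lower() for part in value.split(",")}
    extensions.discard("")  # tolerate a trailing comma such as "pdf, docx,"
    return frozenset(extensions)


def is_attachment_allowed(filename, param_value):
    """Decide whether an uploaded file name passes the 2401 allowlist."""
    allowed = parse_allowed_extensions(param_value)
    if allowed is None:
        return True
    # Judge only the last path component, whatever separator the client sent.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Reject control characters and names that some file systems silently
    # rewrite (trailing dot or space), so "tool.exe." cannot pass as "no match".
    if any(ord(ch) < 32 for ch in name) or name != name.rstrip(". "):
        return False
    stem, dot, extension = name.rpartition(".")
    if not dot or not stem:
        return False  # no extension at all, or a bare ".pdf"
    # Only the final extension counts: "invoice.pdf.exe" is an exe file.
    return extension.lower() in allowed


if __name__ == "__main__":
    allowlist = "docx, pdf, xlsx"  # the example value from the guide
    for candidate in ("report.PDF", "invoice.pdf.exe", "notes", "plan.docx "):
        print(candidate, is_attachment_allowed(candidate, allowlist))
```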


Param ID  Description Default 

2402

Display Change Delegation link for delegated user if only GRC-AC application is active. YES

This parameter allows the administrator to hide the Change Delegation link from the end-user. For more information, see SAP Note 2275031.

NOTE: This parameter applies to Access Control only.

• Select YES to display the Change Delegation link.

• Select NO to hide the Change Delegation link.



1081 .............................................................................. 86

1082 .............................................................................. 86

1083 .............................................................................. 87

1084 .............................................................................. 87

1085 .............................................................................. 87

1086 .............................................................................. 87

1087 .............................................................................. 87

1088 .............................................................................. 87

1100 ............................................................................ 119

1101 .............................................................................. 35

1102 .............................................................................. 36

1103 .............................................................................. 36

1104 .............................................................................. 36

1105 .............................................................................. 36

1106 .............................................................................. 36

1107 .............................................................................. 37

1108 .............................................................................. 37

1109 .............................................................................. 37

1110 .............................................................................. 37

1111 .............................................................................. 37

1112 .............................................................................. 38

1113 .............................................................................. 38

1114 ............................................................................ 119

1115 .............................................................................. 38

1120 .............................................................................. 57

1121 .............................................................................. 57

1122 .............................................................................. 57

1123 .............................................................................. 58

1124 .............................................................................. 58

1125 .............................................................................. 58

1126 .............................................................................. 59

1127 .............................................................................. 59

1302 ............................................................................ 102

2004 .............................................................................. 54

2005 .............................................................................. 55

2006 .............................................................................. 55

2007 .............................................................................. 56

2008 .............................................................................. 56

2009 ............................................................................ 103

2010 ............................................................................ 104

2011 ............................................................................ 104

2012 ............................................................................ 107

2013 ............................................................................ 107

2014 ............................................................................ 109

2015 ............................................................................ 110


2016 ............................................................................ 111

2017 ............................................................................ 111

2018 ............................................................................ 112

2019 ............................................................................ 112

2020 ............................................................................ 112

2023 ............................................................................ 113

2024 ............................................................................ 117

2031 .............................................................................. 88

2032 .............................................................................. 89

2033 .............................................................................. 89

2034 .............................................................................. 90

2035 .............................................................................. 90

2036 .............................................................................. 90

2037 .............................................................................. 91

2038 .............................................................................. 91

2039 .............................................................................. 92

2040 .............................................................................. 92

2041 ............................................................................ 115

2042 .............................................................................. 92

2043 .............................................................................. 94

2044 .............................................................................. 94

2045 .............................................................................. 96

2046 .............................................................................. 97

2047 .............................................................................. 98

2048 ............................................................................ 101

2050 .............................................................................. 60

2051 .............................................................................. 41

2052 ............................................................................ 114

2060 .............................................................................. 60

2061 .............................................................................. 61

2401 ............................................................................ 137

2402 ............................................................................ 138

3000 .............................................................................. 66

3001 .............................................................................. 67

3002 .............................................................................. 67

3003 .............................................................................. 67

3004 .............................................................................. 67

3005 .............................................................................. 67

3006 .............................................................................. 68

3007 .............................................................................. 68

3008 .............................................................................. 69

3009 .............................................................................. 70

3010 .............................................................................. 70

3011 .............................................................................. 71

3012 .............................................................................. 72

3013 .............................................................................. 73

3014 .............................................................................. 73

3015 .............................................................................. 74

3016 .............................................................................. 74

3017 .............................................................................. 74

3018 .............................................................................. 74

3019 .............................................................................. 75

3020 .............................................................................. 75

3021 .............................................................................. 78

3022 .............................................................................. 41

3023 .............................................................................. 41

3024 .............................................................................. 78

3025 .............................................................................. 79

3026 .............................................................................. 81

3027 .............................................................................. 81

3028 .............................................................................. 81

3029 .............................................................................. 81

3040 .............................................................................. 83

4000 .............................................................................. 43

4001 .............................................................................. 44

4002 .............................................................................. 44

4003 .............................................................................. 45

4004 .............................................................................. 46

4005 .............................................................................. 46

4006 .............................................................................. 46

4007 .............................................................................. 47

4008 .............................................................................. 48

4009 .............................................................................. 48

4010 .............................................................................. 48

4011 ............................................................................ 120

4012 .............................................................................. 49

4013 .............................................................................. 49

4014 .............................................................................. 49

4015 .............................................................................. 49

4016 ............................................................................ 121

4017 .............................................................................. 50

4018 .............................................................................. 50

4019 ............................................................................ 121

4020 .............................................................................. 51

4021 .............................................................................. 52

5001 ................................................................................ 7

5021 ............................................................................ 124

5022 ............................................................................ 125

5023 ............................................................................ 126

5024 ............................................................................ 129

5026 ............................................................................ 129

5027 ............................................................................ 131

5028 ............................................................................ 132

5031 ............................................................................ 133

5032 ............................................................................ 135

5033 .............................................................................. 53


3.  Copyright

© 2016 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior

notice.

Some software products marketed by SAP AG and its distributors contain proprietary software

components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft

Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,

System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,

S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,

POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,

Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are

trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered

trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web

Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology

invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Explorer, StreamWork, and other SAP

products and services mentioned herein as well as their respective logos are trademarks or registered

trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal

Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned

herein as well as their respective logos are trademarks or registered trademarks of Business Objects

Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products

and services mentioned herein as well as their respective logos are trademarks or registered

trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies.

Data contained in this document serves informational purposes only. National product specifications

may vary.


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

These materials are subject to change without notice. These materials are provided by SAP SE and its

affiliated companies ("SAP Group") for informational purposes only, without representation or warranty

of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.

The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be

construed as constituting an additional warranty.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the

express permission of SAP SE or an SAP affiliate company.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional

trademark information and notices.