AC 10.0 Pre-Implementation
From Post-Installation to First Risk Analysis
Customer Solution Adoption
April 11th 2011
Version 1.0
Purpose of this document
This document allows implementation consultants and administrators to
set up the functionality required for running a user level risk analysis after
the post-installation has been finished. It is by no means a
comprehensive guide for setting up the Access Risk Analysis component;
rather, it lets you test that the application is working properly by setting up a
basic test case.
© 2011 SAP AG. All rights reserved.
Disclaimer
This presentation outlines our general product direction and should not be relied on
in making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy
and possible future developments are subject to change and may be changed by
SAP at any time for any reason without notice. This document is provided without a
warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or non-
infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly
negligent.
Agenda
Requirements
o Verifying default configuration parameters
o Adding connector to AUTH scenario
Rules
o Setting up rule sets
o Generating rules
Jobs
o Synchronizing authorizations
o Synchronizing repository
Running the first risk analysis
Additional Tasks
o Creating a Root Org entry
o Setting up Batch Risk Analysis
o Setting up Action Usage
o Transporting rules
Requirements
o Verifying default configuration parameters
o Adding connector to AUTH scenario
Verifying default configuration parameters
Please check the configuration and make sure you have at least these parameters
configured. The rest can be set according to your needs:
Adding connector to AUTH scenario
To perform a risk analysis, the AUTH scenario must be linked to the
connector. This is done via IMG:
Rules
o Introduction
o Enabling the right rule set
o Assigning connectors to the rule sets
o Generating rules
Setting up rule sets: Introduction
Rule sets are enabled using BC sets via transaction code SCPR20.
It is required beforehand to enable GRAC_RA_RULESET_COMMON as shown in
the post-installation deck.
This only applies if you want to use the rule set(s) provided by SAP.
Setting up rule sets: Enabling the right rule sets
The following rule sets are available via SCPR20. Notice that each rule set is
activated and linked into a separate logical group (technical name in brackets):
GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)
GRAC_RA_RULESET_SAP_HR: Rules for HR only (SAP_HR_LG)
GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)
GRAC_RA_RULESET_SAP_BASIS: Rules for Basis (SAP_BAS_LG)
GRAC_RA_RULESET_SAP_APO: Rules for APO (SAP_APO_LG)
GRAC_RA_RULESET_SAP_CRM: Rules for CRM (SAP_CRM_LG)
GRAC_RA_RULESET_SAP_ECCS: Rules for ECCS (SAP_ECC_LG)
GRAC_RA_RULESET_SAP_SRM: Rules for SRM (SAP_SRM_LG)
GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)
GRAC_RA_RULESET_ORACLE: Rules for Oracle Apps (ORACLE_LG)
GRAC_RA_RULESET_PSOFT: Rules for PeopleSoft HRMS (PSOFT_LG)
Setting up rule sets: Assigning connectors to the rule sets
In order to use the enabled rule set, connectors need to be assigned to the
respective logical group in IMG in the following path:
Setting up rule sets: Assigning connectors to the logical groups
Then select a logical group and go to “Assign Connectors to Connector Groups” to
link a system
Generating Rules
Then generate the rules by going to IMG under Governance, Risk and Compliance >
Access Risk Analysis > SoD Rules > Generate SoD Rules.
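
As an added example (not part of the SAP deck), the following Python check cross-checks the prerequisites from the Requirements and Rules slides before rules are generated: GRAC_RA_RULESET_COMMON is active, each activated rule set's logical group has a connector, and each of those connectors is linked to the AUTH scenario. The function name, the input shapes and the connector names are assumptions; the inputs are constructed sample data standing in for values read from SCPR20 and the IMG.

```python
# BC set -> logical group, as listed on the "Enabling the right rule sets" slide.
RULESET_GROUP = {
    "GRAC_RA_RULESET_SAP_R3": "SAP_R3_LG",
    "GRAC_RA_RULESET_SAP_HR": "SAP_HR_LG",
    "GRAC_RA_RULESET_SAP_NHR": "SAP_NHR_LG",
    "GRAC_RA_RULESET_SAP_BASIS": "SAP_BAS_LG",
    "GRAC_RA_RULESET_SAP_APO": "SAP_APO_LG",
    "GRAC_RA_RULESET_SAP_CRM": "SAP_CRM_LG",
    "GRAC_RA_RULESET_SAP_ECCS": "SAP_ECC_LG",
    "GRAC_RA_RULESET_SAP_SRM": "SAP_SRM_LG",
    "GRAC_RA_RULESET_JDE": "JDE_LG",
    "GRAC_RA_RULESET_ORACLE": "ORACLE_LG",
    "GRAC_RA_RULESET_PSOFT": "PSOFT_LG",
}
COMMON = "GRAC_RA_RULESET_COMMON"  # must be enabled before any rule set


def preflight(active_bc_sets, group_connectors, auth_connectors):
    """Return findings to resolve before generating rules (hypothetical helper)."""
    active = set(active_bc_sets)
    rulesets = [bc for bc in RULESET_GROUP if bc in active]  # deck order
    findings = []
    if rulesets and COMMON not in active:
        findings.append(f"{COMMON} is not active")
    for bc in rulesets:
        group = RULESET_GROUP[bc]
        connectors = group_connectors.get(group, [])
        if not connectors:
            findings.append(f"{bc}: no connector assigned to {group}")
        for conn in connectors:
            if conn not in auth_connectors:
                findings.append(f"{bc}: {conn} not linked to AUTH scenario")
    # Connectors placed in an SAP logical group whose rule set was never
    # activated are not covered by any of the activated SAP rule sets.
    used = {RULESET_GROUP[bc] for bc in rulesets}
    for group, connectors in sorted(group_connectors.items()):
        if connectors and group in RULESET_GROUP.values() and group not in used:
            findings.append(f"{group}: connectors assigned, rule set not active")
    return findings


# Constructed sample configuration; connector names are hypothetical.
SAMPLE_ACTIVE = ["GRAC_RA_RULESET_SAP_R3", "GRAC_RA_RULESET_SAP_CRM"]
SAMPLE_GROUPS = {"SAP_R3_LG": ["ECCCLNT100"], "SAP_SRM_LG": ["SRMCLNT100"]}
SAMPLE_AUTH = {"SRMCLNT100"}

if __name__ == "__main__":
    for line in preflight(SAMPLE_ACTIVE, SAMPLE_GROUPS, SAMPLE_AUTH):
        print(line)
```
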
Jobs
o Synchronizing authorizations
o Synchronizing repository
Jobs: Synchronizing authorizations
In IMG go to Access Control > Synchronization Jobs and run Authorization Sync
(program GRAC_PFCG_AUTHORIZATION_SYNC). It is recommended that you run it in
the background. This program contains three jobs: Org. Value sync, Transaction Sync
and Objects sync.
Note: You need to specify the language(s) of the profiles you wish to synchronize.
Jobs: Synchronizing repository
In the same path, now go to Repository Object Sync (program
GRAC_REPOSITORY_OBJECT_SYNC). It is recommended that you run it in the
background.
Note: You need to specify the language(s) you wish to synchronize. The first run
should be done in Full Sync mode; after that, Incremental Sync can be scheduled.
Running the first risk analysis
Now you should be able to run a risk analysis. Go to the Access Management
work center and run a User Level Risk Analysis on a specific user.
Additional Tasks
o Creating Root Org entry
o Setting up Batch Risk Analysis
o Setting up Action Usage
o Transporting rules
Additional Tasks: Creating Root Org entry
Before creating mitigating controls, you need to create a Root Org entry. This replaces
the Business Units in previous AC versions. Navigate to the IMG under Shared
Master Data Settings and create a Root Org as shown below:
Additional Tasks: Setting up Batch Risk Analysis
Batch Risk Analysis can be scheduled using transaction GRAC_BATCH_RA (or
program GRAC_BATCH_RISK_ANALYSIS). The options available are the same as in
AC 5.3.
Note: You can monitor the batch risk analysis job with transaction
GRACRABATCH_MONITOR. Please apply SAP Note 1551230 before using this transaction.
Additional Tasks: Setting up Action Usage
It is possible to view the action usage in different reports in AC 10.0. To show this
information, go to IMG > Access Control > Synchronization and run
Action Usage Sync (program GRAC_ACTION_USAGE_SYNC).
Additional Tasks: Transporting Rules
Rules can be transported via transaction GRAC_RULE_TRANSPORT. This will
trigger a transport request to the systems configured in TMS.