Asokkumar Christian, D. Rajen Iyer, Atul Sudhalkar
97
Transcript of Asokkumar Christian, D. Rajen Iyer, Atul Sudhalkar
AsokkumarChristian,D.RajenIyer,AtulSudhalkar
ContinuousControlsMonitoringwithSAP®GRCThisE-Biteisprotectedbycopyright.FullLegalNotesandNotesonUsagecanbefoundattheendofthispublication.
SAPPRESSE-Bites
SAPPRESSE-Bitesprovideyouwithahigh-qualityresponsetoyourspecificprojectneed.Ifyou’relookingfordetailedinstructionsonaspecifictask;orifyouneedtobecomefamiliarwithasmall,butcrucialsub-componentofanSAPproduct;orifyouwanttounderstandallthehypearoundproductxyz:SAPPRESSE-Biteshaveyoucovered.AuthoredbythetopprofessionalsintheSAPuniverse,E-BitesprovidetheexcellenceyouknowfromSAPPRESS,inadigestibleelectronicformat,delivered(andconsumed)inafractionofthetime!
JanetSalmonAccountingEntriesinSAPERPControllingISBN978-1-4932-1301-6|$9.99|89pages
Bryša,Fritzsche,Heß,Jarré,Lövenich,Martin,MüllerTransactionManagerinSAPTreasuryandRiskManagementISBN978-1-4932-1332-0|$12.99|99pages
Bryša,Fritzsche,Heß,Jarré,Lövenich,Martin,MüllerExposureManagement2.0inSAPTreasuryandRiskISBN978-1-4932-1331-3|$9.99|51pages
TheAuthorsofthisE-Bite
AsokkumarChristianhasworkedasanSAPconsultantfor15yearsinvariousrolesasatechnicalconsultant,techno-functionalconsultant,solutionarchitect,SAPGRCSuiteimplementationconsultant,andsecurityarchitect.
D.RajenIyerhasmorethan16yearsofexperienceinsupplychainmanagementapplicationsandimplementations.
AtulSudhalkaristheseniordirectoratSAPLabsforSAPGRC,wherehedefinesproductstrategy,vision,andproductspecificationsforSAP’sGovernance,Risk,andComplianceproducts.
Learnmoreabouttheauthorsathttps://www.sap-press.com/continuous-controls-monitoring-with-sap-grc_4021/authors/.
WhatYou’llLearn
UseSAPGRC’scontinuouscontrolsmonitoring(CCM)toensureyou’reinfullcompliancewithexternalandinternalpolicies.WiththisE-Bite,you’llmastertheins-and-outsofCCMarchitecture,thedifferentdatasourcetypes,howtocreateadatasourceandbusinessrules,andhowtoassigntheserulestocontrols.Learntomaintaincontrolovermasterdata,systemtransactions,andconfigurationparameters!
1CCMataGlance
2ContinuousMonitoringArchitecture
3ConfiguringCCM
4CreatingDataSources
4.1AddingDataSourceInformation
4.2DefiningtheTechnicalDetails
4.3PointingtoaConnector
4.4AddingDocumentation
5CreatingBusinessRules
5.1BasicInformation
5.2FilterCriteria
5.3DeficiencyCriteria
5.4ConditionsandCalculations
5.5TechnicalSettingsandMonitoringRuleBehavior
5.6AdHocQuery
6DataSourceTypesandRelatedRules
7AssigningRulestoControls
8SchedulingMonitoringRules
9StructuredApproachtoContinuousControlsMonitoring
9.1TheNatureofERPControls
9.2TheGoalofMonitoring
9.3EffectiveMonitoring
9.4TheImportanceofProperConfigurationsandMasterDataSettings
9.5Transactions
9.6ReportsandAnalytics
ThisE-BiteisanexcerptfromImplementingSAPGovernance,Risk,andCompliancebyAsokkumarChristian,D.RajenIyerandAtulSudhalkar.
1CCMataGlance
SAPProcessControlhelpscustomerscapturethestructure,intent,utilityandeffectivenessoftheirbusinessprocesscontrols.SAPProcessControlmodelsbusinessprocessesandorganizationalhierarchies,enablingcustomerstorepresenttheirbusinessattheappropriatelevelofgranularityforcompliancemonitoringpurposes.TheircompliancerequirementsarecapturedinregulationandpolicystructuresinSAPProcessControl;controlobjectives,materialityandrelevanceinrelatedstructures,andtheirriskassessmentsandcomplianceplansinstructuredactivitiesaredesignedforthosepurposes.Audittrailsandreportsgathertogetherrelevantinformationfortargetedaudiences(e.g.,whatdidwedolastyeartoachieveSOXcompliance?).
Inthiscontext,continuouscontrolsmonitoring(CCM)helpsassurethat,overtime,businesspracticehasstayedtruetotheoriginaldesignandintentofthesecontrolstructures.Ithelpsgatherandbuildevidenceoftheorganization’scompliancewiththegoalswhichmotivatedthecontrolsinthefirstplace,thushelpingthecustomerprepareforinternalandexternalaudits,executiveandboard-levelreviews,etc.Ithelpsdemonstratediligence:howregularlywereprocessesmonitored,whatstepsweretakentoremedydefects,howquicklywereproblemsaddressed,howorganizedandsystematicwastheapproach,etc.
2ContinuousMonitoringArchitecture
Architecturediagramsservemanydifferentpurposes,fromtechnicaltomarketing.TounderstandhowCCMworksinSAPProcessControl,youmustunderstandhowSAPProcessControlrelatestoothersystemswhenlive.Theliteraturesometimesreferstothisasruntimearchitecture,ordeploymentarchitecture.Figure1showssuchadiagramforSAPGovernance,Risk,andCompliance(SAPGRC)ingeneral.
Figure1SAPGRC10.1intheSystemLandscape
Figure1demonstratesthatSAPProcessControlisseparatefromthebackendsystemsitmonitors,whichappliesevenwhenSAPProcessControlisbeingusedtomonitoranapplicationlocatedinthesameapplicationstack.Thus,monitoringalwaysrequirestheconfigurationofaremoteconnection:SAP’sremotefunctioncall(RFC)protocolsinmostcases,butalsowebservicesconnectionsinothercases.There’sathirdtype,calledlocalsystem,whichisusedonlywhenSAPAccessControlriskanalysisistriggeredfromSAPProcessControlasamonitoringrule.
Overtheyears,customershaveoccasionallyaskedaboutusingSAPProcessControltomonitoritselforotherSAPGRCapplications.Whilethisshouldcertainlybepossible,there’sverylittleinformationaboutscenarioswheresuchSAPGRCself-monitoringwouldaddvalue.Note,however,thateveninsuchscenarios,conceptuallySAPProcessControlwouldstilltreatthemonitoredsystemasremote,requiringoneofthetwosupportedconnectionscenarios(RFCorwebservices).
Functionally,thearchitectureofSAPProcessControlisasshowninFigure2.
Figure2SAPProcessControlComponentModel
UsingCCMfunctionalityfollowsacertainprocessflowinSAPProcessControl,asoutlinedinFigure3andlistedhere:
1. Createthedatasource.
2. Createthebusinessrule.
3. Assignthebusinessruletoalocalcontrol.
4. Scheduletheruletorun.
5. Analyzeandremediatedetectedproblems.
6. Report.
Ifamonitoringruleexecutesandfindsaproblem,itcreatesanissue,whichgetsroutedtocontrolownersforremediation.AllthisisthencapturedinSAPProcessControlaudittrailsandisavailableviareportsanddashboards.
Figure3ContinuousControlsMonitoringProcessFlow
Figure4showstheRULESETUPtabofSAPProcessControl.AsweexplainCCMfunctionalitythroughoutthisE-Bite,we’llrefertovarioususerinterface(UI)pages
fordifferentelements,allofwhichcanbeaccessedfromlinksonthispage.We’llrefertoitaswedescribeeachelementofCCM.
DatasourcesareSAPProcessControlobjectsthatholdinformationaboutaspecificdatasourceinaremotesystemtobemonitored.TheCONTINUOUS
MONITORINGgroupinFigure4(labeled1)hasalinktotheDATASOURCESpage.InSAPGRC,thisisabstractedintotheconnector,whichSAPtraditionalistswillknowbythenameofSM59destination.Therefore,itincludesinformationaboutthesystemaddress,logincredentials,communicationmethod,andsoon.We’llexploredatasourcesinmoredetailinSection4andSection6.
Figure4RuleSetupTabforSAPProcessControl
Businessrulesencapsulatetheactualmonitoringlogic,includingthekeyfunctionalnotionofwhatconstitutesaproblemtoberemedied—adeficiency,inSAPProcessControlparlance.BusinessrulesareaccessedbyalinkintheCONTINUOUSMONITORINGgroupoftheRULESETUPtabofSAPProcessControl1ofFigure4.We’llfurtherexplainbusinessrulesinSection5,Section7,andSection8.
ActualtestingandmonitoringisexecutedviatheSCHEDULER2showninFigure4.Thesetoflinksthereisintendedtobeusedbyauserinatechnicaloradministrativerole,andisconcernedwithscheduling,monitoringandmaintainingbatchjobs.CCMjobshavetwocomponents,onepartwhichrunsontheSAPProcessControlsystem,andarelatedjobwhichexecutesontheremotemonitoredsystem.Whenthingsgowell,theJOBMONITORlinkinthisgroupprovidesapagewhichsufficesfortrackingscheduledrules.Ifthereareproblems,itissometimesnecessarytolookinthelogsofboththeSAPProcessControlsystem,andalsointheremoteormonitoredsystem’slogs.
LegacyAutomatedMonitoringisacompatibilitymoduleusedtorunmonitoringrulescarriedoverfromreleases2.5and3.0.SAPGRCalsodeliveredseveralABAPqueriesdesignedtorunintheSAPGRCplug-insforSAPERP.Linksto
thisfunctionalityarefoundontheRULESETUPtabofSAPProcessControl3inFigure4.ThesewerepopularforearlyadoptersofSAPProcessControl,andthiscompatibilitymoduleismeanttoprovideasmoothtransitionforyou.Infact,ABAP-codedqueriesaredifficulttochange,andinreleases10.0and10.1,SAPGRCenhancedothermonitoringtechniquestoreduceyourneedtorelyonABAP.
TheSAPGRCIntegrationFramework,showninFigure2,isatechnicalcomponentthatunderliesallSAPGRCapplications’communicationswithremotesystems.It’sinvisibletofunctionalusersofSAPProcessControl,butwehaveshownitinthecomponentmodelandmentionitherebecauseitisrelevantwhenmaintainingconfigurations,whichwedescribeinthenextsection.
Beforewediscussdatasourcesandbusinessrulesingreaterdetail,let’slookathowtoproperlyconfigureCCM.
3ConfiguringCCM
CCMrequiresthesetupofvariousconnectors,andtheirassociationwiththedifferentdatasourcetypes.Asalways,configurationbeginsintheSAPstandardIMG,accessedviaTransactionSPRO.AlthoughSAPIMGgenerallyhasitsowndocumentation,theCCMconfigurationsareratherunique,andithelpstowalkthroughtheprocess.Figure5showsthestartingscreen.
Figure5IMGPageShowingContinuousMonitoring
Note
InFigure5,you’llnotetheconfusingfactthatwehavehighlightedanareaofIMGthatisdifferentfromtheonelabeledCONTINUOUSMONITORING.TheINTEGRATIONFRAMEWORKisagroupingofsettingsfundamentaltobothcontinuousmonitoring,andotherGRCRiskManagementandGRCAccessControlfeatureswhichrequirecommunicationwithremotesystems.TheCONTINUOUSMONITORINGsectionofIMG,ontheotherhand,containsnon-criticalsettingswhichareuniquetoSAPProcessControlContinuousMonitoring.
ThefirstnodeinthehighlightedareaofFigure5,CREATECONNECTORS,isjustalinktothestandardTransactionSM59.Becausethat’sstandardSAPNetWeaverfunctionality,wewon’tdescribeitfurtherhere.ThenextlinkintheIMG,MAINTAIN
CONNECTORSANDCONNECTIONTYPES,takesyoutothescreenshowninFigure6,
whichstartsyoudownthepathtodefiningconnectionstoremotesystems.TheINTEGRATIONFRAMEWORKisagroupingofsettingsfundamentaltobothcontinuousmonitoring,andotherRiskManagementandAccessControlfeatureswhichrequirecommunicationwithremotesystems.TheCONTINUOUSMONITORINGsectionofIMG,ontheotherhand,containsnon-criticalsettingswhichareuniquetoSAPProcessControlContinuousMonitoring.Theconnectiontypes1aredefinedwiththedeliveredsoftwareandshouldnotbechanged.
Figure6ConnectorTypes
Thereisnoconfigurationtosetorchangehere;weshowthefigureonlyforyourinformation.NotethatthehighlightedconnectiontypesshownaretheonlyonesSAPProcessControlCCMuses(SAPProcessControl10.1includesonemore,formonitoringSAPHANAsystems).
ThenextstepisDEFINECONNECTORS,whichisinthesameIMGnodeinFigure6.Asyoucansee,thesecondlink2intheDIALOGSTRUCTUREcolumninthefiguredirectsyoutoascreentodefineconnectors.Figure7showstheresultingscreen.
Figure7DefineConnectors
Figure7showsalloftheSAPGRC-relevantTransactionSM59destinationsinthesystem.We’vehighlightedoneofthese,theSMEA5_100TARGETCONNECTOR,whichpointstothebackendSAPERPsystemthatweplantomonitor.Becauseit’sanSAPERPsystem,notethatthesecondcolumn,CONNECTIONTYPE,holdsthevalueSAP—itjustmeansthatRFCistheexpectedcommunicationprotocol.
Again,notethattheotherconnectiontypesvisibleinthesefigures—FILE,EP,andsoon—aren’trelevanttoSAPProcessControlCCMandwon’tbeexplainedfurtherhere.
Noteinparticularthethirdcolumn,SOURCECONNECTOR.Thisisatrickyconceptthatrequirescarefulconfiguration.Thesourceconnectorattributeofaconnectoristhenameofanotherconnector—andthisisthetrickypoint.
InFigure7,thesourceconnectorisSM2,butthatisn’taconnectorinthis(SAPProcessControl)system.Rather,it’sanRFCdestinationintheSAPERPsystempointedtobytheTARGETCONNECTORSMEA5_100.Thissourceconnectorintheremote(monitored)SAPERPsystempointsbacktotheSAPProcessControlsystemthatwe’reconfiguringhere.
Thesourceconnectoris,infact,acallbackchannel.CertainmonitoringrulescauseSAPProcessControltoconnecttotheSAPGRCplug-inonthemonitoredsystem.Inasynchronoussituations,theplug-inneedstocallbacktoSAPProcessControl,andtheinitialcallfromSAPProcessControlintotheplug-insetsthisupbynamingthecallbackconnectortouse.
Torecap,thesourcesysteminthiscaseistheSAPProcessControlsystemwe’reconfiguring.Thereareseveralremotesystemsthesourcesystemcanreach,ofwhichonesystemistobemonitoredviaSAPProcessControlCCMforourpurposes.WerefertothatSAPERPsystemasthetargetsystem,ormonitoredsystem.Theconnectorthatpointstothetargetsystemiscalledthetargetconnector;inourexamplehere,itsnameisSMEA5_100.OneoftheattributesoftheconnectoriscalledSOURCECONNECTOR,whosevalueisthenameofanRFCdestination,whichexistsintheremotetargetsystem.ThatRFCdestinationpointsbacktooursourceSAPProcessControlsystem.ItwillbeusedbytheSAPGRCplug-ininthemonitoredsystemtocallbacktoSAPProcessControl,ifandwhenitneedstodosoduringtheexecutionofaCCMrule.
ThenextstepinconfiguringCCMistoassigntheselectedconnectortotheCCMfunction.CCMcodewasinternallycalledautomatedmonitoringortheAutomatedMonitoringFramework,andthetechnicalnameoftheconnectorgroupisAM.Thisvariationinthenameofthefunctionalityandinternalcodemoduleshascausedsomemildconfusion.ThewaytothinkofthisisthattheautomatedmonitoringcapabilitiesofSAPProcessControlsupportCCMbycustomers.
Now,clickthelastlinkintheDIALOGSTRUCTUREshownearlierinFigure63:ASSIGNCONNECTORSTOCONNECTORGROUPS.Apopupasksyoutoselecttheconnectorgrouptowhichyouwanttoassignconnectors;typeinthename“AM”,
asmentionedearlier.AsyoucanseeinFigure8,theCONNECTORGROUP“AM”hasbeenassignedwiththecorrectconnectiontypeandassignment.
Figure8AssigningaConnectortoaConnectorGroup
Inthiscase,theconnectorofinterest,SMEA5_100,highlightedinFigure8,isalreadyassignedtotheAMgroup.Ifitwerenot,youclicktheNEWENTRIESlinkatthetopofthescreenandaddit.
Next,stepouttotheoriginalIMGdisplayshownearlierinFigure5,andclickontheMAINTAINCONNECTIONSETTINGSnode.Apopupappearsaskingyoutoselecttheintegrationscenario.SelectAM.AscreensimilartoFigure9appears.
Figure9Scenario-ConnectorLink
TherightsideofthefigurelistsnineSUBSCENARIOS,reflectingthedifferenttypesofdatasourcesSAPProcessControl10.0supports;SAPProcessControl10.1supportsanadditionaltypeforSAPHANA(notshowninthefigure).Theimplicationsofthesedifferenttypesareexplainedlater,butfornow,justnotethatforeachdatasourcetype,therelevantconnectorsneedtobeexplicitlyenabled.Thisconfigurationstepaccomplishesthat.
SelecttheSUBSCENARIO(datasourcetype),andthenclickinthelefthalfofthescreenontheSCENARIO-CONNECTORLINK.ThisbringsupascreenlikeFigure10.
Figure10Scenario-ConnectorDetails
Iftheconnectoryouwantisn’talreadyinthelistofconnectorsintheTARGETCONNECTORcolumn,thenyoumustclicktheNEWENTRIESlinkandaddtheconnectoryouwant.
Ingeneral,thislevelofgranularityissomethingofanoverkillfordatasourcetypes.Forinstance,ifthemonitoredsystemisSAPERP,it’shighlylikelythatyou’llwanttoassociateitstargetconnectortoeachofthefollowingdatasourcetypes:CONFIGURABLE,SAPQUERY,ABAPREPORT,andPROGRAMMED.Still,thisishowtheconfigurationIMGissetup,sothisiswhatneedstobedone.Also,datasecurityconsiderationsrequireafinergranularityinconnectorsandtheiraccessprivilegesintheremotesystemstowhichtheyconnect.
FortheoriginalSAPProcessControl10.0release,theSAPBusinessWarehouse(BW)queryDStypecouldonlyconnecttoSAPBWsystemconnectors.WiththenewOperationalDataProvider(ODP)facilityinSAPapplicationsonSAPNetWeaver7.3(orlater),theSAPBWQueryDStypecanalsoconnecttoSAPapplicationsystemsdirectly—sinceServicePack9,SAPProcessControl10(and,ofcourse,SAPProcessControl10.1)supportusingODPtotreatapplicationsystems(suchasSAPERP)asSAPBWquerytargets.ThePIdatasourcetypeworksonlywithSAPProcessIntegration(SAPPI),andthewebservicesconnectorisusedasthecatch-allcategoryforanyothersystemthatcanmatchtheSAP-providedWebServicesDescriptionLanguage(WSDL).SeeSAPNote1549031.
Aswementioned,SAPProcessControl10.1offersanadditionaldatasourcetype,HDB,whichisdesignedformonitoringSAPHANAdatabases,asshowninFigure11.TherearemanynuancestotheuseofSAPHANAastheunderlyingdatabaseforbackendapplicationssuchasSAPERP(oritsuseasananalyticsdatabase).However,we’reconcernedprimarilywithhowtouseSAPHANAasasourceofmonitoringdata.SAPProcessControl10.1enablesthistofitneatlyintotheoverallCCMframework.
Figure11SAPHANADatabaseConnector
TheoddmanoutinthelistofdatasourcetypesistheEVENT(refertoFigure9).Eventsaredifferentfromallothertypesofdatasources,inthataneventoriginatesinexternalsystems.EveryotherdatasourcetypeisinvokedbySAPProcessControleitheronascheduleorwhenausertriggersit;eventsareraisedbyexternalsystemsastheyjudgeappropriate.Sothereisn’treallyaconnectorforit—rather,thereisaninboundwebservice,describedindetailintheuserguidesonSAPServiceMarketplace.
Note
CCMUserGuidesarefoundintheSAPProcessControl10.0releasesectionoftheSAPServiceMarketplaceathttps://service.sap.com/~form/sapnet?_SCENARIO=01100035870000000202&_SHORTKEY=01100035870000735637
We’velookedathowtoproperlyconfigureanddefineaconnectiontypeandensurethatthecorrectconnectorisaffiliated.Nowlet’stakealookathowtocreatedatasources.
4CreatingDataSources
Aswementionedearlier,datasourcesencapsulatemethodsofextractingdatafrombackendsystems.Forthemostpart,theyhavesemanticssimilartoqueriesinthattheyfollowadefinedlogic,takefilterparameters,andreturnresultsofaschemafixedatthetimeofdatasourcedefinition.Basedonthisknownschema,youcandefinebusinessrules(describedinthenextsection).
Asalsomentionedpreviously,SAPProcessControl10.0offeredninetypesofdatasources;SAPProcessControl10.1addsanewtypeformonitoringSAPHANA-baseddata.Inthissection,we’lldescribehowtodefineonespecifictypeofdatasource:SAPQuery.That’sagoodintroductiontothebasicflowofcreatingandusingCCMrules.
Creatingdatasourcesfollowsthissimpleprocess,whichwefirstoutlineandthendescribeindetail:
1. ClicktheCREATEbuttonontheDATASOURCELISTINGpage.
2. Entertheusualinformationsuchasaname,description,validitydates,andsoon.
3. Selectthetypeofdatasourcefromoneofthe10datasourcetypesmentionedearlier.
4. Pointtothemonitoredsystemonwhichtheactualdatawillbefoundviaasuitableconnector(seeSection3).
5. Selectthespecificsourceofthedataonthemonitoredsystem.Thiswilldependonthetypeofdatasourceyouselectedinstep2andwillbedescribedindetailinSection6.
6. Saveandactivatethedatasource.
DatasourcesarecreatedandmaintainedontheDATASOURCESpage,foundintheRULESETUPtabofSAPProcessControl,intheCONTINUOUSMONITORINGarea(refertoFigure4).Notethatcreatingdatasourcesisthefirststepinthesix-stepprocessforCCM,outlinedinFigure2.Figure12showstheDATASOURCEpage.
Figure12DataSourcesList
ClickontheCREATEbuttonasshowninFigure12.ThisbringsupthefirstscreenoftheDATASOURCEcreationprocess,asshowninFigure13.
4.1AddingDataSourceInformation
Asthefirststepincreatinganewdatasource,theinformationinthisscreenisfairlysimple,butitservesasagoodstartingplaceforsomegeneraladvice.ThetitlesofthefollowingsubsectionscorrespondtothelabelsinFigure13.
Figure13DataSourceCreation:Step1
DataSourceandDescription
SAPProcessControlobjectshaveaname,adescription,andanID.TheIDissystem-generatedandisunique.Eventhoughtheseparationofnameanddescriptionsuggeststhatthenamemightbeuniquewhilethedescriptionisfor,obviously,descriptivepurposes,thisisn’tquitecorrect.Thenameitselfisalsotreatedasadescriptorfield,andSAPProcessControldoesn’trequirethenametobeunique.Youshouldtakecaretokeepnamesdistinct;otherwise,youmayhavedifficultytellingapartdifferentdatasources(or,forthatmatter,otherobjects)thathavesimilarnames.
ValidFromandValidTo
Thedatevalidityrangesareforyoutouseasyourbusinessneedsdictate,butthedefaultvalueoftheVALIDFROMfieldisthecurrentdate.Peopletendtoacceptdefaultsunlesstheyhaveclearandspecificreasonstochangethem,andourexperienceisthatthiscausesproblems.Becausethevalidityofmonitoringinactualrulesisgovernedbythedatevalidityofalloftheassociatedobjects(i.e.,datasources,rules,controls,businessprocesses,organizationalstructures,etc.),inadvertentacceptanceofthedefaultvaliditystarthascausedmanyacustomerconfusion.Atypicalsymptomistheinabilitytofindamonitoringruleinvariouscontexts,withnoclearexplanationofwhyanexistingbusinessruleisn’tvisibleallofasudden!Aruleofthumbwefollowistopushthevaliditystartwellbackintothepast,saythefirstofJanuaryafewyearsback.Again,youshouldmakethevaliditystarttobewhatevermakesbusinesssense;however,ifyourbusiness
logicdoesn’tsuggestanythingspecific,it’sbesttomakethisdatethefirstofJanuaryofafewyearsago,givingyourselfsomewiggleroom.
Status
CCMobjectssuchasdatasourcesandbusinessruleshaveaSTATUSfield;thesystemallowsstatusvaluesofNEW,INREVIEW,andACTIVE.Onlyactivedatasourcesareavailableforbuildingbusinessrules(seethenextsection).Butontheotherhand,activedatasourcescan’tbechanged!
Statuschangescanonlygoinstepincrements:NEWtoINREVIEW,INREVIEWtoACTIVE,andviceversa.Forinstance,anewlycreateddatasourcewillbeinstatusNEWbydefault.Theuserhastosaveit,closeit,andreopenittochangethestatustoINREVIEW,andrepeattheprocesstomakeitACTIVE.ExperienceduserstendtochangethestatusfromNEWtoINREVIEWimmediatelyoncreationofadatasourceorbusinessruletoavoidtheannoyanceofanextracycleofediting.
NotealsothatwhileACTIVEdatasourcesandbusinessrulescanbesetbacktoINREVIEW(andthenchanged),thisdemotionfromACTIVEstatusissomewhatrestrictedforobjectsthatarereferencedbyotherobjects.Forinstance,adatasourcemustbeactiveforuserstobeabletodefineabusinessrulethatreferencesit.Afterabusinessruleiscreatedwhichreferencesthatactivedatasource,thestatusofthedatasourcecanbechangedbacktoINREVIEWbutveryfewattributescanbechangedevenso.
SearchTerm
Uptofivesearchtermsortagscanbesetonthedatasource(andalsoonbusinessrulesandsomeotherobjects).ThevaluesofthesearesetintheIMG(seetheIMGnodemarkedCONTINUOUSMONITORINGshownintheprevioussection),andusersmayonlychoosebetweenthetagspreviouslydefinedthere.
4.2DefiningtheTechnicalDetails
Withthesepreliminariesoutoftheway,weproceedwiththebusinessofactuallycreatingadatasource.Thenextstepistodefinethetechnicaldetailsofthedatasource,whichisontheOBJECTFIELDtabofthedatasource.ClicktheOBJECTFIELDtablinkinFigure13,resultinginthescreenshowninFigure14.
Figure14DataSourceStep2:TechnicalSettings
ThefirstactionontheOBJECTFIELDtabistoselectthedatasourcetype(labeledSUBSCENARIO,purportedlyinkeepingwithSAPNetWeaverterminology).SelecttheSAPQUERYtypehere;we’lldiscusstherestlater.
BecauseSAPqueriesonlyexistinSAPABAPapplications,SAPProcessControlautomaticallysetstheCONNECTIONTYPEtoSAPSYSTEMasshowninFigure15.
Figure15DataSourceConfigurationStep2:SAPQueryType
NotethatwhiletheCONNECTIONTYPEfieldlookslikeauser-selectabledropdown,itreallyisn’t.Thenextstepisforyoutoselectaconnector,whichrequiresalittlediversiontoexplainthedesign-timeversusruntimeaspectsofCCMinSAPProcessControl.
CCMis,perhaps,themosttechnicalandchallengingfeatureofSAPProcessControl.Providingearlyvalidationandpromptsiscriticaltoavoiduserconfusion
later,sowherepossible,atdesigntime,SAPProcessControltriestovalidatethecorrectnessofdatasourcesagainstbackendsystems.Oncecreated,atruntime,datasourcescanbeappliedagainstotherbackendsystemsaswell,providedvalidationworks.ThisiswhyyouhavetopointtoaspecificbackendSAPsystemherewhileyouaredefiningthedatasource.
4.3PointingtoaConnector
YournextstepinthisexerciseistopointSAPProcessControltoaconnector(whichisSAPProcessControl’swayofreferringtoamonitoredbackendsystem).TheconnectoryouselectmusthavebeensetuptoworkagainsttheSAPQUERY
datasourcetype(becausethatisourexamplehere).Figure16showsthatSAPProcessControlreliesontheconnectorconfigurationsexplainedinSection3,andoffersonlythoseconnectorsthatapplytoSAPQuerydatasources.
Figure16DataSourceStep2:TargetConnectors
ThennextstepistolookupavailableSAPqueriesbyclickingtheQUERYLOOKUPbuttonshownearlierinFigure14.
InFigure17,notethatyoucansearchforqueriesbyname,usergroup,andqueryarea;wildcardsearchesarealsopossible.Afteryouselectaquery,SAPProcessControlautomaticallylooksuptheassociatedInfoSetsandpopulatestheFIELDSareaofthescreen,asshowninFigure18.
Figure17DataSourceStep1:QueryLookup
Figure18DataSourceStep2:QueryParameters
NotethattheDESCRIPTIONcolumnispopulatedwiththedescriptionextractedfromthequeryInfoSetinthemonitoredsystembutcanbeoverwrittenhereifappropriate.Sometimesit’snecessary—asshowninFigure18,thehighlightedtextiswhatwetypedin,whilethedefaultdescriptionwasjustthetechnicalfieldname.
Thenextstepistoaddadditionalconnectorstothedatasource.Everyadditionalconnectoraddedtoadatasourceshouldpointtoa(presumablydistinct)systemthathasthesamebackendsourceofdata—inourpresentexample,aSAPquery.ThepageforthisisaccessedviatheCONNECTORlink,andthepagethatappearsisshowninFigure19.
Figure19DataSourceStep3:AdditionalConnectors
4.4AddingDocumentation
Thefinalstepistoadddocumentationtothedatasource,ifappropriate.Documentationinthiscasecanbeanattachmentoralinktoadocumentonthenetwork.ThisisaccessedviatheATTACHMENTSANDLINKSlink.
Thenextstep,ofcourse,istosavethenewlycreateddatasource.Afterthis,you’llhavetoreopenittochangetheSTATUStoACTIVE(whichwillrequiretwosteps,ifyouoriginallysavedthedatasourceinNEWstatusratherthanINREVIEW).
Onlyactivedatasourcesareavailableforthenextstep—creatingbusinessrules—whichwedescribenext.
5CreatingBusinessRules
Businessrulesaredesignedtofitparticulardatasources.Theyinvokethedatasource,passingitparametervaluestofilterthedata.Thebusinessrulesthentakethedatareturnedbythedatasource,dosomeprocessingdependingonthetypeofdatasourceinuseandhowthebusinessrulesareconfigured,and,inmostcases,leadtothecreationofaremediationissueifthebusinessrulelogicdeterminesthatthereisadeficiency.
Notethatthereareseveralcaveats—thenatureandbehaviorofabusinessrulecanvaryalot,dependingonthedatasourcetype,typeofanalysisthebusinessruleisdesignedtoperform,andsoon.ThisE-BiteonlypresentsthebusinessrulevariationsrelevanttotheSAPQuerydatasourcetype.Othervariationswillbementionedasrelevanttoothersituations.
Creatingabusinessruleislonger,morecomplicated,andmuchmoredependentonthetypeofdatasourceandbusinessrulebeingdefined.You’llfindithelpfultorememberthat,evenso,theprocessofcreatingbusinessrulesfollowsthesamegeneralsteps:
1. ClicktheCREATEbuttonontheBUSINESSRULESLISTINGpage.
2. SelecttheDATASOURCE(previouslycreatedandactive)onwhichthisbusinessrulewillbebased.
3. Entertheusualgeneralinformation:name,description,validitydates,andsoon.
4. SelecttheCATEGORYandANALYSISTYPEfortherule.
5. Selectwhichdatafields(fromthosemadeavailablebythedatasource)arerelevanttothisbusinessrule.Rememberthatonedatasourcecanservemanybusinessrules,buteachbusinessrulecanchoosetooperateonasubsetofthefieldsthedatasourceprovides.
6. Defineanyfilterstobepasseddowntothedatasource.Forinstance,thebusinessrulemayonlywanttolookatdataforcertaincompanycodes,inaspecificdaterange,andsoon.
7. Definethedeficiencyfields.Thesearefields,onthevaluesofwhichyou’lldefinedeficiencycriteria,whichdeterminewhetherthedatarowinquestionisdeficientandrequiringremediationorreview.
8. Defineanyadditionallogic.ThisrelatestoadvancedBusinessRuleFrameworkPlus(BRF+)features.
9. Examinesometechnicalsettings.Note:youmaybeabletoignorethemformostrules.
10. Testtherulelogicinadhocquerymode.
11. Saveandactivatethebusinessrule.
BusinessRuleFrameworkPlus
BRF+isabusinessrulessystemdevelopedintheABAPStack.Itprovidesacomprehensiveapplicationprogramminginterface(API)anduserinterface(UI)fordefiningandprocessingbusinessrulesbybusinessusertomeetagilebusinessconditionswithoutmuchdependencyontheITdevelopmentteam.
BusinessrulecreationandmaintenanceisdoneontheBUSINESSRULEpage,foundintheCONTINUOUSMONITORINGsectionoftheRULESETUPtabofSAPProcessControl(refertoFigure4).HavingreachedtheBUSINESSRULEpage,youstarttheprocessbyclickingCREATE.ThisbringsupthefirstpageintheBUSINESSRULE
creationwizard,asshowninFigure20.
Figure20BusinessRuleCreationInitialScreen
Thebusinessrulecreationprocessdependsverystronglyonthedatasourcetype,sothefirststepisalwaystoselectthedatasourceforthisbusinessrule.ClicktheSEARCHbuttonnext,whichbringsuptheSEARCHpageshowninFigure21.
Figure21BusinessRuleCreation:DataSourceSearch
ThisSEARCHscreenallowsuserstofiltertheavailabledatasourcesbymanyattributecriteria,asFigure21shows.Italsoallowswildcardsearchesonthename,whichisveryhandy.
Abusinessrulecanonlybebasedononedatasource(althoughadatasourcecandriveanynumberofbusinessrules).Note,too,thateventhoughtheSEARCH
dialogofferstosearchfordatasourcesinanystatus,rulesmayonlybebasedonactivedatasources.
Havingfoundthedatasource,youselectit,andclickOK.Thistakesyoubacktothepreviousscreen,whereyouclickCONTINUE,asshowninFigure22.
Figure22BusinessRuleCreationContinued
Theinformationsoughtinthefirstscreeninthebusinessrulecreationprocessisidenticalforallbusinessruletypes,althoughtheprocessbaratthetopwillshowdifferentstepsforbusinessrulesbasedondifferentdatatypes.We’llfocusonlyontherelevantstepsfortheSAPQueryDStypefornow,andcompletethebusinessrulecreationprocessforthisexample.
Thefollowingsubsectionswalkthroughmostofthestepsoftherulecreationprocess,inthesequenceinwhichtheuserwillseethem.
5.1BasicInformation
Figure23showstheBASICINFORMATIONscreenforthebusinessrulesetup.
TheNAME,DESCRIPTION,STATUS,andVALIDFROM/VALIDTOfieldsmeanthesamehereastheydidforthedatasourcecreationprocess.Becausethesefieldsarefairlyself-explanatory,wewon’tgointofurtherdetailastocompletethesefields.Beyondthefieldssimilartodatasources,theCATEGORYandANALYSISTYPEfieldsshowninFigure23areuniquetobusinessrulesandrequiresomeexplanation.
Figure23BusinessRuleCreation:BasicInformation
ForSAPQuerybusinessrules,therearetwocategories:EXCEPTIONandVALUE
CHECK.ForbusinessrulesofcategoryEXCEPTION,SAPProcessControltreatseveryrowofdataasbeingaproblem,requiringhumanremediation.VALUECHECK
categorybusinessrulescarryfurtherevaluationlogic(describedlaterinthissection),bywhichtheuserwillconfigureSAPProcessControltojudgewhetherrowsreturnedbythebusinessrulerepresentproblemscenarios(calleddeficienciesinSAPProcessControl).
TheANALYSISTYPEdependsontheCATEGORY.FortheEXCEPTIONcategory,twotypesofanalysisareavailable,SETDEFICIENCYINDICATORandREVIEWREQUIRED,asshowninFigure24.
Figure24BusinessRuleExceptionCategoryAnalysisTypes
ThestatusSETDEFICIENCYINDICATORmeanseveryreturnedrowisaproblemscenario,ordeficiency.Inthiscase,allreturnedrowscanbesettoaDEFICIENCY
INDICATOR,whichcanbeoneofLOW,MEDIUM,orHIGH(thedisplaychangestoofferanadditionaldropdownboxforselectingoneofthesevalues).Incontrast,theREVIEWREQUIREDANALYSISTYPEmeansSAPProcessControlwillmakeno
judgmentonthemeaningofthereturneddatabutwillrouteittoahumanforevaluation.
5.2FilterCriteria
VariousparametersintheunderlyingSAPquerythatcanbeassignedfilterconditionsappearonthisscreen,asshowninFigure25.
Figure25BusinessRule:FilterConditions
TypicalfilterfieldsforCCMrulesincludedates,companycode,plantcode,andsoon.ThiswillbesomewhatclearerafterSection7,butthesimplereasonis,whenschedulingmonitoringrules,youcantypicallyfixthesevaluesfromthetesttimeframe,theorganizationalunit,andsoon.
5.3DeficiencyCriteria
Thedeficiencycriteriaistheheartofamonitoringrule.Youdefinecriteriathattheruleengineappliestodatareturnedbythedatasource.Anydatarowsthatmatchthesedeficiencycriteriaareconsidereddeficiencies,alsocalleddefectsorproblemstoberemedied.
Thesimplestdeficiencycriteriaaresetuponasinglefield.YouclickontheSELECT/UNSELECTDEFICIENCYbuttonasshowninFigure26.Notethattobetterhighlightrelevantdetails,Figure26showsboththeoriginalscreenandthemodalpopuptogether;therightsideofthefigureisthepopup.
Figure26BusinessRule:DeficiencyCriteriaSelection
Foreachdeficiencycriterionthusselected,youhaveachoiceoftwoANALYSIS
TYPES:BLANKCHECKandVALUECHECK.BLANKCHECKtellsSAPProcessControlthatablankvalueoftheselectedfieldisadeficiency;VALUECHECKtellsSAPProcessControlthatyouintendtodefinespecificconditionsonthevalueofthedeficiencyfield,whichwillbeconsidereddeficiencies.ThisisshowninFigure27.
NotetheCALCULATEDFIELDbuttonontheDEFICIENCYCRITERIAscreen—thatbuttonhelpssetupadditionalcomputationsusingtheSAPNetWeaverstandardBRF+ruleengine.
Figure27BusinessRule:DeficiencyAnalysisTypes
AfteraVALUECHECKDEFICIENCYfieldisdefined,thelowerhalfofthescreenrequiresconfigurationoftheactualdeficiencyconditions,asshowninFigure28.
Figure28BusinessRule:DeficiencyThresholds
Notethatthreelevelsofdeficiencytypeareonoffer:HIGH,MEDIUM,andLOW.Youcanseetheminthebottomofthefigure,inthefirstcolumn.Customizeddescriptionscanoptionallybesetforeach.Youdon’thavetoconfigureallthree,butyoudohavetoconfigureatleastone.
5.4ConditionsandCalculations
TheCONDITIONSANDCALCULATIONStabrelatestoSAPProcessControlintegrationwiththeSAPNetWeaverBRF+ruleengine.TheSAPProcessControlruledesignercandefinecalculatedfields(i.e.,fieldswhosevaluesaren’tretrievedfromadatasourcebutinsteadcomputedduringtheexecutionoftherule).SAPProcessControlcallsonBRF+tohandlethecomputation,andthistabisusedtosetupthecallstoBRF+andtohandlethevaluesreturnedbyBRF+.
Whendefectsarefound,anissueorcaseiscreated,theproblematicdatarowsarepresentedtotheuser.TheOUTPUTFORMATtabletstheruledesignermakesomesmalladjustmentstohowthedataispresented.Becausetheflexibilityisfairlyminimal,wewon’tfocusonthis.
5.5TechnicalSettingsandMonitoringRuleBehavior
Technicalsettingscontrolhowmonitoringrulesbehaveatruntime.InSAPProcessControl10.1,thissectionhasbeencutdowntojustonesetting—howmanydatarowsareexamined.Thisistheusualperformanceimpactlimiterwithitsadvantages(mainlythatit’seasytospecifyandapplyinthecode)anddisadvantages(relationshipbetweennumberofrowsexaminedandtheactualperformanceimpactvariesbyruleanddatasource).Previousreleasesofferedfiner-grainedcontroloversynchronousversusasynchronousexecutionandwhetherdatafilteringhappensonthemonitoredsystemorontheSAPProcessControlsystem.Butfeedbackfromcustomersandpartnerswasthattheseothersettingsweretootechnicalandconfusing,soinrelease10.1,theyaren’toffered.
Thedefaultnumberofrowstobeexaminedisusually100,whichistoolowforpracticaluse.Ingeneral,settingsuchlimitationsispoorpracticebecauseitsapplicationistechnical,andthesemanticsarethereforearbitrary.Settingtherowsexaminedtozerodisablesthisfeature,forcingSAPProcessControltoexamineallofthedatathatmeetsthefiltercriteria.
Ofcourse,performanceissuescan’tbeignoredbecauseSAPProcessControlcustomerstypicallyliketomonitorproductionbackendsystemsdirectly.
5.6AdHocQuery
Theadhocqueryfacilityisveryusefulforruledesigners.Itallowsyoutoexecutetherule—andhencetheunderlyingdatasourceorquery—immediately,soyoucanverifythatthedataitbringsbackmeetsyourexpectations.Itcanberuninoneoftwomodes,DATACOLLECTIONorAPPLYRULE,asshowninFigure29.
Figure29BusinessRule:AdHocQuery
InDATACOLLECTIONmode,thequeryappliesfiltersasconfiguredbutjustreturnsallofthedatathatthedatasourcefinds.APPLYRULE,incontrast,actuallyappliestherulelogic—anyadditional(BRF+)calculations,deficiencyevaluations,andsoon.APPLYRULEshowsonlyrowsthatarefinallyjudgedtobedeficient.Itshowswhatwouldrouteinanissue,iftheruleweretobescheduledandexecuted.
TheTIMEFRAMEdropdownshowninFigure29requiresadditionalexplanation.Itsbehaviorisn’talwayseasytounderstand.Foronething,it’softenaskedforevenwhentheunderlyingdatasourceorthebusinessruleappliesnotimefiltertothedataitexamines.Sosometimesyou’llbeaskedforavalueforthisfield,anditwillhavenodiscernibleeffectontheresults.
6DataSourceTypesandRelatedRules
Section5describedtheSAPQUERYdatasourcetypeanditsassociatedbusinessrules.Therearenineotherdatasourcetypes,andtheirassociatedbusinessruleshaveseveralcategoriesandanalysistypes.
Figure30showsascreenshotoftheavailabledatasourcetypes.Table1summarizesthedifferentdatatypesandtheirmeanings.
Figure30DataSourceTypes
DropdownText
ShortDescription
ABAPREPORT
ABAPreports—SAPdeliveredorcustom—havelongservedtohelpusersmonitorbusinessprocessesandcompliance.ThisdatasourcetypeinvokesABAPreportsonthemonitoredsystemandpresentstheresultsforuserreviewinSAPProcessControl.
HANA SAPProcessControlcanlookupSAPHANAVirtualDataModel(VDM)viewsandpulldatafromsuchviewsformonitoring.
SODINTEGRATION
InvokesSAPAccessControlriskanalysisasaSAPProcessControlmonitoringrule.
BWQUERY AllowscustomersofSAPBWtousetheiranalyticmodelsasthebasisformonitoring.Particularlyusefulwhenmonitoringrulesrequiresubstantial(inperformanceandcomplexity)analysis,dataharmonizationacrossmultiplesystems,ortheanalysisoflargeamountsofdata.
CONFIGURABLE ThisdatasourceletsusersdefinequeriesintheSAPProcessControlsystemtoberunagainsttablesinthemonitoredsystem.ThequeriesaremuchsimplerthanwhatSAPQuery(SQ01/02)cando,butsoistheuserexperience.Thisalsoavoidsmodificationstothemonitoredsystem,whichisakeyroadblocktoquickdefinition/adjustmentofmonitoringrules.
EVENT EveryotherdatasourcetypeinSAPProcessControlistriggeredfromSAPProcessControl,eithermanuallyorviathescheduler.Events,incontrast,areraisedbysystemsoutsideofSAPProcessControlwhentheyjudgeitappropriate.SAPProcessControlreceivesandprocessesthemastheyarereceived.
EXTERNALPARTNER
ThisisanoutboundwebservicesAPI.Thedesign-timemethodslookupalistofqueriesatthedestinationandthedetails(parameters,results)ofeachquery.TheruntimemethodsinvokethequeryandmakethedataavailabletotheruleengineinSAPProcessControl.
PROCESSINTEGRATION
SAPPIistheSAPstandardIntegrationFramework.CustomersandpartnerscanuseSAPPItocallouttootherapplicationsortoODBC/JDBCsupportingdatabases,andconstructanyquerytheywant.SAPProcessControlcanconnecttoSAPPI,treatingsuchintegrationmodulesasdatasourcesformonitoringpurposes.
PROGRAMMED ReachingbacktotheearliestreleasesofSAPProcessControl,ABAPprogrammedqueriescanbedeployedonbackendsystems.SAPProcessControlcaninvoketheselikeotherrules,andtheirresultsarereturnedtoSAPProcessControlformonitoring.
SAPQUERY SAPQuery(TransactionsSQ01/02)isastandardSAPNetWeaverquerytoolandengine.Widelyused(e.g.,intheAuditInformationSystem),SAPQueryisapowerfulqueryengine.SAPProcessControlcaninvokeSAPqueriesdefinedinbackend(monitored)systemsandpresenttheresultstobusinessrulesformonitoring.
Table1DataTypesandDescription
Havingcreatedabusinessruleandtesteditadhoc,severalmorestepsareneededtousethisruleforCCM.First,therulemustbeassignedtoalocalcontrol,whichprovidestherulewiththepropercompliancecontextinwhichtoexecute.Thisisdescribedinthenextsection.
7AssigningRulestoControls
SAPProcessControlcentralcontrolisattheleafnodeoftheprocesshierarchy.Whenlocalizedtoaparticularorganizationalnode,thecentralcontrolbecomesalocalcontrol.CCMrulescanonlybeassignedtolocalcontrolsviatheBUSINESS
RULEASSIGNMENTlinkintheCONTINUOUSMONITORINGarea.
Figure31showsthepageforassigningrulesto(local)controls.Findyourlocalcontrolbyfilteringonprocess,organizationalunit,previouslyassignedbusinessrules,andsoon,asshowninthetopofthefigure.
Figure31BusinessRuleAssignment:FindLocalControl
NextyoumustclicktheMODIFYbutton,highlightedinFigure31,andthenclicktheADDbutton(justbelowtheMODIFYbutton).Notethattheassignmentoccursinthecontextofoneormoreregulations.Herewe’reabouttoassignitasacross-regulation,orcommonbusinessrule,butit’salsopossibletomaketheassignmentonlyinthecontextofspecificregulation(s).
AfteraCCMruleisassignedtoalocalcontrol,it’sfinallyreadyforactuallymonitoringbackendsystems.Toactuallystartmonitoring,it’snecessarytoscheduletheruleforactualmonitoring,atwhichtimeyou’llspecifywhichsystemtoactuallymonitor,howoften,andsoon.
8SchedulingMonitoringRules
SchedulinghappensfromtheSCHEDULINGareaoftheRULESETUPpage,viatheAUTOMATEDMONITORINGlink.TheCONTINUOUSMONITORSCHEDULERisshowninFigure32.
Figure32ContinuousMonitorScheduler
NotetheQUICKCRITERIAMAINTENANCEarea,shownexpandedinFigure32.Whenthepagefirstcomesup,thisareaiscollapsed,andusersareadvisedtoalwaysverifythattheTIMEFRAMEandYEARsettingsmatchtheirownintentions,orelsetheywillfindthescheduler’sdisplayandbehaviorconfusing.
Inourcontinuingexample,thenextstepistocreateanewjobbyclickingontheCREATEJOBbutton.Figure33showsthefirstpageofthecreatejobprocess.
Figure33AssigningaJobType:CreateJobProcess
NotethattheTIMEFRAMEandYEARaregrayedoutinFigure33.ThesearecopiedfromtheQUICKCRITERIAMAINTENANCEsectionofFigure32andcan’tbechangedhere.ClickingCONTINUEbringsyoutotheCONTINUOUSMONITORSCHEDULERpageshowninFigure34.
Figure34NewJob:Step1
Thereareseveralnoteworthyfeatureshere.First,notethatthetestperiodappearstobeentirelyuptotheuserhere,butinfactmustliewithintheTIMEFRAMEandYEARshownearlierinFigure32.Theuserisfreetouseanysupportedfrequency,buttheFREQUENCYchoicemadeherewillrestricttheuserinthenextstep,whentheuserselectsthebusinessrule(asassignedtoalocalcontrol)toschedule.
ThechoiceofaTARGETCONNECTORherewillsimilarlyrestrictuserstorulesthathavethechosenconnectorassociatedwiththem.Notethatonlyoneconnectorcanbeselected—onejobcanonlyconnecttoonemonitoredsystem.
TheEXECUTIONTYPEofIMMEDIATEislikelyusedmoreoftenfordemonstrationandtestingpurposesthaninactualpractice.Inactualpractice,you’remorelikelytochoosetorunmonitoringjobsattheendofaperiodsuchasweek,month,quarter,andsoon.Andthetimeofexecutionislikelytoreflectyouropinionofwhenthemonitoredsystemisleastlikelytobeunderload.
Thenextsteprequiresyoutoselectaregulation,asshowninFigure35.Evenifyou’reschedulingacross-regulationbusinessrule,youhavetoselectaspecificregulationforwhichmonitoringistonominallyoccur.Youcanthenchoosetosharetheresultswithotherregulations.
Figure35NewJobStep2:Regulation
Finally,thelaststepintheschedulingprocessallowsyoutoselecttheactualcontrol-ruleassignmenttoscheduleformonitoring,asshowninFigure36.InadditiontothesearchfieldsshowninFigure36,allofthechoicesmadesofar—timeframe,year,regulation,andsoon—constrainthesearch.Soiftheresultsarecontrarytoyourexpectation,you’readvisedtogobackandcheckwhetheralloftheexplicitandimplicitsearchconstraintsmatchtheruleandcontrolyouexpectedtosee.Examplesofimplicitsearchconstraintsincludeeffectivedaterangesofrulesandcontrols,schedulertimeframe,whethertherulesinquestionareinactivestatus,andsoon.
TheoverviewofCCMpresentedsofarpresentsaverymechanisticorhow-toapproachtomonitoring.Usefulasthatundoubtedlyistoyou,ourexperiencehasshownthatsuccessinCCMisbestachievedbythosewhobeginwithaclearbusinessgoalfortheirmonitoringefforts,andsystematicallyworktheirwaythroughtheCCMfeaturestofindthebestmeansofimplementingCCM.Inthenextsection,weoffersomehigh-leveladvicetohelpyoufindthebestpaththroughthiscomplicatedbutrewardingtopic.
Figure36NewJobStep3:SelectControls
9StructuredApproachtoContinuousControlsMonitoring
IfyouarenewtoCCM,youmaybeatalosstoknowwheretobegin.Regulatoryandpolicycompliance,frauddetectionandinternalcontrols,processoptimizationandoperationalcontrol,lossprevention,andsomanyotherworthybusinessgoalsmightbenefitfromCCM.Alllinesofbusinesscanprofitablybesubjecttomonitoring,too—HR,finance,supplychain,purchasing,logistics,andsooncanallhaveproblems,andcertainlyallhavetorespondtoregulatoryrequirements,meetinternalcontrolobjectives,andmaybevictimsofsometypeoffraudortheother.
SAPProcessControl10.1offerstendifferentmethodsofmonitoringbackendsystemsandprocesses.Theseoverlapinsomewaysandofferradicallydifferentmonitoringmethodsinotherways.Thesystemrequirements,performancecharacteristics,reliability,timeliness,skillsrequired,andsooncanbeverydifferent,andcustomerssometimesfindthemselvesgoingdownblindalleys.Theystartusingamonitoringtechnique,onlytodiscoverlaterthattheystrayedfaroutsidethesweetspotforthattechniqueandtrespassedwellintotheproperdomainofanother.Suchmisstepscanbecostly—theywastetimeandresources,leadtolostopportunities,andaffectreputations.
OurgoalhereistopresentaphilosophyandapproachtoCCMthathasmotivatedSAPProcessControlforthepastfewreleases.Obviously,thisisn’ttheonlypossibleapproachandgoal,norshoulditbe.Butifnothingelse,itprovidesyouwithoneapproach,withwhichyouarefreetoagreeordisagree;eitherway,wehopereadingthisgetsthoughtsflowing,andideasgerminatinginyourmind.Wehopethathavingreadthis,youcandefineyourownpreferredapproaches.Regardlessofhowcloselyyourapproachmatchesthepresentationhere,wehopetocontributetoyourthinking,andhencetoafruitfulimplementationofCCMinSAPProcessControl.
9.1TheNatureofERPControls
Enterpriseresourceplanning(ERP)processesingeneralfollowcertainpatternsofconfigurationanduse,whichweillustratewithahighlysimplifiedexampleofthepurchasingprocess,asshowninFigure37.
Figure37AbstractModelofthePurchasingProcess
Configurationsdefinewhatoptionsandchoicesareavailableforcreatingrequisitions,whatapprovalandpurchasingauthorizationsaregrantedtowhichusers,whatbudgetaryconstraintsaretobeimposedoncostcenters,whethertolerancesaretobeappliedtodifferencesbetweenPOsandinvoices,andsoon.Masterdatasettingsonvendors,forexample,mightallowaparticularvendor’sinvoicestobeacceptedwithminimalvalidationsorapprovalswhenthereisalong-establishedrelationshipcoupledwithfrequentpurchases.
Thestrengthoflong-establishedandreputedvendorssuchasSAPliesintheextensiveconfigurabilityoftheirprocessesandmasterdata.SAPboasts,withgreatjustification,thatfollowingitsrecommendedbestpracticesleadsitscustomerstohighlyreliablebusinessprocessimplementations.Companypoliciescanbeaccuratelycaptured,sothattransactionsthatviolateyourintentareprevented,withoutcostlyanderror-pronehumancontrolsandintervention.
Suchpreventiveandinherentcontrolsarethebestoptionavailabletobusinesses.Setthesystemsupright,andbadnewsisprevented—thevalueofthatcan’tbeoverstated.
Butwhatiftheconfigurationiswrong?Orworse,whatifaconfigurationisweakenedtoallowabadtransactionthrough,eitherasadeliberatefraudorasamistake?TheentirevaluepropositionofanexpensiveandcomplexERPsolutionrestsoncorrectlyconfiguringtheprocesses.
Asexplainedearlier,thebestcontrolsarethosebuiltintoaprocess.Suchcontrols—configurationsettings,really—allowvalidtransactionsthroughandpreventbadonesfrombeingcreated.Goodapplicationscoverawiderangeofreal-lifebusinessneedsinthisrespect,andgreatonesdosoinmostcases,overarangeofindustriesandlinesofbusiness.
9.2TheGoalofMonitoring
Whereprocessexpertshavefine-tunedERPapplicationstopreciselyreflecttheirbusinessneedsintheconfigurationsandmasterdatasettingsoftheirapplications,thebusinesscomestorelyonthesystemtoremaincomplianttoitsregulatoryneedsandpolicymandates.Thisnodoubtleadstoefficientandleanoperations,butareliabletool,ifcorrupted,cancausegreatharm.
Thefirstgoalofmonitoring,then,istoexplicitlymonitorthoseconfigurationswhich,ifinvalid,wouldcausegreatharm.Misconfiguredsalessettingscanexposethebusinesstoexcessriskofcustomerdefaults;weakenedoversightofvendorpaymentscanleadtofraud.
Insomecases,it’snotthesettingsthemselvesthatneedtobemonitoredbutexcessiveuseofcertainexceptionalsettings.Manybusinessesallowone-timevendoraccountstobeusedtoprocesspaymentsforrareexpensesasanefficiencymeasure.Butpayingthesamevendormultipletimes,orinlargeamounts,violatesthespiritofthisfacility.Quickpaymentstovendorsortardybillingofcustomerscostsverylittleeachtime,butapatternofsuchtransactionscanadduptosignificantcostsovertime.
Largebusinessesorthosethatfrequentlyundertakemergersandacquisitionsfaceanotherchallenge:afragmentedsystemlandscape.ManySAPcustomershavemultipleinstancesofthesameSAPapplicationactiveinproduction.Sometimesthereareevenversionmismatchesbetweentheseapplications.Nosingleconfigurationormasterdatarepositorycanreliablycapturetheintentofthebusiness.Insuchcases,thebusinesstendstodevelopelaboratemanualprocesses,analyticsolutionsviadatawarehousing,oramixofsuchapproachestoensurecompliance.
9.3EffectiveMonitoring
Whatcanyoumonitor?Thepossibilitiesareendless:allaspectsofabusinessaresupportedbyITsystems,andallofthesecanandshouldbemonitored.Monitoringcanbeexpensive:settingupSAPProcessControlandmaintainingthemonitoringscheduleitselfcantakealotofimplementationtimeandexpense.Furthermore,monitoringrulesimposeatimeandmemorycostonthesystemsbeingmonitored:monitoringqueriesusuallyarequicktorunindividually,butthemoreyoumonitor,themoretimeandmemoryburdensareplacedonyoursystems.
Effectivemonitoring,then,mustbeginwitharisk-based,quantitativeapproach.Whatsituationsexposethebusinesstothegreatestriskofnoncompliance?Whichriskshavethelargestimpactintermsoffinanciallosses,fines,reputationloss,andsoon?Astructuredapproachtothesequestionscanquicklyfocustheorganizationonthemostsensitivedatatobemonitored.
Secondly,aclearunderstandingofthebusinessgoalshelpsidentifythebestmethodofmonitoring.Istheproblemcausedbybadtransactionsorimproperconfigurations?Arerolesandauthorizationscleanlycompartmentalized?Afterbadsituationsareidentified,whatcorrectiveactionsarepossible?Howwillthesebeassignedandtracked?Howcantheorganizationlearnandavoidrepeatingpastmistakes?
Acoupleofcustomerexamplesmightmakethisabitclearer.Onelargebottlerinacompetitiveindustrysoughttotracksalesperformancebymeasuringtheratioofthenumberofcustomersrecentlypurchasingtototalnumberofcustomers.Thisiscertainlyavalidmetric,andalownumberpoints,perhaps,toineffectiveorinsufficientmarketing.ButnotethatdetectingthisismoreproperlyaSAPRiskManagementKeyRiskIndicator(KRI)monitoringopportunity—whentheriskisidentifiedastoohigh,theresponseisinitiatedbyuppermanagement,andthestepstakencan’tbetrackedinSAPGRCapplications.
Ontheotherhand,duplicatepaymentstovendors,misconfiguredcreditchecks,laxpaymenttermsenforcement,andsooncanallbetracedtoindividualsettingsortransactions.Thesecanthenbecorrectedattheveryleastgoingforward.Remedialactionscanbeprescribed,assignedtospecificresponsibleindividuals,andtracked.ThesearemoreproperlythedomainofSAPProcessControlCCM.
9.4TheImportanceofProperConfigurationsandMasterDataSettings
Asoutlinedintheprevioussection,properconfigurationsandmasterdatasettingsyieldgreatdividendsbypermittinggoodtransactionsandpreventingbadones.Conversely,misconfigurationsandbadmasterdatasettingsexposethebusinesstoerrorsandfraud,causinglosses,adverseregulatoryaction,fraud,andsoon.
SAPcustomersareparticularlyinterestedintheseexamplesbecauseoneofthebiggestvirtuesofSAPERP(andrelated)applicationsistheirextremedegreeofconfigurability.ElaborateconfigurationsmakeSAPapplicationsdifficulttosetup,butonceproperlyconfigured,SAPapplicationsareextremelyreliable.
SAPGRChasinvestedheavilyindevelopingmonitoringtechniquesspecificallytailoredtosuchsettings.SAPapplicationsofferaveryuniquefeatureforconfigurationsandmasterdata:changetrackingataverydetailedlevel.Indeed,thegranularityofchangetrackingofconfigurationsisitselfconfigurable.
SAPProcessControlcanreconstructpastconfigurationandmasterdatasettingsfromsuchchangelogs,anddoessotransparentlytotheusersofSAPProcessControl.TheruledesignerinSAPProcessControlmerelycapturesthebusinessintentintherule:whatmakesaconfigurationsettingvalid(orrather,howtoidentifyinvalidsettings).SAPProcessControlthenappliesthislogicnotonlytoconfigurationsineffectwhentheruleisrunbuttoreconstructedpastsettingsaswell,overtheentiretesttimeperiod.
Whereappropriate,suchchangelogmonitoringrulesrepresentthebestreturnoninvestmentforSAPProcessControlcustomers.Themonitoringrulesimposeverylittleburdenonthebackendsystem(configurationandmasterdatatablesaren’tlarge),andduetoreliabilityofthechangetrackingmechanisms,therulesneednotrunveryfrequently.
9.5Transactions
Sometimes,it’snotpossibletosetconfigurationsandmasterdatatofullyimplementcontrols.Perhapsthesystemlandscapeisfragmented,withmultiplesystemsimplementingasinglebusinessprocess—acommonenoughsituationinpractice,especiallyforbusinesseswhichoftenundertakemergersandacquisitions.Insomeothercases,thelogicofthecontrolissimplyoutsidethecapabilitiesoftheconfigurations.
Whateverthereason,ifconfigurationormasterdatamonitoringisn’tsufficienttotheneeds,transactionmonitoringistheonlyoption.Thetechniquesaresimilar,exceptthatchangetrackingoftransactionsistypicallyneverenabledfortransactions,primarilyduetohighvolumeofdata.Anotherreasonisthatapplicationsoftenencodespecialmechanismstotrackchangestotransactions,sochangesaretrackedinaseparatetable.
Transactionmonitoringisthenmainlyamatterofqueryingseveraltables,andusuallyinvolvesjoinstomasterdatatables.Thisisthemaindisadvantagetotransactionmonitoring:computationalexpense.SAPGRCadvisescustomerstousethemostefficienttechniquepossiblefortransactionmonitoring,duetotheriskofhighvolumeorcomputationallyexpensivetablejoins.Forinstance,configurablerulesareveryeasyforSAPProcessControluserstosetupandtest.Butbecausetheyinvolveadditionallayersofinterpretation,theyarerarelythemostefficientquerymechanism.SAPQueriesinthebackendaredefinitelymoreefficient.
Insomecases,suchasthoseinvolvingpoolorclustertables,SAP’sOpenSQL(whichunderliesbothSAPProcessControlconfigurablerulesandSAPNetWeaverqueries)isn’tanoption,andABAP-codedqueriesaretheonlychoice.Insomecaseswithmultiplejoins,usingalittleABAPtocleverlysequenceornestSQLcanyieldlargetimesavings.
Inourexperience,it’sbesttostartwithconfigurablerules,wherefeasible,totesttheconceptsonasmalltestsystem.Thenproperperformance/loadtestingmightsuggestashifttoSAPqueries,ABAPreports(seethenextsection),andSAPBWqueries(whereallofthecomputationalburdenisshiftedtoofflinesystems).Withthe10.1release,it’salsopossibletoleveragethehighspeedandlargevolumecapabilitiesoftheSAPHANAin-memorydatabase.
9.6ReportsandAnalytics
Overtheyears,SAPhasdevelopedmanyreportsforSAPERP(andsimilar)customers.ManySAPcustomershavealsoinvestedtimeandmoneytodeveloptheirownreports.Whereused,thesereportspresumablyreflectcustomers’practicesfor(manual)monitoringoftransactions.Ifsuchareportisusefulandperformswellenoughforacustomer’sregularuse,itobviouslyhasvalueasadatasourceforSAPProcessControlCCM.
Analyticsisanotherareawherecontentbeingdeveloped,bySAP,partners,orcustomers,canbeleveragedformonitoring.Thisisespeciallytruewherethemonitoringlogicinvolvesstatisticalanalysisofdatatodeterminedeficiencythresholdsformonitoring.
Usage,Service,andLegalNotes
NotesonUsage
ThisE-Biteisprotectedbycopyright.BypurchasingthisE-Bite,youhaveagreedtoacceptandadheretothecopyrights.YouareentitledtousethisE-Biteforpersonalpurposes.Youmayprintandcopyit,too,butalsoonlyforpersonaluse.Sharinganelectronicorprintedcopywithothers,however,isnotpermitted,neitherasawholenorinparts.Ofcourse,makingthemavailableontheInternetorinacompanynetworkisillegal.
Fordetailedandlegallybindingusageconditions,pleaserefertothesectionLegalNotes.
ServicePages
Thefollowingsectionscontainnotesonhowyoucancontactus.
PraiseandCriticism
WehopethatyouenjoyedreadingthisE-Bite.Ifitmetyourexpectations,pleasedorecommendit.Ifyouthinkthereisroomforimprovement,pleasegetintouchwiththeeditoroftheE-Bite:MeaganWhite.
Wewelcomeeverysuggestionforimprovementbut,ofcourse,alsoanypraise!YoucanalsoshareyourreadingexperienceviaTwitter,Facebook,oremail.
TechnicalIssues
Ifyouexperiencetechnicalissueswithyoure-bookore-bookaccountatSAPPRESS,pleasefeelfreetocontactourreaderservice:[email protected].
AboutUsandOurProgram
Thewebsitehttp://www.sap-press.comprovidesdetailedandfirst-handinformationonourcurrentpublishingprogram.Here,youcanalsoeasilyorderallofourbooksande-books.InformationonRheinwerkPublishingInc.andadditionalcontactoptionscanalsobefoundathttp://www.sap-press.com.
LegalNotes
ThissectioncontainsthedetailedandlegallybindingusageconditionsforthisE-Bite.
CopyrightNote
Thispublicationisprotectedbycopyrightinitsentirety.AllusageandexploitationrightsarereservedbytheauthorandRheinwerkPublishing;inparticulartherightofreproductionandtherightofdistribution,beitinprintedorelectronicform.©2016byRheinwerkPublishingInc.,Boston(MA)
YourRightsasaUser
YouareentitledtousethisE-Biteforpersonalpurposesonly.Inparticular,youmayprinttheE-Biteforpersonaluseorcopyitaslongasyoustorethiscopyonadevicethatissolelyandpersonallyusedbyyourself.Youarenotentitledtoanyotherusageorexploitation.
Inparticular,itisnotpermittedtoforwardelectronicorprintedcopiestothirdparties.Furthermore,itisnotpermittedtodistributetheE-BiteontheInternet,inintranets,orinanyotherwayormakeitavailabletothirdparties.Anypublicexhibition,otherpublication,oranyreproductionoftheE-Bitebeyondpersonaluseareexpresslyprohibited.TheaforementioneddoesnotonlyapplytotheE-Biteinitsentiretybutalsotopartsthereof(e.g.,charts,pictures,tables,sectionsoftext).Copyrightnotes,brands,andotherlegalreservationsmaynotberemovedfromtheE-Bite.
LimitationofLiability
Regardlessofthecarethathasbeentakenincreatingtexts,figures,andprograms,neitherthepublishernortheauthor,editor,ortranslatorassumeanylegalresponsibilityoranyliabilityforpossibleerrorsandtheirconsequences.
Imprint
ThisE-Biteisapublicationmanycontributedto,specifically:
EditorMeaganWhiteCoverDesignGrahamGearyProductionE-BookKellyO’CallaghanTypesettingE-BookSatzPro,Krefeld
ISBN978-1-4932-1341-2
©2016byRheinwerkPublishingInc.,Boston(MA)1stedition2016Allrightsreserved.Neitherthispublicationnoranypartofitmaybecopiedorreproducedinanyformorbyanymeansortranslatedintoanotherlanguage,withoutthepriorconsentofRheinwerkPublishing,2HeritageDrive,Suite305,Quincy,MA02171.
RheinwerkPublishingmakesnowarrantiesorrepresentationswithrespecttothecontenthereofandspecificallydisclaimsanyimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.RheinwerkPublishingassumesnoresponsibilityforanyerrorsthatmayappearinthispublication.
“RheinwerkPublishing”andtheRheinwerkPublishinglogoareregisteredtrademarksofRheinwerkVerlagGmbH,Bonn,Germany.SAPPRESSisanimprintofRheinwerkVerlagGmbHandRheinwerkPublishing,Inc.
AllofthescreenshotsandgraphicsreproducedinthisE-Bitearesubjecttocopyright©SAPSE,Dietmar-Hopp-Allee16,69190Walldorf,Germany.
SAP,theSAPlogo,ABAP,Ariba,ASAP,Duet,hybris,SAPAdaptiveServerEnterprise,SAPAdvantageDatabaseServer,SAPAfaria,SAPArchiveLink,SAPBusinessByDesign,SAPBusinessExplorer(SAPBEx),SAPBusinessObjects,SAPBusinessObjectsWebIntelligence,SAPBusinessOne,SAPBusinessObjectsExplorer,SAPBusinessWorkflow,SAPCrystalReports,SAPd-code,SAPEarlyWatch,SAPFiori,SAPGanges,SAPGlobalTradeServices(SAPGTS),SAPGoingLive,SAPHANA,SAPJam,SAPLumira,SAPMaxAttention,SAPMaxDB,SAPNetWeaver,SAPPartnerEdge,SAPPHIRENOW,SAPPowerBuilder,SAPPowerDesigner,SAPR/2,SAPR/3,SAPReplicationServer,SAPSI,SAPSQLAnywhere,SAPStrategicEnterpriseManagement(SAPSEM),SAPStreamWork,SuccessFactors,Sybase,TwoGobySAP,andTheBest-RunBusinessesRunSAPareregisteredorunregisteredtrademarksofSAPSE,Walldorf,Germany.
AllotherproductsmentionedinthisE-Biteareregisteredorunregisteredtrademarksoftheirrespectivecompanies.
TheDocumentArchive
TheDocumentArchivecontainsallfigures,tables,andfootnotes,ifany,foryourconvenience.
Figure1SAPGRC10.1intheSystemLandscape
Figure2SAPProcessControlComponentModel
Figure3ContinuousControlsMonitoringProcessFlow
Figure4RuleSetupTabforSAPProcessControl
Figure5IMGPageShowingContinuousMonitoring
Figure6ConnectorTypes
Figure7DefineConnectors
Figure8AssigningaConnectortoaConnectorGroup
Figure9Scenario-ConnectorLink
Figure10Scenario-ConnectorDetails
Figure11SAPHANADatabaseConnector
Figure12DataSourcesList
Figure13DataSourceCreation:Step1
Figure14DataSourceStep2:TechnicalSettings
Figure15DataSourceConfigurationStep2:SAPQueryType
Figure16DataSourceStep2:TargetConnectors
Figure17DataSourceStep1:QueryLookup
Figure18DataSourceStep2:QueryParameters
Figure19DataSourceStep3:AdditionalConnectors
Figure20BusinessRuleCreationInitialScreen
Figure21BusinessRuleCreation:DataSourceSearch
Figure22BusinessRuleCreationContinued
Figure23BusinessRuleCreation:BasicInformation
Figure24BusinessRuleExceptionCategoryAnalysisTypes
Figure25BusinessRule:FilterConditions
Figure26BusinessRule:DeficiencyCriteriaSelection
Figure27BusinessRule:DeficiencyAnalysisTypes
Figure28BusinessRule:DeficiencyThresholds
Figure29BusinessRule:AdHocQuery
Figure30DataSourceTypes
Figure31BusinessRuleAssignment:FindLocalControl
Figure32ContinuousMonitorScheduler
Figure33AssigningaJobType:CreateJobProcess
Figure34NewJob:Step1
Figure35NewJobStep2:Regulation
Figure36NewJobStep3:SelectControls
Figure37AbstractModelofthePurchasingProcess
Footnotes
