GRC 10.0 - Post Installation Guide

GRC 10.0 Post-Installation

Customer Solution Adoption

June 27th 2011

Version 1.4

Purpose of this document

This guide covers the basic steps required for the post-installation of GRC

in general, before performing the solution specific (e.g. AC, PC or RM)

post-installation tasks.

© 2011 SAP AG. All rights reserved. 3

Disclaimer

This presentation outlines our general product direction and should not be relied on in

making a purchase decision. This presentation is not subject to your license agreement

or any other agreement with SAP. SAP has no obligation to pursue any course of

business outlined in this presentation or to develop or release any functionality

mentioned in this presentation. This presentation and SAP's strategy and possible future

developments are subject to change and may be changed by SAP at any time for any

reason without notice. This document is provided without a warranty of any kind, either

express or implied, including but not limited to, the implied warranties of

merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no

responsibility for errors or omissions in this document, except if such damages were

caused by SAP intentionally or grossly negligent.


Topics

1.Client Copy

2.Activating Applications in Client

3.Check SAP ICF Services

4.Activating BC Sets

5.Creating the Initial User in the ABAP System

6.Activate Profile of Roles Delivered by SAP

7.Activate Common Workflow


Client Copy

For more information specific to GRC 10.0, see SAP Note: 1505255.

See http://help.sap.com and search for Client Copy.

http://help.sap.com/


Topics

1.Client Copy








Activating Applications in Client 1/3

Call the customizing with transaction

SPRO

Choose SAP Reference IMG

Expand the Governance, Risk and

Compliance > General Settings node

and choose Activate Applications in

Client



Choose New Entries



Click the first row and select the GRC solution(s) required for your project

Then choose the Active checkbox

Click Save

Note: you may have to create a transport request


Topics

1.Client Copy








Check SAP ICF Services 1/4

Call transaction SICF

Click the Execute icon



Expand the node default_host -> sap -> public

Right click public and choose Activate Service

Choose Activate Service for all sub-nodes



Proceed likewise with the node default_host -> sap -> bc

Activate all sub-nodes too



Now activate the node default_host -> sap -> grc

Also activate all sub-nodes


Topics

1.Client Copy








Activating BC Sets 1/5

Call transaction SPRO again

Click SAP Reference IMG

Click Existing BC Sets in the next screen



Select a BC Set

Click “BC Sets for Activity”



From the menu choose Goto Activation Transaction

These BC sets can also be activated via transaction code SCPR20



Activate the corresponding BC sets.

Proceed likewise for all required PC, RM, and/or AC BC sets

For a complete list of BC Sets please refer to the PC/RM/AC install guide!



When activating always use “Expert” mode


Topics

1.Client Copy








Creating the Initial User in the ABAP System

Call transaction SU01, create a user

Assign following role to access GRC applications, such as AC

SAP_GRC_FN_BASE

Assign following power user role to the person doing the customization of the product

SAP_GRC_FN_ALL

Assign following role to the business users

SAP_GRC_FN_BUSINESS_USER

Assign following role if you use NWBC as front end UI instead of Portal

SAP_GRC_NWBC


Topics

1.Client Copy








Activate Profile of Roles Delivered by SAP

• Activate profile of roles delivered by SAP via transaction PFCG if you want to use them

directly

• For the list of the roles, please refer to Security Guide - here is an example of the SAP-GRC-

NWBC role

• Please use transaction “SUPC” for mass profile generation in case you want to generate

profiles for multiple roles


Topics

1.Client Copy








Activate Common Workflow

Call transaction SPRO again

Click SAP Reference IMG

Access Workflow node under

Governance, Risk and Compliance >

General Settings

Execute Perform Automatic Workflow

Customizing



Perform Automatic Workflow Customizing (1/2)

Execute Perform Automatic

Workflow Customizing

Make sure that all tasks are green

after the generation as show in the

screenshot

Note: you may have to create a

transport request

During the activation procedure you

might receive an error message,

then check the created system user

„WF-BATCH“ in SU01 if the user

has sufficient roles assigned – see

SAP Note 1251255 and the GRC

Security Guide.

You may need to run program

RHSOBJCH to fix HR control tables

https://service.sap.com/sap/support/notes/1251255



Perform Automatic Workflow Customizing (2/2)

Maintain the Prefix Numbers to your needs or like shown in the screenshot



Perform Task-Specific Customizing 1/5

Execute Perform Task-

Specific Customizing

Expand the GRC node.

Click the Assign Agents

link at the right side of the

GRC node.

Note: if no folders are visible below the “GRC“ folder please run report “RS_APPL_REFRESH” in SE38




Assign Task as General

Task via Task Attribute.

Make sure all tasks that are

not using Background

task have been assigned

as General Task.




Click Activate event

linking




Click the Properties

icon

Set the Linkage

Status to No

errors

Make sure Event

linkage activated

is checked.

Set Error feedback

to Do not change

linkage

Be sure to activate

all WS.




Repeat the first four

steps to activate the

solutions you need (e.g.

for Access Control

“GRC-AC”)

Note: task-specific

customizing for GRC-AC

is not available in case

you have the GRC plug-

ins installed in your GRC

system, check the

Appendix for perfoming

the customizing in this

case


Activate Crystal Reports

In IMG you need to

check this option to be

able to see report

tables also as Crystal

Reports


Appendix – Task-Specific customizing with plugins

In case you have the GRC plugins installed also in the central GRC instance the

task-specific customizing for Access Control is not visible in IMG as shown below.



Event Linkage (1/2)

Go to transaction SWE2 and maintain the following linkages by double clicking on

each line in Change mode.



Event Linkage (2/2)

Set these parameters per event linkage item



Assign Agents (1/4)

Go to transaction PFTC and select the type and task as shown below, you need

to repeat the whole process for each item.

Access Request Approval Workflow WS76300056

User Access Review Workflow WS76300082

Function Approval Workflow WS76300084

Mitigation Control Maintenance WS76300088

Risk Approval Workflow WS76300085

SOD Risk Review Workflow WS76300081

Role Approval Workflow WS76300080

Fire Fighter Log Report Review WF WS76300089

Control Assignment Approval Workflow WS76300087

Role Assignment Review Workflow WS76300086

Display Approval webdynpro Appl TS 76307918

Display Role Approval App TS 76307944

user access review approval task TS 76307964

Role approval UI task TS 76307966

GRAC Read Stage TS 76307967

GRAC Read Stage TS 76308011

GRAC Diaplay Approval for AR TS 76308013

Access Request Approval dialog TS 76308021

Access Request Approval dialog TS 76308026

SPM Audit Review Approval TS 76308028

RAR Rule for Function Approval TS 76308029


Display Approval webdynpro RAR Risk TS 76308038


Role assignement dialog step TS 76308056

Control assignment approval dialog TS 76308057



Assign Agents (2/4)

Then go to Additional Data Agent assignment Maintain. If the “Transfer

container elements” window shows answer always “No”



Assign Agents (3/4)

Now select “Attributes” and change the task to General Task



Assign Agents (4/4)

After you have changed all tasks you need to activate the workflows tasks using

transaction SWDD


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

© 2011 SAP AG. All rights reserved

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

GRC 10.0 - Post Installation Guide

Documents

Transcript of GRC 10.0 - Post Installation Guide