September, 2009

Regional Implementation Group

Document Version 2.0

SAP BusinessObjects Risk Management 3.0

Security Concepts

Intended Audience and Purpose

© SAP 2008 / Page 2

This document is intended for use by Technical Consultants, Solution Consultants and System Administrators. Its purpose is to give a general overview of the various roles in the frontend, the backend and the application, showing how they interact with each other to enable employees to perform their daily duties and to form the security for the Risk Management application.

Roles in Risk Management 3.0


Risk Management 3.0 has three places where roles are defined to form the authorizations necessary for the users to perform their functions.

The Back-end

The back-end roles enable the user to perform basic tasks in the Portal front-end. The back-end roles also allow power users to perform any configuration changes needed. The back-end roles are defined in the ABAP back-end system.

The Front-end

As with all applications that use the Portal, a user must be created on the Portal and a role must be assigned to that user. The front-end user ID and the back-end user ID must be identical unless the UME is shared (in which case they are identical by nature).

The Application

A new concept for Risk Management is the introduction of the application role. This role is defined on the organization structure or on the Risk or Activity itself and controls what the users can and cannot see in the application. This is done in the application on the Portal.

Back-end: ABAP Specific Roles


The following roles must be used for every business user. Without them, the users will see a basic menu structure in the Portal and nothing more:

SAP_GRC_FN_BASE

SAP_GRC_FN_BUSINESS_USER


Back-end: Other ABAP Roles

SAP_GRC_FN_ALL

This is the power user role. The role can access both the front end and the back end. It does not use entity-level security and therefore bypasses the authorizations from the SAP_GRC_FN_BUSINESS_USER role; because of this it should be treated as a privileged role and assigned only to genuine power users.

SAP_GRC_FN_DISPLAY

This role is used for entity-level authorization to grant display access for all entities without a role assignment on the org. structure.

SAP_GRC_RM_CUSTOMIZING

This role can access the NetWeaver ABAP Server. It contains all the authorizations necessary to perform the customizing settings for the application.

Front-end: Portal Specific Role


The following role must be used for every Portal user. Without it, there will be nothing for the users to see in the Portal, not even a menu:

GRC Risk Management - pcd:portal_content/com.sap.pct/com.sap.grc.rm.Enterprise_Risk_Management/com.sap.grc.rm.roles/com.sap.grc.rm.Role_All

Front-end: Portal Content Permissions


Content Administration -> Portal Content -> Portal Content

Right click on Enterprise Risk Management

Open -> Permissions

The User or Group should be assigned no administrator rights (i.e. "none") and the "End User" flag should be set.

Once the User has been maintained here, they will have the ability to access the Portal content.

Users have to be given permission to view the Portal content. This is a security feature at the Portal level.

Application Specific Roles


The Application Roles are created using transaction PFCG in the ABAP Back-end. Their usage is defined in the IMG and assigned in the application.

Application Roles - Definition

This is done in the IMG by the implementation team in the Back-end system. The path for this transaction is: GRC Risk Management -> General Settings -> Maintain Entity Role Assignment. This transaction defines where the application roles appear in the Risk Management application.

Application Roles - Assignment

This is done by the Business Users on the Front-end in the application itself. Roles can be assigned to users on the Organization Structure or on the Risk / Activity / Opportunity.

Users assigned to roles on the Org. Structure are able to see the node they have been assigned to and perform the tasks associated with the roles at that node. They are also able to display the nodes above the one they are assigned to.

Users not defined on the Org. Structure are not entitled to view the Org. Structure, but are able to view the Risks, Opportunities or Activities they are assigned to.

Application Specific Roles: Definition


Corporate roles are defined at the root node and roles assigned to users here are valid through the whole org structure. These roles do not appear in lower level nodes.

Orgunit roles appear in the nodes below the root node. Roles assigned to users here are valid for that node and, as of SP04, for the lower nodes beneath it.

The Activity, Opportunity and Risk roles are not assigned on the Organization Structure, but on the Activity, Opportunity and Risk respectively.

Setting the "Unique" flag restricts the role to a single user per entity. This means, for example, that if the flag is set for "Risk Owner", each risk has only one Risk Owner. Of course, there are as many risk owners as there are risks.
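The entity-level rules on the last few slides (corporate roles at the root valid for the whole structure, orgunit roles valid for their node and, as of SP04, the nodes below it, entity roles assigned on the Risk / Activity / Opportunity itself, the "Unique" flag, display of the nodes above an assignment, no org structure at all for users who are only assigned on an entity, and the way SAP_GRC_FN_ALL and SAP_GRC_FN_DISPLAY sit outside entity-level security) can be checked against a small model. The following Python is an added example written for this page, not SAP code: the org tree, the users, the entity IDs and the rule that an org-structure role also covers the entities of the nodes it spans are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Level(Enum):
    CORPORATE = "corporate"  # defined at the root node, valid for the whole org structure
    ORGUNIT = "orgunit"      # defined below the root, valid for that node and (SP04+) the nodes below
    ENTITY = "entity"        # assigned on the Risk / Activity / Opportunity itself


@dataclass(frozen=True)
class Role:
    name: str
    level: Level
    unique: bool = False     # the 'Unique' flag: at most one user per entity


@dataclass
class Model:
    parent: Dict[str, Optional[str]]      # org structure as node -> parent (root has None)
    entity_unit: Dict[str, str]           # entity -> org unit it belongs to (assumption)
    org_assign: List[Tuple[str, Role, str]] = field(default_factory=list)
    entity_assign: List[Tuple[str, Role, str]] = field(default_factory=list)
    backend_roles: Dict[str, Set[str]] = field(default_factory=dict)   # user -> ABAP roles

    def root(self) -> str:
        return next(n for n, p in self.parent.items() if p is None)

    def ancestors(self, node: str) -> List[str]:
        out, p = [], self.parent[node]
        while p is not None:
            out.append(p)
            p = self.parent[p]
        return out

    def subtree(self, node: str) -> Set[str]:
        return {n for n in self.parent if n == node or node in self.ancestors(n)}

    def assign_org_role(self, user: str, role: Role, node: str) -> None:
        """Corporate roles exist only at the root, orgunit roles only below it."""
        if role.level is Level.ENTITY:
            raise ValueError(f"{role.name} is assigned on the entity, not the org structure")
        if role.level is Level.CORPORATE and node != self.root():
            raise ValueError(f"{role.name} is a corporate role; it does not appear below the root")
        if role.level is Level.ORGUNIT and node == self.root():
            raise ValueError(f"{role.name} is an orgunit role; it does not appear at the root")
        self.org_assign.append((user, role, node))

    def assign_entity_role(self, user: str, role: Role, entity: str) -> None:
        """Entity roles go on the Risk / Activity / Opportunity; Unique allows one holder."""
        if role.level is not Level.ENTITY:
            raise ValueError(f"{role.name} is assigned on the org structure, not on an entity")
        if role.unique and any(r == role and e == entity and u != user
                               for u, r, e in self.entity_assign):
            raise ValueError(f"{role.name} is flagged Unique and {entity} already has one")
        self.entity_assign.append((user, role, entity))

    def covered_nodes(self, user: str, sp04: bool = True) -> Set[str]:
        """Nodes where the user can perform the tasks of an org-structure role."""
        nodes: Set[str] = set()
        for u, role, node in self.org_assign:
            if u == user:
                nodes |= self.subtree(node) if (role.level is Level.CORPORATE or sp04) else {node}
        return nodes

    def displayable_nodes(self, user: str, sp04: bool = True) -> Set[str]:
        """Covered nodes plus the nodes above them (display only); empty for a user
        who is not on the org structure at all."""
        nodes = self.covered_nodes(user, sp04)
        for n in list(nodes):
            nodes |= set(self.ancestors(n))
        return nodes

    def can_view_entity(self, user: str, entity: str, sp04: bool = True) -> bool:
        be = self.backend_roles.get(user, set())
        if "SAP_GRC_FN_ALL" in be or "SAP_GRC_FN_DISPLAY" in be:
            return True   # FN_ALL bypasses entity-level security; FN_DISPLAY grants display on all
        if any(u == user and e == entity for u, _, e in self.entity_assign):
            return True   # assigned directly on the Risk / Activity / Opportunity
        # assumption: an org-structure role also covers the entities of the nodes it spans
        return self.entity_unit[entity] in self.covered_nodes(user, sp04)


def demo() -> dict:
    # constructed sample data: a three-level org structure and two risks
    m = Model(parent={"Corporate": None, "EMEA": "Corporate", "DE": "EMEA", "APJ": "Corporate"},
              entity_unit={"R-1": "DE", "R-2": "APJ"})
    crm = Role("Central Risk Manager", Level.CORPORATE)
    urm = Role("Unit Risk Manager", Level.ORGUNIT)
    risk_owner = Role("Risk Owner", Level.ENTITY, unique=True)
    m.assign_org_role("alice", crm, "Corporate")
    m.assign_org_role("bob", urm, "EMEA")
    m.assign_entity_role("carol", risk_owner, "R-2")          # carol is not on the org structure
    m.backend_roles["dave"] = {"SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER", "SAP_GRC_FN_DISPLAY"}
    rejected = []
    for fn, args in ((m.assign_org_role, ("erin", urm, "Corporate")),      # orgunit role at root
                     (m.assign_entity_role, ("erin", risk_owner, "R-2"))):  # second Risk Owner
        try:
            fn(*args)
        except ValueError as exc:
            rejected.append(str(exc))
    return {
        "alice_display": m.displayable_nodes("alice"),
        "bob_covered_sp04": m.covered_nodes("bob"),
        "bob_covered_pre_sp04": m.covered_nodes("bob", sp04=False),
        "bob_display": m.displayable_nodes("bob"),
        "carol_display": m.displayable_nodes("carol"),
        "carol_sees": {e: m.can_view_entity("carol", e) for e in ("R-1", "R-2")},
        "bob_sees": {e: m.can_view_entity("bob", e) for e in ("R-1", "R-2")},
        "dave_sees": {e: m.can_view_entity("dave", e) for e in ("R-1", "R-2")},
        "rejected": rejected,
    }
```

Running demo() shows the behaviour the slides describe: the corporate role covers every node, the orgunit role on EMEA covers EMEA and DE after SP04 but only EMEA before it, the EMEA user can display Corporate but not APJ, the Risk Owner who is only assigned on R-2 sees no org structure and only that risk, the SAP_GRC_FN_DISPLAY user sees every entity without any org assignment, and both the orgunit role at the root and the second Risk Owner on a Unique-flagged entity are rejected.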

Application Specific Roles: Assignment


Certain roles are defined on the Organization Structure. Others are defined on the Risk / Opportunity / Activity.

Portal Navigation: What can users see?

1 - Navigation Menu: always visible (determined by Portal role)

2 - Work Centers: always visible (determined by Portal role)

3 - Menu Groups: visible depending on the Application Role assigned to the user and the back-end role SAP_GRC_FN_BASE

4 - Menu Items: visible depending on the Application Role assigned to the user and the back-end role SAP_GRC_FN_BASE

Note: the Menu Groups and Menu Items are configurable in the IMG.

What Users Can Do


The following slides illustrate which functions users can perform with the various application roles delivered with Risk Management 3.0. They show the standard delivered functions of each role; these roles can be customized to reflect customers' interpretations of each role.

Risk Owner, Activity Owner and Opportunity Owner have been grouped together as they are very similar in nature.

Note

These slides do not show what the user can and cannot do within the transactions, just which transactions they have access to.

Note 1356150 needs to be applied in order for the roles to behave as described in this document.

What Users Can Do: My Home

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):
- Work Inbox
- Analytics Dashboard
- Top Risks
- Propose Risk
- Report Incident
- Search Documents

CRM – Central Risk Manager

URM – Unit Risk Manager

Auditor – Internal Auditor

What Users Can Do: Risk Structure

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):
- Organizations
- Risk Classification
- Consistency Check
- Activity Hierarchy
- Opportunity Classification
- Objectives Hierarchy

What Users Can Do: Risk Assessment

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):
- Risk and Opportunity Management
- Response and Enhancement Plan Management
- Incident Management
- Top Risks
- Incident Report
- Scenario Analysis
- Scenario Analysis using Monte Carlo
- Activity Management
- Questions Library
- Survey Library
- Survey Results

What Users Can Do: Risk Monitoring

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):
- Key Risk Indicator Template
- Key Risk Indicator Implementation
- Planner

What Users Can Do: User Access

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):
- Mass Role Assignment for Risks, Opportunities and Activities
- Mass Role Assignment for Orgunits
- Replacement / Removal
- Central Delegation
- Own Delegation

What Users Can Do: Reporting

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):

Risk Reporting
- Risks per Risk Category
- Risks per Activity Category
- Risks per Objective
- Risks per Organizational Unit
- Top Risks
- Risk Impact Details
- Risk Mitigation Details
- Risk Summary

What Users Can Do: Reporting II

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):

Opportunity Reports
- Opportunity per Opportunity Category
- Opportunity Benefit
- Opportunities & Enhancement Plans

Audit and Analysis
- Activity History
- Risk History
- Influence Factors

Incident Management
- Incident Overview

What Users Can Do: Reporting III


What Users Can Do: Reporting IV

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):

Authorization Reports
- User Authorization Analysis
- Entity Authorization Analysis
- Role Authorization Analysis
- Object Authorization Analysis

Key Risk Indicator
- KRI for Risk
- KRI History

Print Reports
- Print Reports

What Users Can Do: Reporting V

Roles (columns): CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner

Menu items (rows):

Dashboards
- Heatmap
- Overview


Contact and more Information

Regional Implementation Group, SAP BusinessObjects Governance, Risk, and Compliance Solutions

SDN/BPX: https://www.sdn.sap.com/irj/bpx/grc

Email: [email protected]


Thank you!

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Copyright 2009 SAP AG

All Rights Reserved