SAP Security GRC Access Controls Configuration
INTEGRATED BUSINESS MANAGEMENT PROGRAM

Project ID: iBM
Document Owner: SAP Security
Document Date: 24 May 2017
Document Version: 1.0
Document Status: Final
Document Control

Document Revision History
Version  Date        Name        Description
0.1      23/05/2017  Warren Lui  Initial Draft
0.2      14/07/2017  Warren Lui  Update with GRC Access Controls
1.0      24/09/2019  Warren Lui  Final
Contents

1 GRC Access Control Configuration
  1.1 Activating GRC Access Controls
  1.2 Maintain Integration Framework
    1.2.1 Maintain Connectors and Connection Types
    1.2.2 Maintain Connector Settings
  1.3 Maintain Access Control Connector Settings
  1.4 Maintain Access Control Actions and Connector Groups
  1.5 Maintain GRC Access Control Configuration Settings
  1.6 Maintain GRC Access Control Configuration Settings – Plug-in system
  1.7 Maintain GRC Access Control Configuration Settings – Reason codes
2 Emergency Access Management
  2.1 GRC AC EAM Log Review Workflow
    2.1.1 Perform Automatic Workflow Customizing
    2.1.2 Enable GRC AC specific Event Linking
    2.1.3 Activate MSMP BC Set
    2.1.4 Maintain MSMP Workflows
    2.1.5 Enable GRC Firefighter Workflow Escalations
    2.1.6 Enable Escape Path
    2.1.7 Enable Workflow for Controllers
    2.1.8 Enable Email Reminders
    2.1.9 Customise Email Messages
3 Access Risk Analysis
  3.1 Activate ARA Default Ruleset
  3.2 Update ARA Ruleset with New Connector
  3.3 Generate Rulesets
4 Schedule Background Jobs
  4.1 Schedule GRC Synchronization jobs
5 Firefighter User Exit
6 Activate SICF
1 GRC ACCESS CONTROL CONFIGURATION

1.1 ACTIVATING GRC ACCESS CONTROLS
SPRO -> Governance, Risk and Compliance -> General Settings -> Activate Applications in Client
Check the Active box for GRC-AC.
1.2 MAINTAIN INTEGRATION FRAMEWORK

1.2.1 Maintain Connectors and Connection Types
SPRO -> Governance, Risk and Compliance -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types

Add the connection type ZSAP_ERP.

Select Define Connectors and enter the following details:
  Target Connector: ECPCLNT010
  Connection Type: ZSAP_ERP
  Logical Port: ECPCLNT010
  Max No. of BG WP: 3

Select Define Connector Group and add a new connector group:
  Conn. Group: ERP Connector Group
  Con. Type: ZSAP_ERP

Select Assign Connector Groups to Group Types:
  Connector Group Type: Logical Group

Highlight the connector group and select Assign Connectors to Connector Groups. Enter the target connector:
  Target Connector: ECPCLNT010
  Connection Type: ZSAP_ERP
1.2.2 Maintain Connector Settings
SPRO -> Governance, Risk and Compliance -> Common Component Settings -> Integration Framework -> Maintain Connector Settings

Update the connector settings for the following four integration scenarios:
  - AUTH (Authorization Management)
  - PROV (Provisioning)
  - ROLMG (Role Management)
  - SUPMG (Superuser Privilege Management)

Because of interdependencies between certain scenarios in GRC AC 10.0, a Scenario-to-Connector link must be maintained for all four scenarios available for Access Controls in version 10. If any integration scenario is not linked to the connector, problems can result, so this is a mandatory configuration step.

Maintain Integration Scenario - SUPMG: highlight Sub Scenario SUPMG and select Scenario-Connection Type Link. Check and update the connection type. Then select Scenario-Connector Link and maintain the target connector and connection type. Repeat the same steps for ROLMG, PROV and AUTH, using the values below:

Scenario  Target Connector  Con. Type  Connection Type Text
SUPMG     ECPCLNT010        ZSAP_ERP   SAP ERP Systems
ROLMG     ECPCLNT010        ZSAP_ERP   SAP ERP Systems
PROV      ECPCLNT010        ZSAP_ERP   SAP ERP Systems
AUTH      ECPCLNT010        ZSAP_ERP   SAP ERP Systems
1.3 MAINTAIN ACCESS CONTROL CONNECTOR SETTINGS
SPRO -> Governance, Risk and Compliance -> Access Control -> Maintain Connector Settings

Maintain the following:
  Target Connector: ECPCLNT010
  Application Type: 1
  Environment: Production
  PSS: Yes
1.4 MAINTAIN ACCESS CONTROL ACTIONS AND CONNECTOR GROUPS
SPRO -> Governance, Risk and Compliance -> Access Control -> Maintain Mapping for Actions and Connector Groups

Maintain Mapping for Actions and Connector Groups:
Conn. Group  Action  Target Connector  Default
ERP          1       ECPCLNT010        X
ERP          2       ECPCLNT010        X
ERP          3       ECPCLNT010        X
ERP          4       ECPCLNT010        X
ERP          5       ECPCLNT010        X
1.5 MAINTAIN GRC ACCESS CONTROL CONFIGURATION SETTINGS
SPRO -> Governance, Risk and Compliance -> Access Control -> Maintain Configuration Settings

Specify the 'Parameter ID' values for the parameters in each of the following 'Parameter Groups': Change Log, Mitigation, Risk Analysis, Emergency Access Management, Management Dashboard Reports.

Parm Group                   Param ID  Parameter Value               Priority  Description
Change Log                   1001      YES                           0         Enable Function Change Log
Change Log                   1002      YES                           0         Enable Risk Change Log
Change Log                   1003      YES                           0         Enable Organization Rule Log
Change Log                   1004      YES                           0         Enable Supplementary Rule Log
Change Log                   1005      YES                           0         Enable Critical Role Log
Change Log                   1006      YES                           0         Enable Critical Profile Log
Change Log                   1007      YES                           0         Enable Rule Set Change Log
Change Log                   1008      YES                           0         Enable Role Change Log
Mitigation                   1011      365                           0         Default expiration time for mitigating control assignments (in days)
Mitigation                   1012      NO                            0         Consider Rule Id also for mitigation assignment
Mitigation                   1013      NO                            0         Consider System for mitigation assignment
Risk Analysis                1021      NO                            0         Consider Org Rules for other applications
Risk Analysis                1023      02                            0         Default report type for risk analysis
Risk Analysis                1024      3                             0         Default risk level for risk analysis
Risk Analysis                1026      A                             0         Default user type for risk analysis
Risk Analysis                1027      YES                           0         Enable Offline Risk Analysis
Risk Analysis                1028      NO                            0         Include Expired Users
Risk Analysis                1029      NO                            0         Include Locked Users
Risk Analysis                1030      NO                            0         Include Mitigated Risks
Risk Analysis                1031      YES                           0         Ignore Critical Roles & Profiles
Risk Analysis                1032      YES                           0         Include Reference user when doing user analysis
Risk Analysis                1033      YES                           0         Include Role/Profile Mitigating Controls in Risk Analysis
Risk Analysis                1035      NO                            0         Send email notification to the monitor of the updated mitigated object
Risk Analysis                1036      NO                            0         Show All Objects in Risk Analysis
Risk Analysis Spool          1053      D                             0         Spool Type
Emergency Access Management  4000      1                             0         Application type
Emergency Access Management  4001      30                            0         Default Firefighter Validity Period (Days)
Emergency Access Management  4002      NO                            0         Send Email Immediately
Emergency Access Management  4003      YES                           0         Retrieve Change Log
Emergency Access Management  4004      YES                           0         Retrieve System log
Emergency Access Management  4005      YES                           0         Retrieve Audit log
Emergency Access Management  4006      YES                           0         Retrieve OS Command log
Emergency Access Management  4007      YES                           0         Send Log Report Execution Notification Immediately
Emergency Access Management  4008      NO                            0         Send FirefightId Login Notification
Emergency Access Management  4009      YES                           0         Log Report Execution Notification
Emergency Access Management  4010      ZX80P00:FF_FIREFIGHTER_ID:00  0         Firefighter ID role name
Emergency Access Management  4015      Yes                           0         Enable Decentralized Firefighting
1.6 MAINTAIN GRC ACCESS CONTROL CONFIGURATION SETTINGS – PLUG-IN SYSTEM
SPRO -> Governance, Risk and Compliance (Plug-In) -> Access Control -> Maintain Plug-In Configuration Settings

Param ID  Sequence  Parameter Value               Short Description
1000      0         ECPCLNT010                    Please maintain Plug-in Connector
1001      0         GRPCLNT010                    Please maintain GRC connector
4000      0         1                             Application type
4001      0         30                            Default Firefighter Validity Period (Days)
4008      0         YES                           Send Firefight ID Login Notification
4010      0         ZX80P00:FF_FIREFIGHTER_ID:00  Firefighter ID role name
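The EAM parameters in section 1.5 are the switches that decide whether firefighter sessions leave an audit trail (log retrieval, notifications, validity period), so they are worth re-checking after transports or manual changes. The script below is an added example, not part of this document or of SAP's tooling: it parses an exported copy of the settings and reports every parameter that is missing or differs from the documented baseline. The tab-separated export layout is an assumption; the baseline covers the EAM group only and can be extended with the other groups from the table.

```python
import csv
import io

# Baseline values transcribed from the EAM group in section 1.5.
BASELINE = {
    "4000": "1", "4001": "30", "4002": "NO", "4003": "YES",
    "4004": "YES", "4005": "YES", "4006": "YES", "4007": "YES",
    "4008": "NO", "4009": "YES", "4010": "ZX80P00:FF_FIREFIGHTER_ID:00",
}
# Switches whose deviation removes audit evidence (the four "Retrieve ... log"
# flags); rated high, every other deviation medium.
EVIDENCE = {"4003", "4004", "4005", "4006"}


def parse_export(text):
    """Parse a tab-separated export (group, param ID, value, priority).
    The export layout is an assumption made for this example."""
    settings = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 3 or not row[1].strip().isdigit():
            continue  # skip the header line and anything malformed
        settings[row[1].strip()] = row[2].strip()
    return settings


def check_drift(settings, baseline=BASELINE):
    """Return {param ID: (expected, actual, severity)} for every parameter
    that is missing from the export or differs from the baseline."""
    findings = {}
    for pid, expected in baseline.items():
        actual = settings.get(pid)
        if actual is None:
            findings[pid] = (expected, None, "missing")
        elif actual.upper() != expected.upper():
            findings[pid] = (expected, actual, "high" if pid in EVIDENCE else "medium")
    return findings


# Constructed sample export: audit log retrieval (4005) switched off, validity
# period (4001) raised to 90 days, firefighter role name (4010) not maintained.
SAMPLE_EXPORT = """Parm Group\tParam ID\tParameter Value\tPriority
Emergency Access Management\t4000\t1\t0
Emergency Access Management\t4001\t90\t0
Emergency Access Management\t4002\tNO\t0
Emergency Access Management\t4003\tYES\t0
Emergency Access Management\t4004\tYES\t0
Emergency Access Management\t4005\tNO\t0
Emergency Access Management\t4006\tYES\t0
Emergency Access Management\t4007\tYES\t0
Emergency Access Management\t4008\tNO\t0
Emergency Access Management\t4009\tYES\t0
"""

if __name__ == "__main__":
    for pid, (exp, act, sev) in sorted(check_drift(parse_export(SAMPLE_EXPORT)).items()):
        print(f"{pid}: expected {exp!r}, found {act!r} [{sev}]")
```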
1.7 MAINTAIN GRC ACCESS CONTROL CONFIGURATION SETTINGS – REASON CODES
NWBC -> Access Management -> Emergency Access Maintenance -> Reason Codes

Add the following reason codes:
Reason Code  Reason                            Description
01           Support - Incident/Work Order     Changes Associated with an Incident or Work Order
02           Support - Change Request          Changes Associated with a Change Request / Change Request Number
03           Support - Investigation           Display / Read tasks where 'Normal' User-ID is not authorized
04           Support - Admin (BASIS)           Basis Administration / Housekeeping Tasks
05           Support - Admin (Security)        Security Administration / Housekeeping Tasks
20           Project - IBM Cutover Activities  iBM Project-Planned Cutover Tasks
50           SBS - Procurement Admin           SBS-Procurement Administration-Access to Maintain Pur Reqs

2 EMERGENCY ACCESS MANAGEMENT
2.1 GRC AC EAM LOG REVIEW WORKFLOW

2.1.1 Perform Automatic Workflow Customizing
SPRO -> Governance, Risk and Compliance -> General Settings -> Workflow -> Perform Automatic Workflow Customizing
Ensure that the workflow settings are maintained.

SPRO -> Governance, Risk and Compliance -> General Settings -> Workflow -> Perform Task-Specific Customizing
Enable the GRC AC specific workflow under folder GRC -> GRC-AC.
Assign the task as a General Task via the Task Attributes. Make sure all tasks that do not use Background Task have been assigned as General Task.
Ensure the EAM Audit Review tasks are enabled, e.g. TS 76308028 and WS 76300089.
2.1.2 Enable GRC AC specific Event Linking
Click Activate Event Linking.
2.1.3 Activate MSMP BC Set
The configuration tool can be launched in the IMG under Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Activate MSMP Content for AC.
Activate BC Set GRC_MSMP_CONFIGURATION, using "Expert" mode.
2.1.4 Maintain MSMP Workflows
The configuration tool can be launched in the IMG under Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflows.
Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT, click Display/Change and select Next.
Select Maintain Paths, select Step 001 and click "Modify Task Settings". Maintain:
  Agent ID: GRAC_SPM_CNTRL_AGENT
  Approval Type: Any One Approver
  Forward Allowed: Yes
  Confirm Approval: Yes
  Comments Mandatory:
  Approval Notification: Approver
Ensure the Stage Configuration is also updated.
Select Generate Versions. You will need to save and activate this workflow. You can run Simulate first; this validates whether there is an issue with the workflow.
2.1.5 Enable GRC Firefighter Workflow Escalations
The configuration tool can be launched in the IMG under Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflows.
Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT, click Display/Change and select Next.
Select Maintain Paths, select Step 001 and click "Modify Task Settings". Update the following fields:
  Escalation Time Mins: 20,160
  Escalation Type: Escalate to Specified Agent
Ensure the Stage Configuration is also updated.
Navigate to Step 3 (Maintain Agents) and create the Escalation Manager agent:
  Agent ID: ZGRAC_ESCALATION_MANAGER
  Agent Name: Escalation Manager
  Agent Purpose: Approval
  Agent Type: Directly Mapped Users
  Approver Group ID: Escalation Manager
Add the approver user and approver ID.
2.1.6 Enable Escape Path
The configuration tool can be launched in the IMG under Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflows.
Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT, click Display/Change and select Next.
Navigate to Step 3 (Maintain Agents) and define an agent for the Security Team:
  Agent ID: ZGRAC_SEC_TEAM
  Agent Name: Security Team
  Agent Purpose: Approval
  Agent Type: PFCG Roles
  Role: YX:P00:SEC_ADM_HR:PRD_NM
Navigate to Step 1 (Process Global Settings) and add an Escape Condition for the workflow process SAP_GRAC_FIREFIGHT_LOG_REPORT.
2.1.7 Enable Workflow for Controllers
In the GRC application, all controllers need to be adjusted: notification by email needs to be switched to "Workflow".
Select "Controllers" under Emergency Access Maintenance. Select the controller and click "Open", then set Notification By to "Workflow".
2.1.8 Enable Email Reminders
Schedule job GRFNMW_BATCH_EMAIL_REMINDER to send email reminders, with the following parameters:
  MSMP Process ID: Fire Fighter Log Report Review Workflow
  Period (in days): 7
  Don't Remind Again (in days): 0
  Template ID: ZGRAC_NOTIFICATION
  Variant: ZSPM_WORKFLOW
2.1.9 Customise Email Messages

Create a new template ID in SE61 (Maintain Document Text). Select Document Class General Text and create ZGRAC_MSMP_REMINDER with the following text:

  There are GRC (Firefighter) workitem(s) in your work inbox that are yet to be actioned. Please perform the necessary actions.
  GRC Inbox: NWBC > Workspace > Tools > System Access Controls > Emergency Access Management > Work Inbox
  This reminder has been sent for any GRC (Firefighter) workitem(s) that have not been actioned after 7 days; any GRC (Firefighter) workitem(s) that have not been actioned after 14 days will be escalated.
  Kind regards,
  Access Control Administrator

Create a second template ID in SE61 (Maintain Document Text). Select Document Class General Text and create ZGRAC_MSMP_LOGRPT_NEWWORKITM with the following text:

  There are new Firefighter workitem(s) in your work inbox. Please review and perform the necessary actions. Workitem(s) can be reviewed by accessing the GRC Inbox.
  GRC Inbox: NWBC > Workspace > Tools > System Access Controls > Emergency Access Management > Work Inbox
  Kind regards,
  Access Control Administrator

SM30 - Maintain table GRFNVNOTIFYMSG: create the new notification messages ZAC_SPM_LOGRPT_NEWWI and ZAC_SPM_REMINDER.

The configuration tool can be launched in the IMG under Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflows.
Select the workflow SAP_GRAC_FIREFIGHT_LOG_REPORT, click Display/Change and select Next.
Navigate to Step 4 (Variables and Templates) and create a new Notification Template:
  Template: ZGRAC_LOGRPT_WORK_ITEM
  Message Class: ZAC_SPM_LOGRPT_NEWWI
  Docu. Object: ZGRAC_MSMP_LOGRPT_NEWWORKITM
Create a second Notification Template:
  Template: ZGRAC_NOTIFICATION
  Message Class: ZAC_SPM_REMINDER
  Docu. Object: ZGRAC_MSMP_REMINDER
3 ACCESS RISK ANALYSIS

3.1 ACTIVATE ARA DEFAULT RULESET
The default Risk Analysis and Remediation (RAR) rulesets are delivered via BC Sets. Activate the BC Sets. Note: use "expert mode" during the activation of these BC Sets.
Execute transaction SCPR20 and activate:
  GRAC_RA_RULESET_COMMON
  GRAC_RA_RULESET_SAP_R3
3.2 UPDATE ARA RULESET WITH NEW CONNECTOR
Depending on the BC Set that was activated, the connector needs to be adjusted to map to the connectors defined in sections 2 and 3. The system defined in all functions needs to be changed.
To update the rules to work with the connectors defined in sections 2 and 3, download the rules and upload them back into the GRC system. When uploading there is an option to select the connector to use.
SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> SoD Rules -> Download SoD Rules
SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> SoD Rules -> Upload SoD Rules
3.3 GENERATE RULESETS
SPRO -> Governance, Risk and Compliance -> Access Control -> Access Risk Analysis -> SoD Rules -> Generate SoD Rules
Select the Risk ID that needs to be generated.

NWBC -> Rule Setup -> Access Rule Maintenance -> Access Risks
Highlight the Risk ID that needs to be generated and click Generate Rules.

Risk  Description           Generate
AP00  APO                   No
BS00  Basis                 Yes
CA00  Cross Application     No
CR00  CRM                   No
EC00  Consolidation         No
FI00  Finance               Yes
HR00  HR and Payroll        Yes
MM00  Materials Management  Yes
PM00  Plant Maintenance     No
PR00  Procure to Pay        Yes
SD00  Order to Cash         Yes
SR00  EBP and SRM           No

4 SCHEDULE BACKGROUND JOBS
4.1 SCHEDULE GRC SYNCHRONIZATION JOBS
The following background jobs need to be scheduled in the system:

Job                            Job Name / Program           Frequency          User ID
Repository Object Sync         GRAC_REPOSITORY_OBJECT_SYNC  Weekly (Full)      B_GRC_SEC
Repository Object Sync         GRAC_REPOSITORY_OBJECT_SYNC  Daily (Increment)  B_GRC_SEC
Action Usage Synch             GRAC_ACTION_USAGE_SYNC       Daily              B_GRC_SEC
Firefighter Log Synch          GRAC_SPM_LOG_SYNC_UPDATE     Hourly             B_GRC_SEC
Firefighter Workflow Reminder  GRAC_SPM_WF_REMINDER         Daily              B_GRC_SEC

5 FIREFIGHTER USER EXIT
Apply OSS Note 1545511 (Firefighter User Exit). This note prevents users from logging on to SAP with an SAP account that is identified as a firefighter account.
Attachment: 1545511.pdf
6 ACTIVATE SICF
Activate the SICF service /sap/bc/webdynpro/SAP/GRAC_UI_SPM_AUDIT_WF.