SAP GRC AC Implementation Guide

The document is a cheat sheet for SAP GRC (Access Control) implementation, outlining post-installation steps, connector configuration, synchronization jobs, rule set management, and MSMP workflow overview. It provides detailed instructions on checking system components, configuring connectors, maintaining settings, and creating rule sets to manage access risks. Additionally, it emphasizes the importance of testing custom rule sets and following a clear naming convention.
SAP GRC (AC) Implementation Cheat Sheet -1

ABHISHEK KUMAR SHARMA – SAP S4 SECURITY, GRC CONSULTANT, MENTOR


Post Installation steps

1. Check for the required SAP software components:
   GRC system – GRCFND_A, GRCPINW
   Plug-in system – GRCPINW (Non-HR) / GRCPIERP (HR)
2. Check whether the BC sets related to *GRAC* and *MSMP* have been activated.
   BC Set – Business Configuration Set – SAP predefined default/standard values
   T-code: SCPR20
   Table: SCPRACTST (SCPR*)
   Naming convention of the BC sets:
   ➢ GRAC*REQUEST*: Related to ARM
   ➢ GRAC*ROLE_MGMT*: Related to BRM
   ➢ GRAC*RA_RULESET*: Related to ARA
   ➢ GRAC*SPM*: Related to EAM
   ➢ GRC*MSMP*: Related to ARM
3. Check that all services related to *GRAC* and *NWBC* are activated – T-code SICF
4. SPRO → GRC → General Settings → Activate applications in client
   Ensure GRC-AC is active.
5. SPRO → GRC → General Settings → Workflow → Perform Automatic Workflow Customizing (SWU3)
   Ensure everything looks GREEN here; otherwise approach the BASIS team.
6. SPRO → GRC → General Settings → Workflow → Perform Task-Specific Customizing
   Ensure every task is defined as Background or General Task. If it is empty, define it as GENERAL Task.

Synchronization Jobs

Path: SPRO → IMG → GRC → Access Control → Synchronization Jobs
Authorization Sync: Sync backend system SU24 data into the GRC system.
Repository Object Sync: Sync roles, users & profiles.

Connector Configuration

Prerequisite: A user ID is needed for the RFC connection in the PLUG-IN system (S4HANA/ECC). The user ID should be of SYSTEM or COMMUNICATION type and should be assigned the necessary (RFC) authorizations. Authorization objects starting with S_RFC* give access to RFC-related authorizations.
Path for the first 3 steps of Connector Configuration: SPRO → GRC → Common Component Settings → Integration Framework
1) Create Connector (SM59)
   Set up the RFC between the plug-in system and the GRC system.
2) Maintain Connectors and Connection Types
   A) Define Connectors: Source Connector & Logical Port should be the same as the Target Connector.
      A.1) Define Subsequent Connector – required for JAVA systems only, not for ABAP systems. The Subsequent Connector is created by the BASIS team.
   B) Define Connector Groups – create a group.
      B.1) Assign Connector Groups to Group Types: define your connector group status as Logical Group for AC.
      B.2) Assign Connectors to Connector Groups – put the connector you created in Step 1 under the connector group just created.
3) Maintain Connection Settings
   Access Control related Integration Scenarios:
   AUTH: Related to BRM, ARA
   PROV: Related to ARM
   ROLMG: Related to BRM
   SUPMG: Related to EAM
Path: SPRO → GRC → Access Control
4) Maintain Configuration Settings – SPRO → GRC → AC → Maintain Configuration Settings
   Allows administrators to adjust the various parameters that control Access Control functionality (check the parameters and set values that align with organizational compliance and security policies).
5) Maintain Connector Settings – SPRO → GRC → AC → Maintain Connector Settings
   Define Application Type, Environment and PSS. PSS stands for Password Self Service.
6) Maintain Mapping for Actions and Connector Groups (same path as in Step 4)
   a) Maintain Connector Group Status → enter your connector group name and make it active.
   b) Assign default connector to connector group
      * Under one connector group, only one system can act as Default Connector for one action.
      * All systems under a connector group should be mapped with all actions, but only one system can act as Default Connector.
7) Maintain Plug-In Settings (the only setting in the plug-in system) – SPRO → IMG → GRC Plug-In → Maintain Plug-In Configuration Settings – maintain the parameter values.
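The two constraints under "Assign default connector to connector group" (every system in the group mapped to every action, exactly one default per action) are easy to get wrong when a group holds several systems. The following is an added example, not SAP code and not part of the cheat sheet: a small checker that takes the group's connectors and the mapping rows and reports each violation. The group name, connector names and mapping rows are constructed; the action codes are the integration scenarios the sheet lists.

```python
"""Consistency check for 'Maintain Mapping for Actions and Connector Groups'.

Added example; this is not SAP code and not part of the original cheat
sheet. It encodes the two constraints the sheet states for step 6: every
system in a connector group must be mapped to every action, and for each
action exactly one system is the default connector. Group name, connector
names and the mapping rows are constructed sample values; the action codes
are the integration scenarios named on the sheet.
"""
from collections import defaultdict

# Access Control integration scenarios listed under 'Maintain Connection Settings'.
ACTIONS = ("AUTH", "PROV", "ROLMG", "SUPMG")


def validate_mapping(group, connectors, mappings):
    """Return a list of problems; an empty list means the mapping is consistent.

    connectors: connector names assigned to the group (step 2.B.2).
    mappings:   rows of (connector, action, is_default) as maintained under
                'Assign default connector to connector group'.
    """
    connectors = set(connectors)
    mapped = defaultdict(set)     # action -> connectors that have a mapping row
    defaults = defaultdict(list)  # action -> connectors flagged as default
    problems = []

    for connector, action, is_default in mappings:
        if connector not in connectors:
            problems.append(f"{group}: {connector} mapped to {action} but not assigned to the group")
            continue
        if action not in ACTIONS:
            problems.append(f"{group}: unknown action {action} on {connector}")
            continue
        mapped[action].add(connector)
        if is_default:
            defaults[action].append(connector)

    for action in ACTIONS:
        for connector in sorted(connectors - mapped[action]):
            problems.append(f"{group}: {connector} has no mapping for action {action}")
        if not defaults[action]:
            problems.append(f"{group}: no default connector for action {action}")
        elif len(defaults[action]) > 1:
            names = ", ".join(sorted(defaults[action]))
            problems.append(f"{group}: more than one default connector for action {action}: {names}")
    return problems


# Constructed sample: one logical group holding an ECC and an S/4HANA connector.
GROUP = "LG_AC_ERP"
CONNECTORS = ["ECDCLNT100", "S4DCLNT100"]

# Every system mapped to every action, exactly one default per action.
GOOD_MAPPING = [("ECDCLNT100", a, True) for a in ACTIONS] + \
               [("S4DCLNT100", a, False) for a in ACTIONS]

# Two of the mistakes the sheet warns about: a second default for AUTH, and
# S4DCLNT100 not mapped to ROLMG and SUPMG at all.
BAD_MAPPING = [
    ("ECDCLNT100", "AUTH", True), ("ECDCLNT100", "PROV", True),
    ("ECDCLNT100", "ROLMG", True), ("ECDCLNT100", "SUPMG", True),
    ("S4DCLNT100", "AUTH", True),
    ("S4DCLNT100", "PROV", False),
]

if __name__ == "__main__":
    for label, mapping in (("good", GOOD_MAPPING), ("bad", BAD_MAPPING)):
        print(label, validate_mapping(GROUP, CONNECTORS, mapping) or "ok")
```

Run it before activating the connector group: the bad sample reports the duplicate default for AUTH and the two missing action mappings, which is exactly what an incomplete step 6 looks like in practice.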
Rule Set

Definition: Rule sets are collections of rules that identify potential SoD conflicts. Each rule defines a combination of actions or transactions that could lead to unauthorized activities or financial misrepresentation if allowed for a single user.
Purpose: Rule sets help organizations maintain internal controls and protect sensitive data. They act as a baseline for risk analysis and remediation.
Rule Set Type:
Global Rule Set: SAP-delivered, industry-standard rule set that offers a solid baseline. Consider starting with this.
Custom Rule Set: A rule set you create from scratch, designed to address your organization's specific risks and requirements.
Rule Set Setup Options:
1. Use SAP Delivered Rule Set – Global Ruleset.
2. Copy SAP Delivered Rule Set to create a Custom Ruleset and customize it to suit your organization.
3. Build Custom Rule Set from scratch.
Path For Rule Set – GRC → Access Control → Access Risk Analysis → SOD Rules
Generate SOD Rules after the rule set is created or changed.

Use SAP Delivered Rule Set – Global Ruleset
Path For Rule Set – GRC → Access Control → Access Risk Analysis → SOD Rules → Generate SOD Rules

Copy SAP Delivered Rule Set to Create Custom Ruleset & Customize to suit your organization
1. Path For Rule Set – GRC → Access Control → Access Risk Analysis → SOD Rules → Download Rule Set
2. Select the Risk IDs applicable to your organization based on the business processes involved.
3. Add Z before the selected Risk IDs and Functions; you can customize functions based on your requirements.
4. Upload the file for the new Custom Ruleset & Generate Rule Set.
NOTE: 1) If you initially have only one rule set, which is GLOBAL, and you upload a custom rule set with OVERWRITE, GLOBAL will be lost.
2) To retain GLOBAL and upload custom, you must use APPEND.

Build Custom Rule Set from Scratch
Go to NWBC → Set Up → Access Rule Maintenance (common path for the steps below)
1. Rule Sets → Create → Enter Rule Set Name & Description → Save
2. Functions → Create → Enter Function ID, Business Process, Description → Enter Actions & Permissions (functions need to have the required transactions & authorizations)
3. Access Risk → Create → Enter Access Risk ID, Business Process & Description → Add Functions → Add newly created Rule Set → Add Risk Owner for Risk ID
4. Once all Risk IDs are maintained → Generate Rule Set
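To make the rule set objects concrete (rule set → access risk → functions → actions), what "Generate Rule Set" produces from them, and why the OVERWRITE/APPEND note matters, here is an added example written for this page; it is not SAP code and not from the cheat sheet. It expands a risk into explicit SoD rules, runs a user-level risk analysis against them, applies the Z-prefix copy from the "Copy SAP Delivered Rule Set" steps, and models the two upload modes. Rule set, risk and function IDs, owners and the user's transaction list are constructed; the transaction codes are ordinary SAP ones used only as illustrative actions.

```python
"""Toy model of Access Risk Analysis rule sets.

Added example; this is not SAP code and not part of the original cheat
sheet. It models the objects the sheet walks through (rule set -> access
risk -> functions -> actions), expands a risk into SoD rules the way
'Generate Rule Set' does conceptually (one rule per combination of one
action from each function), runs a user-level risk analysis, and shows the
OVERWRITE vs APPEND upload behaviour the sheet's NOTE warns about. Rule set,
risk and function IDs, owners and user assignments are constructed; the
transaction codes are ordinary SAP ones used only as illustrative actions.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class Function:
    func_id: str
    business_process: str
    actions: frozenset  # transactions (a real function also carries permissions)


@dataclass(frozen=True)
class AccessRisk:
    risk_id: str
    business_process: str
    functions: tuple     # two or more conflicting Functions
    risk_owner: str


@dataclass
class RuleSet:
    name: str
    risks: dict = field(default_factory=dict)

    def add_risk(self, risk):
        self.risks[risk.risk_id] = risk
        return self


def generate_rules(risk):
    """Expand a risk into explicit SoD rules: every way of taking one action
    from each of its functions. No single user may hold any one of these."""
    return [tuple(c) for c in product(*(sorted(f.actions) for f in risk.functions))]


def analyze_user(rule_sets, user_tcodes):
    """User-level risk analysis. A risk fires when the user can execute at least
    one action of every function in it; returns {risk_id: [violating rules]}."""
    tcodes = set(user_tcodes)
    hits = {}
    for rs in rule_sets:
        for risk in rs.risks.values():
            violating = [r for r in generate_rules(risk) if set(r) <= tcodes]
            if violating:
                hits[risk.risk_id] = violating
    return hits


class RuleSetRepository:
    """Simplified stand-in for the store behind 'Upload Rule Set'."""

    def __init__(self):
        self.rule_sets = {}

    def upload(self, rule_set, mode):
        if mode == "OVERWRITE":   # replaces what is there: an existing GLOBAL is lost
            self.rule_sets = {rule_set.name: rule_set}
        elif mode == "APPEND":    # keeps existing rule sets alongside the new one
            self.rule_sets[rule_set.name] = rule_set
        else:
            raise ValueError(f"unknown upload mode: {mode}")
        return sorted(self.rule_sets)


def copy_as_custom(rule_set, new_name):
    """Step 3 of 'Copy SAP Delivered Rule Set': prefix risk and function IDs with Z."""
    custom = RuleSet(new_name)
    for risk in rule_set.risks.values():
        funcs = tuple(Function("Z" + f.func_id, f.business_process, f.actions) for f in risk.functions)
        custom.add_risk(AccessRisk("Z" + risk.risk_id, risk.business_process, funcs, risk.risk_owner))
    return custom


# Constructed sample standing in for the SAP-delivered GLOBAL rule set.
GLOBAL = RuleSet("GLOBAL").add_risk(AccessRisk(
    "R001", "P2P",
    (Function("F01", "P2P", frozenset({"XK01", "FK01"})),   # maintain vendor master
     Function("F02", "P2P", frozenset({"F110", "F-53"}))),  # pay vendor
    "risk.owner.p2p",
))
CUSTOM = copy_as_custom(GLOBAL, "ZGLOBAL")

# Constructed user holding create-vendor and payment access in one account.
JDOE_TCODES = {"XK01", "F110", "ME21N"}

if __name__ == "__main__":
    repo = RuleSetRepository()
    print(repo.upload(GLOBAL, "APPEND"))        # ['GLOBAL']
    print(repo.upload(CUSTOM, "OVERWRITE"))     # ['ZGLOBAL']  GLOBAL is gone
    repo.upload(GLOBAL, "APPEND")
    print(repo.upload(CUSTOM, "APPEND"))        # ['GLOBAL', 'ZGLOBAL']
    print(analyze_user([CUSTOM], JDOE_TCODES))  # {'ZR001': [('XK01', 'F110')]}
```

The point of `generate_rules` is that one risk with two functions of two actions each already yields four rules; real risks with dozens of actions per function explode into thousands of generated rules, which is why the sheet says to regenerate after every rule set change and to test a custom rule set thoroughly before production.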
NOTE – Rule Set Tips
Start with the SAP-delivered Global Rule Set & customize it to suit your organization.
Use a clear naming convention and description for your custom rule sets.
Thoroughly test custom rule sets before moving them into production.

MSMP Workflow Overview

SAP GRC user provisioning involves an approval workflow to allow automation of the process. The key engine which drives this approval workflow is called MSMP – Multistage Multi Path.
Workflow components:
• Initiator – Decides which path the request will follow
• Rules – Criteria evaluated for path decisions
• Path – A linear group of stages which determine which approvals are required
• Stage – Defined approval action required
The Initiator determines the path each request will take. Each request can be split onto multiple paths:
Paths by system: Development vs. Production
Paths based on role selections: Display vs. Update

Rule Types
Initiator Rule – Rule that directs the request to specific paths. When a request comes into the workflow, which path does it go down?
Agent Rule – Rules that determine the approver. How are the approvers determined? E.g. Manager, Role Owner, Others
Routing Rule – Rules that will route the request to other paths. When a special circumstance is met (i.e., a detour), where does the request flow next? E.g. SoD detours
Notification Rule – Sends an email notification to the appropriate reviewers. Who is notified of the request status?
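The MSMP overview and the four rule types above describe a routing engine in prose; the following added example (written for this page, not SAP code and not from the cheat sheet) models it in code so the pieces can be seen working together. A request's line items are split onto paths by the initiator rule (system, then Display vs. Update), each path is a list of stages, each stage's agent rule yields approvers, the routing rule detours a production path through the risk owner when risk analysis found an SoD violation, and a notification rule lists who is informed at each stage. All user, role, system, approver and risk IDs are constructed.

```python
"""Toy MSMP-style routing for an access request.

Added example; this is not SAP code and not part of the original cheat
sheet. It models the components the sheet lists (initiator, path, stage) and
the four rule types (initiator, agent, routing, notification) and runs one
request through them: line items are split onto paths by system and role
type, an SoD violation detours the production path to the risk owner, and
every stage yields its approvers and its notification list. All user, role,
system, approver and risk IDs are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class LineItem:
    role: str
    system: str      # connector the role is provisioned on
    role_type: str   # "DISPLAY" or "UPDATE"
    role_owner: str


@dataclass
class Request:
    requester: str
    manager: str
    items: list
    sod_risk_owners: dict = field(default_factory=dict)  # risk_id -> owner, from risk analysis


@dataclass
class Stage:
    name: str
    agent_rule: object  # (request, items) -> approvers: how are approvers determined?


# Agent rules
def manager_agent(request, items):
    return [request.manager]


def role_owner_agent(request, items):
    return sorted({i.role_owner for i in items})


def risk_owner_agent(request, items):
    return sorted(set(request.sod_risk_owners.values()))


# Notification rule: who is told about the request status at each stage?
def notification_rule(request, approvers):
    return [request.requester] + list(approvers)


# Paths: linear groups of stages that determine which approvals are required.
MANAGER, ROLE_OWNER = Stage("MANAGER", manager_agent), Stage("ROLE_OWNER", role_owner_agent)
PATHS = {
    "DEV_DISPLAY": [MANAGER],
    "PROD_DISPLAY": [MANAGER, ROLE_OWNER],
    "PROD_UPDATE": [MANAGER, ROLE_OWNER],
    "SOD_DETOUR": [Stage("RISK_OWNER", risk_owner_agent)],  # appended by the routing rule
}
PRODUCTION_SYSTEMS = {"PRDCLNT100"}  # constructed


def initiator_rule(item):
    """Decide which path a line item follows: by system, then by role selection."""
    if item.system not in PRODUCTION_SYSTEMS:
        return "DEV_DISPLAY"
    return "PROD_UPDATE" if item.role_type == "UPDATE" else "PROD_DISPLAY"


def routing_rule(request, path_name, stages):
    """Detour: SoD violations on a production path add the risk owner stage."""
    if request.sod_risk_owners and path_name.startswith("PROD"):
        return stages + PATHS["SOD_DETOUR"]
    return stages


def run_workflow(request):
    """Split the request onto paths and evaluate every stage.
    Returns {path: [(stage name, approvers, notified), ...]}."""
    by_path = {}
    for item in request.items:
        by_path.setdefault(initiator_rule(item), []).append(item)
    result = {}
    for path_name, items in by_path.items():
        result[path_name] = []
        for stage in routing_rule(request, path_name, list(PATHS[path_name])):
            approvers = stage.agent_rule(request, items)
            result[path_name].append((stage.name, approvers, notification_rule(request, approvers)))
    return result


# Constructed request: a display role on dev, two update roles on production,
# and a risk analysis result that flagged one SoD conflict.
SAMPLE = Request(
    requester="jdoe", manager="mgr.smith",
    items=[LineItem("Z_FI_DISPLAY", "DEVCLNT100", "DISPLAY", "owner.fi"),
           LineItem("Z_FI_AP_POST", "PRDCLNT100", "UPDATE", "owner.fi"),
           LineItem("Z_MM_PO_CREATE", "PRDCLNT100", "UPDATE", "owner.mm")],
    sod_risk_owners={"ZR001": "risk.owner.p2p"},
)

if __name__ == "__main__":
    for path, stages in run_workflow(SAMPLE).items():
        print(path)
        for name, approvers, notified in stages:
            print(f"  {name}: approvers={approvers} notified={notified}")
```

Running it shows the split the sheet describes: the dev display role takes the one-stage manager path, while the two production update roles share a manager, role owner and, because of the SoD hit, risk owner stage. Removing the `sod_risk_owners` entry makes the detour disappear, which is the routing rule doing its job.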
