This document describes the challenges organizations face when upgrading the Support Package and NetWeaver release for SAP GRC 10.0. Organizations that upgrade the support package together with the NetWeaver version for SAP GRC 10.0 may face many challenges at different stages of the project. Here we discuss some of the challenges met in a real environment while upgrading GRC 10.0 from SP07 to SP13 and SAP NetWeaver from 7.02 to 7.31 SPS 8.

  • Backend Plugin Upgrade
    • If an organization plans to upgrade GRC 10.0 from an SP level below SP10, it must also plan and coordinate the GRC plugin upgrade in the backend systems. GRC is normally connected to most of the systems in an organization for user provisioning, risk analysis, emergency access and so on, and those systems are at different NetWeaver versions and plugin levels.
    • To avoid product compatibility issues, plan the plugin upgrade before the GRC system upgrade.
  • SU25 and Web Dynpro components upgrade
    • It is hard for a security consultant to understand the effect of the authorization updates in SU25 steps 2a, 2b and 2c on the GRC front end, because SU25 does not detail the changes in authorization checks for the GRC front-end application.
    • Plan the testing strategy and scenario testing in detail so that all authorization check changes and role change requirements are covered.

 

  • Mass user locking
    • In ECC, BI and similar systems the total number of users is usually in the thousands, but in a GRC system the number of users is much higher, depending on how many systems are connected to it and how user data is synchronized. To prevent users from logging in during the upgrade, it is recommended to lock them.
    • SU10 is normally used for mass locking, but locking users in lakhs (hundreds of thousands) via SU10 is not a suitable approach.

  • "Agent not found": access requests ending in error or completing without role owner approval
    • After the upgrade, roles whose approvers are not defined in table GRACOWNER, or not defined as owners under "Access Control Owners" in the front end, cannot be approved, because GRC now checks for approvers in the GRACOWNER table.
    • Before go-live, maintain all role approvers as role owners in the Access Control Owners list.

  • Dumps in the system when clicking a link in an e-mail received from GRC
    • After the NetWeaver and SP upgrade for GRC 10.0, users might start getting the following ABAP dump:

               ASSERTION FAILED
               Category           ABAP Programing Error
               Runtime Errors     Assertion Failed
               ABAP Program       CL_GRFN_API_IDENT================CP
               Application Component GRC

    • Check whether OSS note 1888486 applies to your system to fix the issue.

On one of my first projects as the lead architect I needed to prototype GRC. I had supported GRC components before (albeit 5.3 version), attended the GRC300 training course and passed my certification. I was excited: finally a GRC 10.0 implementation. I was at a client and they had a need for it. I had the skill and enthusiasm to see it implemented. The client accepted my business case of lowering user administration and support cost, and I had the confidence to see this project through. Fantastic!! Woo-hoo GRC implementation here I come!!!!!!!!

 

Before I got my hands on the system, the business-process minded part of me had mapped out the strategy and approach. I put pen to paper and drew up my view of the access control processes: who would approve and what would they approve. My design integrated as much of Access Controls as possible.  I found my Internal Controls buddy to assist me in keeping this business orientated: yes I found my first friend. I realised at the beginning, this implementation would not be possible if my team did not include a business stakeholder who could define business requirements and help design what an unacceptable risk to the business is and what the business was prepared to do about it. This friend of mine came from an Audit background (yes, auditors are friends too!) and could provide valuable input on compliance requirements we needed to adhere to.

 

We were able to work together not only to define the process but also to identify the roles and responsibilities (in the form of a RACI model). In doing this, we identified organisational changes, which then led me to another group of friends known as the Change Managers. We have not even got the system built and I am now spending more time with an ex-Auditor/Internal Controls expert and a Change Manager to properly define how the business would use GRC. The Change Manager then asks ‘Will end users be impacted?’ Well, of course they will be, as we are trying to automate user access provisioning and we have segregation of duties and risk and so on. My next group of friends became the Trainers. Internal Controls, Change Managers and Trainers, oh my! And still no system!

 

It came time to submit the high level design for approval. My awesome pretty crap process designs were too high level. What I thought were three or four business processes were rebuilt by my next friend: the Business Analyst. This friend knew how to model business processes and took my diagrams (really PowerPoint slides) and broke them down to a much lower level. The business analyst identified logical gaps and incorrect assumptions without even knowing what GRC is (that soon changed). Had this friend not stepped in at the beginning I would have been in a world of pain with the workflow configuration, which would ultimately have resulted in rework, project delay and additional cost.

 

Finally my system was built by my friend Basis. This team became my first-and-best-techy-friend (hey, they always are). Until I started GRC, I had never raised a SAP message incident (I did not even know how to). SAP Marketplace and SCN contained my answers so it was never necessary. However, the solution to most of the SAP incidents I raised came in the form of a heap of notes and support stacks to apply, and Basis were there every step of the way. In addition, I had them assist me with the appropriate system settings: system parameters; RFC connections; trusted systems; LDAP connections and NWBC. Yes, I could go and configure them myself, but if this were an ERP system would a Functional Consultant be allowed to do the same?

 

As I started to prototype the solution and came across the business workflow I learned more about the flexibility and power of GRC. I was able to configure MSMP (I’m quite a fan of it) but then I realised it would be great to make friends with the Workflow and ABAP Developers, especially if they have BRF+ skills, and pick their brains. These developers would know how best to configure the workflow rules (do I use a decision table or a case statement?), build new launch pads and customise screen layouts. They would have a great naming convention for custom objects. They would also let me sit with them and help debug to find out why I am getting that short dump (i.e. confirm I need to raise a SAP incident).

 

I continued to prototype and refine some of the design as we all discovered what the system would be capable of. It then dawned on me how best to document the configuration and build. I reached out to a new group of friends and they were Functional Consultants who worked on the ERP system. My view was: we might be configuring different systems but we’re both doing configuration via IMG and maybe there is something I can leverage from them (via our Solution Architect).

 

So before I even got to the development system, I became friends with Internal Controls; Change Managers; Trainers; Basis; Workflow and ABAP developers; and Functional Consultants. Most of my friends were included in my project plan so that management knew up front the true effort and people necessary for a GRC implementation to be successful. Management knew that GRC was not a support tool but enabled business processes. Internal Controls was my key business representative, who had their own set of friends to determine business requirements that I could translate into technical deliverables.

 

My motivation in finding friends was a concern I had: if I relied only on my own skills we may deliver a workable solution but it may not be the most effective and efficient solution. Without calling on all friends here, I might have a solution that works for day one but what happens next year or the year after? What happens when business requirements change? What happens when support stack and enhancement packs are necessary?

 

I’m sure there are more friends. Had I continued on this project I would have met up with Change and Release Managers to migrate changes and thought through planning for enhancement packs, system refreshes and overall landscape design in conjunction with Basis. Oh, and if you’re wondering why no security: I did not forget them, as that was me.

 

My advice – depending on the size of your project you may not need all these friends. Consider them in your planning based on your own strengths and weaknesses. Leverage where you can as it will benefit your solution in the long term.

 

Do you have any recommendations for who you’d make friends with and leverage for a successful GRC implementation? I would love to hear your thoughts in the comments below.

 

Regards

Colleen

 

P.S. I would like to make a special thank you to Gretchen Lindquist for all your valuable feedback and encouragement to me for this blog.

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC


Since GRC 5.3 ran on the Java stack, customization of the GRC screens was not possible to any great extent. GRC 10.0 runs on the ABAP stack, so we have the flexibility to customize NWBC according to the client requirement, and you can customize NWBC to provide access that is not delivered through the SAP GRC ABAP roles.

“Whatever you want to see in NWBC, the choice is yours to enable it.”

 

With this customization of the NWBC launch pad we can do the following:

  1. Access all SAP systems
  2. Execute all backend system reports, e.g. SUIM and SE16 reports
  3. Customize the GRC settings (SPRO) from NWBC itself, with no need to log in via SAP GUI and use the SPRO transaction
  4. Create users and roles, and develop and configure MSMP from NWBC
  5. Run BI-related reports and queries, and much more

Hence you might not need SAP GUI at all once NWBC is customized.

 

The NWBC customization below is done from the web-based NWBC (Internet Explorer). Make sure that a portal administrator has created one system alias for each SAP system (ECC/Portal) in SAP Enterprise Portal (SAP EP).

Below are a few examples of NWBC customization:

 

  1. Accessing Backend systems
  2. Table Access
  3. MSMP Access
  4. BRF Plus Access
  5. Merging NWBC and SAP Login Screen in internet explorer

 

 

 

Step 1:

Go to SPRO --> Governance, Risk and Compliance --> Configure LaunchPad for Menus

               Image 1.JPG

You can see the launch pad below with the GRC (AC, PC and RM) related roles and their descriptions. Before customizing, we need to decide in which work center the customized menus/links should appear in NWBC. I have chosen the My Home work center in NWBC; for the My Home work center choose the GRACHOME role (see below).

Select the GRACHOME role and double-click it, or choose the Edit button.


               Image 2.JPG


Step 2:

Select New Folder to create a main menu in the work center and enter whatever text you need.
Here I have given the text My Company Access (shown in the screen), and the same text will appear in NWBC as the main menu. The system provides a default icon for the customized menu. Save the screen.

Note: You can change the folder name whenever you wish.

              Image 3.JPG

               Image 4.JPG

 

Step 3:

Choose the newly created folder (My Company Access) and select the New Application button.

Provide the name of the menu/link that will be executed from NWBC, e.g. Table Access.

Select one Application Category based on your requirement; a few of the SAP-provided application categories are listed below:

 

BEx Analyzer
BI Enterprise Report
BI Query
BI Web Template
Crystal Report
InfoSet Query
KM Document
Manager's Desktop
Transaction
Portal Page
Web Dynpro ABAP

 

I have selected Transaction as the Application Category; once you select Transaction, the system asks for the transaction code. See below:

Note: For one application you can select only one transaction and one application category.

As mentioned above, select the System Alias; in this example the System Alias is SAP-GRC-AC or Local.

               Image 5.JPG

Click on the Advanced Parameters tab.

GUI Type: this is optional and you can select whichever you need.

 

               Image 6.JPG

Step 4: Link to a Repository Application

To add existing SAP repository objects to the newly created custom folder, follow the process below:

Select My Company Access (the newly created folder) and click Link to a Repository Application. The system prompts a launch pad window (marked in green) to select an existing role. In the example below I have selected GRCIAREPOS.

Double-click on the role GRCIAREPOS.

Once you link your custom folder with a SAP repository application, you can also add SAP standard links to the custom folder.

               Image 7.JPG

Once you double-click the role GRCIAREPOS, you see the screen below:

               Image 8.JPG

Drill down into the GRC_AccessControl menu, select the relevant role that you want in the customized screen and drag it into the custom folder “My Company Access”.

This option lets us restrict what is reachable from the NWBC menus on top of the authorizations themselves. Note that it only controls what is visible in the menu: the underlying transaction must still be protected by the user's authorizations.

               Image 9.JPG

 

Add a separator if you wish to differentiate custom objects from SAP objects.

Select the folder My Company Access and click the Add Separator button. Now you can move the links/menus and the separator wherever you need.

               Image 10.JPG

You can see below the NWBC screens with and without customizing.

 

 

NWBC without customizing

               Image 11.JPG

NWBC with custom menus

 

               Image 12.JPG

 

Example 1: Accessing a SAP system from NWBC

Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction; in Application Parameter provide SESSION_MANAGER.

 

               Image 13.JPG

 

Save and start NWBC. Go to My Home --> click the link SAP Backend system.

               Image 14.JPG

A new window opens for the SAP backend system; click Start SAP Easy Access. The SAP session opens in Internet Explorer.

               Image 15.JPG

You can see the SAP screen in Internet Explorer/NWBC.

 

               Image 16.JPG

 

Example 2: Accessing SAP backend tables and reports from NWBC

Follow the same steps: Create New Application --> provide the link name Table Access --> select Transaction in Application Category --> provide the transaction code SE16

Save --> refresh NWBC and execute.

 

               Image 17.JPG

               Image 18.JPG    

 

Example 3: Opening MSMP from NWBC

Follow the same steps for this example as well.

               Image 19.JPG

Example 4: Opening the BRF+ application from NWBC

               Image 20.JPG

 

               Image 21.JPG

               Image 22.JPG

 

If you select the MSMP Configuration link you are redirected to the screen below, without any Internet Explorer link option.

 

Most important customization: merging NWBC and the SAP screen in Internet Explorer

Configuring the SAP screen and NWBC on one page

As explained above (already given in Example 1):

Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction, in Application Parameter provide SESSION_MANAGER and set the System Alias to SAP-GRC-AC.

               Image 13.JPG

Go to Advanced Parameters.

In Advanced Parameters select GUI Type: SAP GUI for HTML

Select Initial Screen in the Entries Once Started option

Portal parameter: select INPLACE Inplace


               Image 23.JPG

Save and execute in NWBC.

Once you refresh NWBC, you can see the link "SAP Backend system".

               Image 28.jpg

Click the SAP Backend system link and you will see the screen below.

Here you can execute all SAP transactions.

               Image 24.JPG

Click the Start SAP Easy Access button.

You will see the SAP screen below, similar to the SAP GUI screen.

In this screen everything is the same as in SAP GUI, but you can also see the NWBC menus: the SAP screen and NWBC are merged into one screen.

Even without SAP GUI installed, we can log in to the SAP backend system using this customization. This will be useful for small devices such as smartphones and tablets; soon we will be able to run SAP from small devices, depending on accessibility and network (SAP has already released an Android app for Firefighter ID approval).

               Image 25.JPG

Executing SAP transactions from NWBC

In this example I have executed PFCG; whatever transaction you execute, you can still see the NWBC work centers in the same screen.

 

               Image 29.jpg

 

Conclusion

In this way we can customize NWBC without any ABAP or Java knowledge, and whenever we need to, we can design and change the screens without much effort.

SAP has provided the flexibility to customize NWBC based on the client requirement.

A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.


These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


This blog will define the contents of the GRC rule set and will demonstrate how to download/upload the Access Risk Analysis Rule Set. Once downloaded, the rule set can be modified using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rule sets>risks>functions to a new namespace, such as "Z_".


SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:


  1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
  2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


The rule set is created during configuration via BC Set activation using transaction SCPR20. This table lists the canned rule sets in SAP Access Control 10.x.

 

BC Set ID                   BC Set description
GRAC_RA_RULESET_COMMON      Rule Set for Common rules
GRAC_RA_RULESET_JDE         BC Set for AC Rules for JDE
GRAC_RA_RULESET_ORACLE      BC Set for AC Rules for ORACLE
GRAC_RA_RULESET_PSOFT       BC Set for AC Rules for PeopleSoft
GRAC_RA_RULESET_SAP_APO     BC Set for AC Rules - SAP APO
GRAC_RA_RULESET_SAP_BASIS   BC Set for AC Rules - SAP BASIS
GRAC_RA_RULESET_SAP_CRM     BC Set for AC Rules for SAP CRM
GRAC_RA_RULESET_SAP_ECCS    BC Set for AC Rules for SAP ECCS
GRAC_RA_RULESET_SAP_HR      BC Set for AC Rules for SAP HR
GRAC_RA_RULESET_SAP_NHR     BC Set for AC Rules for SAP R3 less HR Basis
GRAC_RA_RULESET_SAP_R3      BC Set for AC Rules for SAP R3
GRAC_RA_RULESET_SAP_SRM     BC Set for AC Rules for SAP SRM


 

The only BC set that must be activated is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both the HR and BASIS rule sets (SAP note 1033326).

Once activated, all BC sets listed above are automatically combined into the “Global” rule set.

BC Set Example.jpg

 

SAP provides download and upload functionality via two (2) transactions:


GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.


grac_download.jpg


88.jpg

 

 

The rule set is exported and imported via nine (9) individual files. The files can be named anything; however, naming each file after its contents is useful for organizational purposes.

The following section gives a brief description of each file, the format of the export and the NWBC screen associated with it.

 

 

 

 

09.jpg                     

Business Process:


Business Process defines the business process, language, and business process description.


business_process_1.jpg


NWBC Business Process correlation:


61.jpg


Function:


Function defines the function, language, function description and single or cross system reference.


function_2.jpg


NWBC Function correlation:


62.jpg


Function Business Process:


Function to Business Process associates functions to business processes.


3.jpg


NWBC Function to Business Process correlation:


63.jpg

Function Actions:


Function to Actions associates functions to transaction codes and states whether the function is active or inactive.


4.jpg

NWBC Function to Actions correlation:


64.jpg


Function Permissions:


Function to Permissions associates functions to transaction codes, the respective authorization objects, field values, operators and active or inactive status.


5.jpg



NWBC Function to Permissions correlation:


65.jpg

Rule Set:


Rule Set defines the rule set, language and rule set description.


6.jpg


NWBC Rule Set correlation:


66.jpg


Risk:


Risk associates risks to functions and business processes and defines the priority of the risk, the type of risk, and active vs. non-active status.


7.jpg


NWBC Risk correlation:


67.jpg


Risk Description:


Risk Description defines the risk, language and risk description.


99.jpg


NWBC Risk Description correlation:


68.jpg



Risk Rule Set Relationship:


Risk Rule Set Relationship associates risks to a rule set.


9.jpg


NWBC Risk Rule Set Relationship correlation:


69.jpg


Demo of how to download a rule set in SAP Access Control 10.1:


GRAC_DOWNLOAD_RULES


Downloading the Access Control Rule Set via GRAC_DOWNLOAD_RULES. Choose format and accept pop-ups.

 


Demo of how to upload a rule set in SAP Access Control 10.1:


GRAC_UPLOAD_RULES


Uploading the Access Control Rule Set via GRAC_UPLOAD_RULES. Choose format and accept pop-ups.

 


Merging Rule Sets:


I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here, but any concrete examples shown merging rule sets could be viewed as divulging this proprietary information.


That said, the Excel COUNTIF, CONCATENATE and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you’re merging. Here are some key takeaways for those of you engaged in rule set merging:


Key takeaways for mass modification of the rule set:

    1. When downloading the rule set, note that Function to Actions and Function to Permissions depend on the logical group selected. Example: if you select the APO logical group, only the APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS are contained in the downloaded FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files.
    2. When downloading the rule set, note that if you select a connector (e.g. ECDCLNT100) the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files will contain no data.
    3. Active and non-active status key in RISK, FUNCTION_PERMISSIONS and FUNCTION_ACTIONS:

       Active       0
       Non-Active   1

The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.
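To show the merge step in working code rather than spreadsheet formulas, here is an added example; it is not SAP tooling and not the author's spreadsheet. It assumes a simplified tab-separated layout for the RISK, RISK_DESCRIPTION, RISK_RULESET_RELATIONSHIP and FUNCTION files, with columns taken from the field descriptions above; the real GRAC_DOWNLOAD_RULES format is not reproduced here and the sample IDs are invented, so adjust the column lists to an actual download before use. It performs the COUNTIF/VLOOKUP step (which delivered risks are absent from the customised set), the CONCATENATE step (copy them under a Z_ prefix and attach them to a Z_ rule set), applies the 0/1 status key from takeaway 3, and checks that every function a copied risk references exists in the target system, which a plain spreadsheet merge easily misses.

```python
"""Merge newly delivered SAP risks into a customised rule set under a Z_ namespace.

Added example, not SAP tooling. The tab-separated layouts are ASSUMED from the
field descriptions in the post; check a real GRAC_DOWNLOAD_RULES export and
adjust the column lists before using this on a live rule set.
"""
import csv
import io

ACTIVE, NON_ACTIVE = "0", "1"   # status key from the post: 0 = active, 1 = non-active

# Assumed column layouts, one list per downloaded file (no header row).
RISK_COLS = ["RISK_ID", "FUNCTION_ID", "BUSINESS_PROCESS", "PRIORITY", "RISK_TYPE", "STATUS"]
RISK_DESC_COLS = ["RISK_ID", "LANGUAGE", "DESCRIPTION"]
RISK_RULESET_COLS = ["RULESET_ID", "RISK_ID"]
FUNCTION_COLS = ["FUNCTION_ID", "LANGUAGE", "DESCRIPTION", "SCOPE"]


def parse_rows(text, cols):
    """Parse one downloaded file into dicts keyed by the assumed column names."""
    reader = csv.reader(io.StringIO(text.strip()), delimiter="\t")
    return [dict(zip(cols, row)) for row in reader if row]


def write_rows(rows, cols):
    """Serialise dicts back into the same layout for GRAC_UPLOAD_RULES."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    for row in rows:
        writer.writerow([row[c] for c in cols])
    return buf.getvalue()


def new_risk_ids(sap_risks, customer_risks):
    """The COUNTIF/VLOOKUP step: risk IDs SAP delivers that the customised set lacks."""
    return {r["RISK_ID"] for r in sap_risks} - {r["RISK_ID"] for r in customer_risks}


def to_namespace(sap_risks, sap_descs, ids, prefix="Z_", ruleset="Z_GLOBAL", active_only=True):
    """The CONCATENATE step: copy the selected risks under `prefix` and attach them to `ruleset`.

    Rows flagged non-active (status 1) are dropped unless active_only is False.
    Returns (risk rows, risk description rows, risk-to-rule-set rows).
    """
    risks = [{**r, "RISK_ID": prefix + r["RISK_ID"]} for r in sap_risks
             if r["RISK_ID"] in ids and (not active_only or r["STATUS"] == ACTIVE)]
    kept = {r["RISK_ID"] for r in risks}
    descs = [{**d, "RISK_ID": prefix + d["RISK_ID"]} for d in sap_descs
             if prefix + d["RISK_ID"] in kept]
    rels = [{"RULESET_ID": ruleset, "RISK_ID": rid} for rid in sorted(kept)]
    return risks, descs, rels


def missing_functions(risk_rows, customer_functions):
    """Functions the copied risks reference that the target system does not define.

    Uploading such risks leaves dangling references, so the FUNCTION,
    FUNCTION_ACTIONS and FUNCTION_PERMISSIONS rows for these IDs go first.
    """
    have = {f["FUNCTION_ID"] for f in customer_functions}
    return sorted({r["FUNCTION_ID"] for r in risk_rows} - have)


# Constructed sample downloads: IDs and texts are invented, not SAP-delivered content.
SAP_RISK = """\
R001\tF001\tBASIS\tHigh\tSOD\t0
R001\tF002\tBASIS\tHigh\tSOD\t0
R002\tF003\tFINANCE\tMedium\tSOD\t0
R003\tF004\tFINANCE\tLow\tSOD\t1
"""
SAP_RISK_DESC = """\
R001\tEN\tMaintain users and assign roles
R002\tEN\tPost and approve journal entries
R003\tEN\tRetired risk kept inactive
"""
CUSTOMER_RISK = """\
R001\tF001\tBASIS\tHigh\tSOD\t0
R001\tF002\tBASIS\tHigh\tSOD\t0
"""
CUSTOMER_FUNCTION = """\
F001\tEN\tUser maintenance\tSingle
F002\tEN\tRole assignment\tSingle
"""


def merge_example():
    """Run the merge on the constructed samples and return everything worth checking."""
    sap_risks = parse_rows(SAP_RISK, RISK_COLS)
    ids = new_risk_ids(sap_risks, parse_rows(CUSTOMER_RISK, RISK_COLS))
    risks, descs, rels = to_namespace(sap_risks, parse_rows(SAP_RISK_DESC, RISK_DESC_COLS), ids)
    return {
        "new_ids": ids,
        "risks": risks,
        "descriptions": descs,
        "relationships": rels,
        "missing_functions": missing_functions(risks, parse_rows(CUSTOMER_FUNCTION, FUNCTION_COLS)),
        "upload_relationships": write_rows(rels, RISK_RULESET_COLS),
    }
```

On the constructed samples, R002 and R003 are new; R003 is dropped because it is flagged non-active, R002 becomes Z_R002 in rule set Z_GLOBAL, and the function check reports F003 as missing from the target system, meaning its FUNCTION, FUNCTION_ACTIONS and FUNCTION_PERMISSIONS rows have to be merged before the risk is uploaded. Only risks and the rule set relationship are moved into the Z_ namespace here; renaming functions as well would require the same treatment for their actions and permissions files.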


In the Offline Workflow Process, a generic dump occurs when delivering the PDFs to the recipients. In ST22 we see the following short dump:

ASEER.JPG

This short dump does not say what the issue is or how to resolve it. Below I have separated the different issues I found behind this generic message and how to resolve each of them:



Possible causes and solutions:

 

Valid e-mail address:

    • The users who receive the work items do not have a valid e-mail address in SU01. The e-mail is not delivered and the number of dumps in ST22 becomes huge.
    • More information on how to find recipients or senders without an e-mail address: http://wiki.scn.sap.com/wiki/x/QwEjFg
    • SOLUTION: All recipients and senders must have a valid e-mail address in SU01.



Risk Management inactive:

    • If you do not use Risk Management (you have disabled the application in SPRO), you can hit an authorization issue when submitting the PDF to the users (for a sub-process assignment, for example). The issue is not visible, so the same message (ASSERTION_FAILED) is returned in ST22.
    • SOLUTION: Apply SAP note 1998579 - ASSERTION_FAILED in CL_GRFN_OWP_DELIVER

 

 

GRFN_OWP_SUB_JOB_SENDER is scheduled:

    • The ABAP program GRFN_OWP_SENDER has been scheduled under the name GRFN_OWP_SUB_JOB_SENDER. The job is cancelled because there is no work item to be delivered.
    • The error message is: Failed to load header of work item
    • More information on this error message: http://wiki.scn.sap.com/wiki/x/mYI5Fg
    • SOLUTION: Cancel the background job GRFN_OWP_SUB_JOB_SENDER and leave only GRFN_OWP_SENDER.

 

 

No physical content:

    • The error message is: Physical content not found for document
    • It means that the requested file is not available or cannot be found in the client.
    • SOLUTION: Users must check the file name and content in the system.

 

Adobe Services:

Failed to get OWP sender e-mail address:

    1. Execute transaction SPRO.
    2. Navigate to Governance, Risk and Compliance -> Process Control -> Offline Work Process -> Configure Email Inbound Process.
    3. Insert a row with Communication Type "Internet mail".
    4. Enter a valid e-mail address in the recipient address column.
    5. Enter the document class "*".
    6. Enter the exit name CL_GRFN_OWP_DELIVER.
    7. Enter the call sequence.
    8. Save the settings.


GRC 10.0 - GRC request with both System and Role line items

The most common question I have come across in this forum is how to handle GRC requests that contain both System and Role line items. As a system does not have an owner associated with it, the SYSTEM line item should be moved to a NO STAGE path while the remaining role line items follow the regular path.

 

 

The end user logs on to GRC and adds both System and Role line items to the request.

1. Create a BRF+ initiator decision table, as shown below, to route the System line item to the NO STAGE path as soon as the request is raised.

2. The MSMP configuration should look as shown below.

Once the above configuration is done and a request has both system and role line items, the system line item goes to NO_ROLEOWNER_PATH and the roles go to the regular path.
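As an added illustration (not SAP's BRF+ or MSMP code, and not the author's decision table, which appears only as a screenshot), the following Python models the initiator decision table as data and applies it per line item, which is exactly what splits a mixed request into two paths. NO_ROLEOWNER_PATH comes from the text; the attribute name ITEM_TYPE, the regular path name ROLE_OWNER_PATH, the stage name and the sample request are assumptions. It also surfaces the case worth testing for: a line item that matches no row gets no initiator result, and the code reports it instead of silently dropping the item.

```python
"""Initiator routing of an access request with SYSTEM and ROLE line items.

Added example, not SAP's BRF+ or MSMP code. It models the initiator decision
table from the post as data and applies it the way MSMP applies an initiator
rule: once per line item, so a request with both item types is split over two
paths. NO_ROLEOWNER_PATH is the path name used in the post; the regular path
name, the stage name and the attribute names are assumed.
"""
from collections import defaultdict

NO_STAGE_PATH = "NO_ROLEOWNER_PATH"   # path without approval stages (from the post)
REGULAR_PATH = "ROLE_OWNER_PATH"      # assumed name for the regular role-owner path

# Decision table rows: (conditions the line item must satisfy) -> result path.
# Evaluated top to bottom, first matching row wins (single-match semantics).
INITIATOR_TABLE = [
    ({"ITEM_TYPE": "SYSTEM"}, NO_STAGE_PATH),
    ({"ITEM_TYPE": "ROLE"}, REGULAR_PATH),
]


def initiator_path(line_item, table=INITIATOR_TABLE):
    """Return the path for one line item, or None when no row covers it."""
    for conditions, path in table:
        if all(line_item.get(field) == value for field, value in conditions.items()):
            return path
    return None


def route_request(line_items, table=INITIATOR_TABLE):
    """Split a request's line items by initiator result, as MSMP does.

    Returns a dict path -> list of line items; items no row matches are
    collected under the key None so the caller can reject or fix the request.
    """
    paths = defaultdict(list)
    for item in line_items:
        paths[initiator_path(item, table)].append(item)
    return dict(paths)


def approval_stages(path):
    """Stages per path, mirroring the MSMP setup in the post: none for the system item."""
    if path is None:
        return None                     # unrouted: nothing can approve it
    return [] if path == NO_STAGE_PATH else ["ROLE_OWNER"]   # stage name assumed


# Constructed request: one SYSTEM item and two ROLE items (names invented).
REQUEST = [
    {"ITEM_TYPE": "SYSTEM", "CONNECTOR": "ECDCLNT100"},
    {"ITEM_TYPE": "ROLE", "CONNECTOR": "ECDCLNT100", "ROLE": "Z_FI_AP_CLERK"},
    {"ITEM_TYPE": "ROLE", "CONNECTOR": "ECDCLNT100", "ROLE": "Z_MM_BUYER"},
]


def routing_summary(line_items=REQUEST):
    """Path -> (number of items, stages) for a request."""
    return {path: (len(items), approval_stages(path))
            for path, items in route_request(line_items).items()}


if __name__ == "__main__":
    for path, (count, stages) in routing_summary().items():
        print(f"{path}: {count} line item(s), stages {stages or 'none'}")
```

Adding a row to INITIATOR_TABLE is the analogue of adding a row to the BRF+ decision table, and the order matters because the first match wins; a request type you forgot to cover shows up under the None key rather than disappearing.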

 

Recently, I came across with an unique issue where I was not able to transport the SoD rule set across the clients.

 

  • SoD transport issues with GRC AC10.0 SP14

While creating the transport request as Customizing, the system was throwing an error and asking to create the transport request as a Workbench Request (I understand you would all be amazed, the same way I was). It doesn't really require creating a WB-TR to transport SoD across clients, but just to give it a try I created one (WB-TR); then the system started behaving in a strange way and didn't even allow me to enter the WB-TR.

Transport issues.png

 

After a couple of tries at the same and struggling with it, and in the absence of any supportive solutions on SDN/SCN/Google, I decided to reach out to SAP.

They provided the SAP Note: , but for the system version GRCFND_A SP14 and SAP NW 740 with version 11, and as I was on version 10 I couldn't apply it, so I requested SAP to provide the compatible note, which I got today; in fact it was released as of today. The SAP Note: 1991730 - Not able to create transport for SoD Rules after upgrading to NW 740 SP04 AC 10.0 (http://service.sap.com/sap/support/notes/1991730). So, now I am finally able to rectify the original issue with transporting the SoD rule sets.

 

 

  • SoD Transport issues with GRC AC 10.1 SP04/05

For those who are on AC 10.1 with SP04, I am sure they would encounter similar issues whilst transporting the SoD rule sets across clients/systems, as I did.

Getting no solution from anywhere, I decided to reach out to SAP seeking a solution, and it was a quick and perfect solution. They recommended implementing http://service.sap.com/sap/support/notes/1968082

 

This note is applicable to GRC AC 10.1 with SP04.

 

I had almost forgotten to update this information until now, when I saw a thread claiming to have encountered the same issue.

Thinking this could be new/helpful to others, I am sharing it with you.

 

Cheers,

Ameet Kumar

A large amount of time during a SAP GRC project is spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over which responsibility.

In this post I would like to clarify the lifecycle of user assignments to Firefighter IDs. I have grouped it into four steps: Assign, Usage, Delete and Review. For each step, see the expected tasks and who is involved. Please also see my blog post about the Firefighter ID lifecycle if you are interested in more information on this topic.

The RACI matrix shows who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can differ in your organization. My considerations are common sense and aim at smooth processes throughout a global enterprise.

 

 

Assignment of User to Firefighter ID

 

Tasks

  • Request FF ID assignment
  • Define validity of assignment
  • Assign user to FF ID
  • Define FF controller and method of notification

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible

RACI_FFID_User_Assign.png

 

 

Usage of Firefighter ID

 

Tasks

  • Usage of Firefighter
  • Check Firefighter logfiles

 

Involved functions

  • Firefighter ID user
  • Firefighter controller

RACI_FFID_User_Usage.png

 

 

Deletion of Firefighter ID assignment

 

Tasks

  • Delete Firefighter ID assignment

 

Involved functions

  • Firefighter owner
  • SAP GRC responsible

RACI_FFID_User_Delete.png

 

 

Review of Firefighter ID assignment

 

Tasks

  • Review whether the Firefighter ID assignment is still correct
  • Define actions if necessary

 

Involved functions

  • Firefighter owner
  • Firefighter controller
  • SAP authorization team
  • SAP GRC responsible

RACI_FFID_User_Review.png

 

Please contribute and share your opinion as comment to improve the quality of this document.

 

Thanks and regards,

Alessandro

Knowledge, Skill & Performance Assessments and Tests are more critical than ever, especially within such industries as Utilities, Financial Services, Public Sector, and High Tech where knowledge needs to be assessed through testing and certifications on a regular basis.

Regulatory bodies and their requirements on such testing and assessment vary by industry and country; some examples: FDA compliance (21 CFR Part 11), SOX (Sarbanes-Oxley), OSHA (Occupational Safety and Health Administration), AGG (Allgemeines Gleichbehandlungsgesetz) or GMP (Good Manufacturing Practice).

 

SAP Education recently added the assessment technology specialist Questionmark to its portfolio under the brand SAP Assessment Manager, so I thought this might also be of interest for the GRC space on SCN.

 

Here is a selection of information sources on the general background and on SAP Assessment Manager:

  • Intro Blog to SAP Assessment Manager with press-release, video etc. by Stewart Davis
  • Blogpost on "Making a business case for “testing out” of training/ Online assessments in compliance #1" by John Kleeman
  • If you want to see customer case studies, demos and further details, please register for one of our webinars. The first one is German-speaking, taking place this Friday at 14:00, and accessible here. Further English-speaking webinars will follow.

 

Hope this info was useful. Please use the comments section to share your feedback and questions.

A large amount of time during an SAP GRC project is spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over which responsibility.

 

In this post I would like to clarify the lifecycle of Firefighter IDs. I have grouped them into four steps Create, Change, Delete and Review. Please see for each step expected Tasks and who is involved.


I have additionally added the RACI matrix to show who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can differ in your organization. My considerations are common sense and aim at smooth processes throughout a global enterprise.

Lifecycle_Mitigating_Control.png

 

Creation of Firefighter ID

Tasks

  • Define the necessary access rights of the FFID
  • Define the responsibilities (Ownership, Controller)
  • Create Firefighter ID

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner

RACI_FFID_Create.png

 

Changing of Firefighter ID

 

Tasks

  • Define the necessary changes in access rights
  • Define changes in responsibilities (Ownership, Controller)
  • Define changes of Firefighter ID (e.g. validity)

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner

RACI_FFID_Change.png

 

Deletion of Firefighter ID

 

Tasks

  • Delete the Firefighter ID
  • Document the decision of the deletion
  • Archive the associated firefighter log files

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible

RACI_FFID_Delete.png

 

Reviewing of Firefighter ID

 

Tasks

  • Review validity
  • Review firefighter ownership and controller
  • Check proper access rights

 

Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner

RACI_FFID_Review.png

 

If you want further information or would like to contribute to this blog post, do not hesitate to contact me or reply to this post directly.

Process Control depends entirely on the frequencies and timeframes maintained in Customizing under General Settings -> Key Attributes -> Maintain Timeframe Frequencies / Maintain Timeframes. When you create custom timeframes, keep their frequencies active and the timeframes available for as long as any task created with that custom timeframe still exists.

When a plan is created, it is bound to the timeframe chosen at that point. Every time a user opens the Planner, all tasks are validated against the timeframe chosen when they were created; a task whose timeframe has since been removed, or whose frequency has been deactivated, no longer resolves.

Sometimes an ASSERTION_FAILED dump is raised when accessing the Planner, pointing at class CL_GRFN_API_TIMEFRAME and method GET_FREQ. A missing or inactive timeframe is the first cause to check.

If you face the symptom described above, check the following SAP Note:

SAP Note 1970216: ABAP Dump when accessing Planner

If you cannot find the missing or inactive timeframe, this wiki page explains how to locate it:

http://wiki.scn.sap.com/wiki/x/kIeoFQ
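The validation described above, as an added illustration that is not part of the post and not SAP's own code: a small Python model of the Planner-time check. Frequency, Timeframe, Task, get_freq() and find_blocking_tasks() are assumed names that mirror the behaviour the post describes (each task is re-validated against the timeframe it was created with, and an unresolvable timeframe or inactive frequency surfaces as an assertion failure rather than a handled error); the Customizing data is constructed. can_retire() is the pre-check a practitioner would run before deactivating a custom frequency.

```python
"""Model of Process Control's Planner-time timeframe validation.

Added illustration, not SAP code. The class and function names are
assumptions; the sample Customizing data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frequency:
    freq_id: str
    active: bool


@dataclass(frozen=True)
class Timeframe:
    tf_id: str
    freq_id: str
    available: bool


@dataclass(frozen=True)
class Task:
    task_id: str
    tf_id: str  # timeframe chosen when the task was created


def get_freq(tf_id, timeframes, frequencies):
    """Resolve a task's timeframe to its frequency.

    Mirrors the failure mode on the page: an unavailable timeframe or an
    inactive frequency is an assertion violation, not a handled error.
    """
    tf = timeframes.get(tf_id)
    if tf is None or not tf.available:
        raise AssertionError(f"timeframe {tf_id} missing or unavailable")
    freq = frequencies.get(tf.freq_id)
    if freq is None or not freq.active:
        raise AssertionError(f"frequency {tf.freq_id} missing or inactive")
    return freq


def find_blocking_tasks(tasks, timeframes, frequencies):
    """Return (task_id, reason) for every task whose timeframe no longer
    resolves, i.e. exactly the tasks the Planner would dump on."""
    problems = []
    for task in tasks:
        try:
            get_freq(task.tf_id, timeframes, frequencies)
        except AssertionError as exc:
            problems.append((task.task_id, str(exc)))
    return problems


def can_retire(freq_id, tasks, timeframes, frequencies):
    """Pre-check: True only if deactivating freq_id breaks no existing task."""
    trial = dict(frequencies)
    trial[freq_id] = Frequency(freq_id, active=False)
    return not find_blocking_tasks(tasks, timeframes, trial)


# Constructed sample Customizing: one standard and one custom frequency.
FREQUENCIES = {
    "MONTHLY": Frequency("MONTHLY", active=True),
    "ZCUST13": Frequency("ZCUST13", active=True),
}
TIMEFRAMES = {
    "M01_2014": Timeframe("M01_2014", "MONTHLY", available=True),
    "ZP13_2014": Timeframe("ZP13_2014", "ZCUST13", available=True),
}
TASKS = [
    Task("T1", "M01_2014"),
    Task("T2", "ZP13_2014"),  # created with the custom timeframe
]

if __name__ == "__main__":
    print(find_blocking_tasks(TASKS, TIMEFRAMES, FREQUENCIES))  # []
    print(can_retire("ZCUST13", TASKS, TIMEFRAMES, FREQUENCIES))  # False: T2 still uses it
```

Run the pre-check against the real task list before deactivating a custom frequency or removing a timeframe; any task it reports is one the Planner would dump on afterwards.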

SAP Fraud Management uses a modular architecture so that partners and customers can extend the solution with new detection rules and investigation features. You can quickly adapt SAP Fraud Management to address new customer-specific fraud scenarios.


SAP has now released the SAP Fraud Management Enablement Sessions, a set of videos that explain how to extend SAP Fraud Management with new detection rules and investigation features. With these videos, you can get up to speed on SAP Fraud Management extension concepts and implementation quickly, so that you can get a fast start on enhancement projects.


The following videos in the series SAP Fraud Management Enablement Sessions are on offer (it takes a couple of seconds to start the video player, so don't be alarmed if you have to wait a short while). The Enablement Sessions build on one another: view the entire series if you are new to SAP Fraud Management, or skip to the video that helps you with your current task.

 

The SAP Fraud Management Enablement Sessions are as follows:

 

  • Introduction - Here, you'll get an overview of the Enablement Sessions and a quick introduction to SAP Fraud Management.
  • Data Modeling for Detection - This session explains how detection is modeled in SAP Fraud Management, how to create your own detection data model, and how to set up the data model in Customizing.
  • Implementing Detection Methods - Here, you'll learn how to implement a detection method in SAP Fraud Management. The solution uses detection methods to find specific irregularities, using SQLScript procedures to harness the speed and power of SAP HANA.
  • Creating and Calibrating Detection Strategies - A detection strategy groups related detection methods to search for signatures of business irregularities and potential fraud. This video explains how to set up and optimize detection strategies using SAP Fraud Management Calibration. You'll also learn about alerts in SAP Fraud Management.
  • Extending the Network Analyzer - In this video, you'll learn how to set up the Network Analyzer provided by SAP Fraud Management to analyze your own detection data model. The Network Analyzer is a powerful investigation tool for graphically displaying relationships in the data, such as relationships between suspicious purchase orders and potentially fraudulent vendors.


You can also turn to the Extensibility Guide for SAP Fraud Management for support in your enhancement projects. Here is the Wiki version of this posting.

SAP Fraud Management Release 1.1 SP02, powered by SAP HANA, has been released as of February 10, 2014 together with a new solution, SAP Audit Management, powered by SAP HANA.

 

SAP Fraud Management, in General Availability since September 2013, and SAP Audit Management, in General Availability as of February 10, 2014, share infrastructure and can use one another's features. The solutions offer advanced HTML5 user interfaces that have been designed together with users for efficiency and user-friendliness. The modular infrastructure shared by the applications makes it possible to extend them. For example, SAP Fraud Management can be extended to address customer-specific fraud scenarios. The ability of SAP HANA to offer real-time analysis of large volumes of data allows new approaches to assurance and compliance issues.

 

The two solutions belong for technical reasons to a new product, SAP Assurance and Compliance Software. In a previous version of this blog, this product was incorrectly accorded a higher status than it actually has. The product provides an organizational wrapper for the SAP Fraud Management and SAP Audit Management solutions. Installation and upgrade guides and installation components in the Service Marketplace and SAP Maintenance Optimizer appear under the product name SAP Assurance and Compliance Software. What is actually licensed and directly used are the two solutions, SAP Fraud Management and SAP Audit Management, which can be used together or separately.

 

The solutions of SAP Assurance and Compliance are integrated with SAP Governance, Risk and Compliance. SAP Fraud Management, for example, can create a corresponding ad-hoc issue in SAP GRC Process Control (GRC-SPC) when a fraud alert is closed with the finding 'Proven Fraud'.

 

The solutions can be deployed on-premise as well as in the cloud.

SAP Fraud Management Release 1.1 SP02, powered by SAP HANA, has been released together with a new solution, SAP Audit Management, powered by SAP HANA, as of February 10, 2014.

 

SAP Fraud Management, in General Availability as of September, 2013, and SAP Audit Management, in General Availability as of February 10, 2014, share infrastructure and can use each other's features. The solutions offer advanced HTML5 user interfaces that have been designed together with users for efficiency and user-friendliness. The lightweight infrastructure shared by the applications makes it possible to extend the applications, for example, to address customer-specific fraud scenarios with SAP Fraud Management. The ability of SAP HANA to offer real-time analysis of big data allows new approaches to assurance and compliance issues.

 

The two solutions belong for technical reasons to a new product, SAP Assurance and Compliance Software. In a previous version of this blog, this product was incorrectly accorded a higher status than it actually has. The product provides only a technical wrapper for the SAP Fraud Management and SAP Audit Management solutions. Installation and upgrade guides and installation components in the Service Marketplace and SAP Update Manager appear under the name SAP Assurance and Compliance Software. But the two solutions are usable separately or together and are searchable in SAP web sites under their own names as well as under the new product name.

 

The solutions of SAP Assurance and Compliance are integrated with the SAP Governance, Risk and Compliance Suite. SAP Fraud Management, for example, can create a corresponding ad-hoc issue in SAP GRC Process Control (GRC-PC) when an SAP Fraud Management alert is closed with the finding 'Proven Alert'.

 

The solutions can be deployed on-premise as well as in the cloud.

Risk Lifecycle

Posted by Alessandro Banzer, Feb 23, 2014

A large amount of time during an SAP GRC project is spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over which responsibility.

 

In this post I would like to clarify the lifecycle of Risks. I have grouped them into four steps Create, Change, Delete and Review. Please see for each step expected Tasks and who is involved.

 

On request I have additionally added the RACI matrix to show who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can differ in your organization. My considerations are common sense and aim at smooth processes throughout a global enterprise.

 

Creation of Risks

 

Tasks

  • Define the SoD risk on business level (e.g. with internal auditors)
  • Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)
  • Implement the risk within SAP GRC AC
  • Validate the risk analysis results

 

Involved functions

  • Risk owner
  • Process owner
  • ICS responsible
  • SAP GRC responsible

RACI_Risks_Create.png

 

Changing of Risks

 

Tasks

  • Define the changes within the SoD risk on business level (e.g. with internal auditors)
  • Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)
  • Change the risk within SAP GRC AC
  • Validate the risk analysis results

 

Involved functions

  • Risk owner
  • Process owner
  • ICS responsible
  • SAP GRC responsible

RACI_Risks_Change.png

 

Deletion of Risks

 

Tasks

  • Delete risks within SAP GRC AC which are no longer valid
  • Document the deletion of the risk and especially the decision to delete the risk

 

Involved functions

  • Risk owner
  • ICS responsible
  • SAP GRC responsible

RACI_Risks_Delete.png

 

Reviewing of Risks

 

Tasks

  • Analyse if maintained risks within SAP GRC are still valid
  • Define actions to take because of:
    • New business processes
    • Changes in the IT system
    • Changes in the Internal Control System

 

Involved functions

  • Risk owner
  • Process owner
  • ICS responsible
  • SAP GRC responsible

RACI_Risks_Review.png

 

If you want further information or would like to contribute to this blog post, do not hesitate to contact me directly.
