SAP Governance, Risk & Compliance
Access Control 5.3
GRC Overview
Why GRC?
Audit teams need to know user access and authorization controls.
Requests for emergency access (with all admin rights) are unexpected and cannot be monitored or controlled.
Detection of violations (improper authorizations) for users is difficult.
It is unclear whether user authorizations follow standard rules.
Approval for access from a manager takes time, and monitoring access requests and approvals is difficult.
The user life cycle and authorization management process is manual, so it is error-prone.
What is GRC?
SAP Governance, Risk, and Compliance solutions help companies comply with Sarbanes-Oxley and other regulatory mandates by enabling organizations to rapidly identify and remove access and authorization risk from IT systems, and embed preventive controls into business processes to stop future Segregation of Duties (SoD) violations from occurring.
SAP GRC Components
SAP GRC Access Control
SAP GLOBAL TRADE SERVICES
SAP PROCESS CONTROL
SAP RISK MANAGEMENT
What is GRC Access Control?
SAP GRC Access Control is an application that provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.
GRC Access Control Versions
SAP GRC Access Control 4.0 / 5.1
SAP GRC Access Control 5.1
SAP GRC Access Control 5.2
SAP GRC Access Control 5.3
Product architecture (for versions 5.1 and above)
Each Access Control product requires the following two components:
A common ABAP-based component that resides on your SAP ERP server. This component is called a “Real-Time Agent,” or RTA. The RTA accesses data from your SAP system and communicates with the front-end Java component, to allow you to see and make changes to that data.
A Java-based component that resides on your web application server. This component provides the user interface you use to make changes in your SAP database. The Java component sends data queries and revised data to the ABAP component, which connects directly to the SAP database.
While each Java-based component provides a unique user interface for each Access Control product, the ABAP-based RTA component is not unique for each Access Control product.
SAP GRC Access Control 5.3 suite features
Risk Analysis and Remediation (formerly known as Virsa Compliance Calibrator), which supports real-time compliance to detect, remove, and prevent access and authorization risk by controlling violations before they occur.
Compliant User Provisioning (formerly known as Virsa Access Enforcer), which automates provisioning, tests for Segregation of Duties issues, and streamlines approvals to unburden IT staff.
Enterprise Role Management (formerly known as Virsa Role Expert), which standardizes and centralizes role creation and maintenance.
Superuser Privilege Management (formerly known as Virsa Firefighter), which enables users to perform emergency activities outside their roles as a “privileged user” in a controlled and auditable environment.
Prerequisites
In order to install Access Control 5.3 on your system, verify that the following components are installed on your server:
SAP NetWeaver 7.0 (2004s) SP12
SAP Internet Graphics Service (SAP IGS), for the graphs to be displayed on Management Reports.
For ERP systems that will install Access Control Real Time Agents (RTA), the following prerequisites must be met:
For SAP ERP System 4.6C, the system must be at level Support Pack Stack 55
For ERP 4.70 system, the system must be at Support Pack Stack level 63
For ERP 04 system, the system must be at Support Pack Stack level 21
For ERP 6.0 system, the system must be at Support Pack Stack level 13
1. Download & Installation
To download Access Control v5.3 for installation, go to the SAP Software Distribution Center on SAP Service Marketplace at http://service.sap.com/swdc -> Download -> Installation and Upgrades -> Entry by Application Group -> SAP Solutions for Governance, Risk and Compliance -> SAP GRC ACCESS CONTROL
The Access Control 5.3 installation package includes:
An ABAP software component that provides the Access Control Real-Time Agent (RTA).
A Java software component that runs on NetWeaver 2004s on a Web Application Server 700.
The ZIP file contains all software components: Java SCA files and Real Time Agents (RTA) for all available backend release levels.
In the folder Adapter you'll find the Greenlight Adapters for JDE, Oracle and PeopleSoft.
Installation & User Guides
You can find relevant documentation on SAP Service Marketplace at http://service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for GRC -> SAP GRC Access Control -> Release 5.3
2. SAP NW AS Java: Check SP Level, Java Version and JVM Performance Parameters
For AC 5.3, SAP NW AS 7.0 SP12 or higher is required.
Here is where you find the patch for SAP J2EE Engine Core 7.00: https://service.sap.com/swdc -> Support Packages and Patches -> SAP NetWeaver -> SAP NETWEAVER -> SAP NETWEAVER 7.0 -> Entry by Component -> Application Server Java -> SAP J2EE Engine Core. Patch 2 includes Patch 1.
Notes: JVM Memory / Performance Parameters
723909 - Java VM settings for J2EE 6.40/7.0
1044173 - Recommended NetWeaver Setting for Access Control 5.x
1121978 - Recommended settings to improve performance risk analysis
1158625 - If you are using MS SQL Server
3. SAP NW AS Java: Check SP Level, Java Version and JVM Performance Parameters
http://<server>:<port>
4. Check SLD Configuration
Ensure that the SLD is configured and running:
Go to: http://<sld-server>:5<instancenumber>00/sld/index.html
Remember that the SLD may be installed on a different server!
5. Check Connection from Access Control Server to SLD
Web Dynpro Content Administrator: check SLD connection
6. Check SAP Internet Graphics Server
Verify that the Internet Graphics Server (IGS) is configured and running:
Go to: http://<host_name>:4<instance number>80
A graphic screen should display.
If not successful, check Installation Guide Appendix C. Use the fully qualified host name!
7. Usage of JSPM for AC 5.3 Installation
Copy the AC 5.3 installation SCA files to /usr/sap/trans/EPS/in/
The JSPM is a tool that works similarly to SDM and has to be started from the OS level of the server as user <SID>ADM from /usr/sap/<SID>/<CI>/j2ee/JSPM/go.bat
AC 5.3 comes with the following SCA files:
VIRCC00_0.SCA - Risk Analysis and Remediation
VIRAE00_0.SCA - Compliant User Provisioning
VIRRE00_0.SCA - Enterprise Role Manager
VIRFF00_0.SCA - Superuser Privilege Management
VIRACLP00_0.SCA - Launch Pad
VIREPRTA00_0.SCA - Enterprise Portal
Deploy the first 4 SCA files first, then deploy the 5th SCA file.
The last SCA file contains the RTA for the NetWeaver Portal EP7.0 SP12+. Deploy it to all your NetWeaver Portal 7.0 servers in scope of your implementation.
For more details, check Appendix A and E in the Installation Guide.
7. Login JSPM
JSPM: Select "New Software"
JSPM: Select SCA files. Deploy CC, AE, FF, RE first, then VIRACLP00_0.SCA - Launch Pad
8. Check SP Levels of your SAP Backend Systems / Prepare RTA Installation
Check required SP levels for software components SAP_BASIS, SAP_ABAP and SAP_HR in the table below.
1133161: Install SAP GRC Access Control 5.3 on SAP BASIS 46C Non-HR
1133163: Install SAP GRC Access Control 5.3 on SAP BASIS 620 Non-HR
1133165: Install SAP GRC Access Control 5.3 on SAP BASIS 640 Non-HR
1133167: Install SAP GRC Access Control 5.3 on SAP BASIS 700 Non-HR
1133162: Install SAP GRC Access Control 5.3 on SAP BASIS 46C HR
1133164: Install SAP GRC Access Control 5.3 on SAP BASIS 620 HR
1133166: Install SAP GRC Access Control 5.3 on SAP BASIS 640 HR
1133168: Install SAP GRC Access Control 5.3 on SAP BASIS 700 HR
9. Plan Your System Landscape
Discuss with your basis team your system landscape for Access Control.
Do you plan for a 2-tier or 3-tier landscape for SAP GRC Access Control?
How do you plan to connect your AC 5.3 instances to your multi-tier backend landscape?
Customer System Landscape - Please enter all SIDs, SP levels etc.
Integration of a Two-Tier GRC Access Control Landscape
Logical Systems: Grouping of physical systems sharing the same risk rules
A two-tier Access Control landscape can connect to an N-tier back end
Always apply latest Support Packages for Access Control
Always apply the latest support packages for Access Control 5.3 during Ramp-Up.
There are two types of AC 5.3 Support Packages:
For the AC 5.3 application on NW AS Java 7.00 itself (cumulative)
For the NH and HR RTAs in the backend (incremental)
Content of all RTA Support Packages (Backend) is listed in the following notes:
RAR: 1168120
CUP: 1168508
ERM: 1168183
SPM: 1168121
To upload UME Roles and Create AC Administrator User
https://ip:54501/index.html
Log on to UME and click on Import
Check Background Job Daemon
It is possible that the background job daemon is engaged in another thread for another background job. The job status can be confirmed from the URL:
Call the URL http://<server>:<port>/sap/CCBgStatus.jsp - it should come up with status "running"
Check Analysis Engine Daemon Manager
Call the URL http://<server>:<port>/sap/CCADStatus.jsp - it should come up with status "running"
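The SLD, IGS and daemon status checks above can be scripted as one post-installation health check. This is an added example, not SAP code and not part of the original slides; it assumes that <port> in the daemon URLs is the AS Java HTTP port and that the status pages show the word "running" as plain text.

```python
# Added example (not SAP code): health check for the URLs listed on this page.
import urllib.request

DAEMON_PAGES = {  # status pages named on the page
    "background_job_daemon": "/sap/CCBgStatus.jsp",
    "analysis_daemon": "/sap/CCADStatus.jsp",
}

def _nn(instance):
    """Validate a two-digit SAP instance number such as '45'."""
    if not (len(instance) == 2 and instance.isascii() and instance.isdigit()):
        raise ValueError(f"instance number must be two digits, got {instance!r}")
    return instance

def j2ee_http_port(instance):
    return int(f"5{_nn(instance)}00")  # page pattern: 5<instancenumber>00

def igs_http_port(instance):
    return int(f"4{_nn(instance)}80")  # page pattern: 4<instance number>80

def check_urls(host, instance, sld_host=None, sld_instance=None):
    """Build every URL to probe; the SLD may be installed on a different server."""
    sld_port = j2ee_http_port(sld_instance or instance)
    urls = {
        "sld": f"http://{sld_host or host}:{sld_port}/sld/index.html",
        "igs": f"http://{host}:{igs_http_port(instance)}",
    }
    # Assumption: <port> in the daemon URLs is the AS Java HTTP port.
    for name, path in DAEMON_PAGES.items():
        urls[name] = f"http://{host}:{j2ee_http_port(instance)}{path}"
    return urls

def evaluate(name, status, body):
    """SLD and IGS need HTTP 200; daemon pages must also report 'running'."""
    if status != 200:
        return False
    if name in DAEMON_PAGES:
        text = body.lower()  # assumption: the status is shown as plain text
        return "running" in text and "not running" not in text
    return True

def fetch(url, timeout=10):
    """Return (status, body); (0, '') when the server cannot be reached."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except OSError:  # URLError and HTTPError are OSError subclasses
        return 0, ""

def run_checks(host, instance, fetcher=fetch, **sld):
    """Probe all URLs; fetcher is injectable so the logic can be tested offline."""
    return {name: evaluate(name, *fetcher(url))
            for name, url in check_urls(host, instance, **sld).items()}
```

Calling run_checks with the fully qualified host name and the two-digit instance number returns one True/False entry per check; any False entry points at the matching step above.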
If the analysis daemon threads and web services are stopped, the threads may be restarted from URL:
Check connectors using the following link and try to search for users
https://10.77.130.112:54501/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger
Troubleshooting Background Jobs in GRC Access Control
https://10.77.130.112:54501/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger
Step 1) Check the entries in the virsa_cc_config table.
Step 2) If the entries for 105, 106, 107 are missing, please update the table virsa_cc_config with the following records.
GRC Initial Screen