Channel: Governance, Risk and Compliance (SAP GRC)

Why the email is not triggering when the firefighter controller asks for more information?


 

When the controller asks the firefighter user for more information, why is the notification email not triggered?

    

- To solve this, follow the steps in SAP Note 2024111 - Firefighter not receiving email notification on work item. This note explains step by step how to set up this notification.

 

 

If the controller asks for more information a second time, why is the notification email not triggered?

 

- Implement SAP Note 2230867 - WF: Return event e-mail notification not being sent again if already sent once. This note corrects the code so the notification is also sent the second, third and subsequent times.

 

 

Regards,

 

Rafael.


GRC. Recent experience with BSP hanging


Dear colleagues,

I would like to share my recent experience with BSP hanging while I was trying to create an ARQ. Only two services were hanging, and only in one client. Please read my investigation and you will understand why.

Now I'm working on a project that requires integrating GRC with LDAP group assignment. I perform all customizing activities in client 200. In order to stop messing up the LDAP logs, I stopped the connector and set its status to DOWN.

While I was trying to find something in the logs, in parallel I decided to run my test scenario one more time. However, I wanted to activate the connector right before I pushed "Approve" on the last stage of the request, to minimize the log length.

And what did I find? My "Copy request" function stopped working. Then I tried to use "Template Based Request" in order to create a request from scratch. The same picture: the BSP page hangs.

In the process monitor (SM50) I found this:

The problem seemed global, and I called the same links from the other client of the same system (230). No problem, the pages opened in a second.

After the timeout I analysed the ST22 information.

Shock!!! The first information I saw was:

And below

So, I would like to ask anyone who reads my post

What do you think: why does the system do this selection?!

For me it seems not good, because for some reason the LDAP connector might be switched off. And what then? All activities with other connectors also stop?

If a GRC architect reads my post, please adjust the check logic or kindly explain why we need it.

 

Regards,

Artem Ivashkin

 

P.S. After you activate the LDAP connector again your service will work (the hung pages will not come alive; a restart is required).


GRC PC FI & MM: Pre Delivered Configurable Rule List- Table and Field Information

Rule/Business Rule | Name | Table | Mapping View/Object Class/Handler | Deficiency Fields | Transaction Code
FIDOTYP_05C1_01_A | Changes to Accounting Document Types | T003 | V_T003 / T003 (SCU3) | N/A | OBA7
FIDOTYP_05C3_01_A | Changes to Account Types allowed to each Document Type | T003 | V_T003 | BRGRU, XGSUB | OBA7
FIDOTYP_05C2_01_A | Changes to Account Types allowed to each Document Type | T003 | V_T003 / T003 (SCU3) | XKOAS, XKOAA, XKOAD, XKOAM, XKOAK | OBA7
FICLPEP_03C4_01_A | Changes in MM Period Close | MARV, T001 | V_001_MARV | N/A | OMSY
FIEXCHRT_01C1_01_A | Changes to Currency Exchange Rates | TCURR | V_TCURR | N/A | OB08
FIMDCOA_02M1_02_A | Monitoring GL Master Account Indicator at Chart of Accounts Level | SKA1 | SACH | N/A | FSPO
FIMDCCD_02M2_02_A | Changes to GL Master at Company Code Level | SKB1 | SACH / SKB1 (SCU3) | N/A | FSSO
FIMDCCD_02M2_03_A | Changes to GL Master at Company Code Level | SKB1 | SACH | XKRES, XINTB, ZUAWA | FSSO
LOPURVAP_07M1_01_A | Monitor Changes to Vendor Master Data | LFA1, LFB1, T001 | KRED | N/A | XK01 (or) XK02
LOPURVAP_07M1_02_A | Monitor Vendor Master Data Values Changed to Blank | LFA1, LFB1, T001 | KRED | LNRZB, REPRF, ZWELS, AKONT, ZTERM, TOGRU | XK01 (or) XK02
LOPURVAP_07C2_04_A | Record Changes to System Settings that Prevent Duplicate Invoice Posting | T003 | V_T003 | XMREF (Changes) | OBA7
LOPURVAP_07C2_05_A | Monitor System Settings that Prevent Duplicate Invoice Settings | T003 | V_T003 | XMREF (Monitor Blank) | OBA7
LOPURVAP_07C2_06_A | Record Number of Changes to System Settings that Prevent Duplicate Invoice Settings | T003 | V_T003 | XMREF (Number of Changes) | OBA7
MMIMCTR_07C1_01_A | Monitor Settings for Tolerance Limits at Document Level | T001, T043I | V_T043I | MAXBT | OMJ2
MMIMCTR_07C2_01_A | Monitor Settings for Tolerance Limit at Item Level | T001, T043I | V_T043I | MAXEB | OMJ2
LOPURSRC_01C1_01_A | To Track Source List Changes at Plant Level | T001W | V_001W_O / T001W (SCU3) | KORDB (Changes) | ME01
LOPURSRC_01C1_02_A | Plant Level Source List Monitoring | T001W | V_001W_O / T001W (SCU3) | KORDB (Monitor Blank) | ME01

Last 5 SAP Notes of Access Control released to customers


This is a weekly blog listing the last 5 SAP Notes with Access Control corrections released to customers by SAP.

 

 

1 - 2290322 - UAM: Missing Reviewer Agent for Notification purpose in UAR and SOD workflow configuration

 

Symptom

 

 

Open the MSMP configuration and select the process type for UAR or SOD. Go to the Maintain Agents tab. The Reviewer agent is missing for notification purposes in the UAR and SOD process types.

 

 

2 - 2294014 - HANA role does not get saved in the target system

Symptom

 

 

If a HANA role is created through Access Control (Role Maintenance), the role is not saved in the target system. How should the role methodology be configured for HANA roles?

 


3 - 2229853 - GRC and S/4HANA oP: compatibility information

 

Symptom

 

 

You want to use GRC with S/4HANA on-Premise (oP). Which points do you need to consider?


 

4 - 2266192 - Truncation of Firefighter ID Description

 

Symptom

 

 

The Description of Fire Fighter Object is getting truncated.

 

 

 

5 - 2291174 - AC10.X Incorrect column name in generated permission rules table

 

Symptom

 

 

Incorrect column name in the permission rule table while generating rules
after creation of access risks.

 

 

To receive updates bookmark the blog and have updates every week!

 

Rafael Guimbala

Just because users “can”, doesn't mean they “do” [Webcast with Greenlight]


Register now for Extending SAP Access Control with SAP Access Violation Management by Greenlight, 25th May 2016


Risk for organisations is growing. With more devices to protect, more people who require access to data, and more partners to integrate with, the paradigm of access control is larger than ever. The Verizon Data Breach Investigations Report (DBIR) highlighted 9 of the top attack patterns, ranging from Insider & Privilege Misuse, Physical Theft & Loss and Web App attacks through to payment card skimmers. These are just a few of the top attack patterns, but nonetheless they highlight the importance of reducing risk.

 

For all of us familiar with SAP Governance, Risk, and Compliance (GRC), we're well aware of SAP Access Control (AC). SAP Access Control is typically the first solution customers implement when they begin their GRC journey. AC is the solution our customers turn to when forced by internal and external auditors to perform Access Risk Analysis to get clean (i.e. identify and mitigate segregation of duties risks). SAP Access Control is also well known for its Emergency Access Management (i.e. firefighter) functionality. Rather than giving employees SAP_ALL (i.e. the "keys to the kingdom"), organizations can give users emergency access IDs so that the emergency access activities are tracked and can be properly audited. Other functionalities provided by Access Control include Access Request Management (i.e. providing users a central formalized process to request authorizations) and Business Role Management (i.e. putting roles in business terms).

 

While we know Access Risk Analysis and the mitigation of segregation of duties risk are critical activities for organizations, we also know that the mitigation of access risks often requires manual activities that take plenty of time. Most of us don't work in organizations where we can have one person do one thing and another person do another. We may have headcount and process constraints, and unfortunately most of our mitigating controls are manual. If I can create a vendor and pay a vendor, someone (i.e. perhaps my manager) may need to review a report to see whether I've actually done these activities. The ability to do an activity doesn't mean that the activity actually occurs. What if a manager has been reviewing multiple reports showing that while an access risk has been identified, nothing has actually occurred? How much time is that manager spending on the manual review(s)? Is a business process change required?

 

With the power of SAP Access Violation Management (AVM) by Greenlight organizations now have the ability to analyze the underlying transactions associated with their access risk so that they can automatically mitigate as needed.  SAP Access Control leverages a rule set to uncover and provide visibility into users and roles with the capability to perform high risk transactions.  SAP Access Violation Management leverages Access Control and analytics rule sets to provide visibility into actual usage and violations executed against high risk transactions in conflict with policy. 

 

One more powerful function of Access Violation Management is the ability to connect to home grown applications, .net tools, and other cloud based solutions (e.g. Ariba), and even SAP Business Planning and Consolidation (BPC).  I’m sure there are applications in your landscape with data that you wish you could consume.  I’m sure you think SAP GRC solutions are only for SAP environments.  I’m here to tell you that, while this is a common misconception, it’s simply not the case.  SAP GRC solutions can be applied to more than SAP environments.

 

To learn more about how you can leverage your SAP Access Control investment with SAP Access Violation Management especially in the context of Ariba and BPC, please join us for a webinar on May 25.

 

Register now for Extending SAP Access Control with SAP Access Violation Management by Greenlight, 25th May 2016, 1PM – 1.45PM AEST.

How to search only relevant SAP Notes for your system version?


First, enter the SAP Note search via the link below: https://support.sap.com/notes

 

1-  Click on "Launch the SAP Note and KBA Search" button

 


 

2 - Insert the search term that you want to look for, and select "Restrictions by Product Version".

 


3 - Click the select button on the right side

 


4 - In the pop-up that opens, pick your component version

 

 

 


 

Click on it; it may take a few seconds to load since there are a lot of SAP products.

 

 

5 - Click on the magnifying glass icon beside the component that you want

 

 


 

6 - Select the support package in the pop-up

 


 

 

7 - Finally, click on search

 

 


 

The results will contain only corrections from higher support packages and KBAs relevant to your issue.

 


SAP GRC 10 - Add Custom fields in UAR Workflow


I recently got a requirement from the business users to add some additional fields to the UAR workflow. For example, they wanted Valid From and Valid To in the review list, which would be of great help to them when reviewing the access items. Since I wasn't very familiar with the data in GRC, I was going against SAP ERP to see how I could bring the Valid From and Valid To data into GRC, but Alessandro Banzer and Colleen Hebbert pointed me in the right direction: fetch the data from GRC instead of the satellite tables. Alright, enough of the story, I guess.

 

The below Enhancement is done in GRC 10.

 

1) Append your custom fields into GRAC_S_UI_REVDATA


 

2) Go to SE80 and choose the Web Dynpro Comp. / Intf. - GRAC_UIBB_USER_ACC_REVIEW

  (This is the Webdynpro component we are going to enhance it to show it on the screen)


 

3) Double click on V_UAR_ITEMS under Views, choose Enhance from the menu (Ctrl + F4) and create an Enhancement Implementation


4) Double click on the COMPONENTCONTROLLER and choose N_UAR_ITEM_DATA from the Context.


 

5) Right click on N_UAR_ITEM_DATA and choose Create Using the Wizard - Attributes from Components of Structure.


6) Choose the custom fields from the pop-up to add them into the context.


 

7) Now double click on V_UAR_ITEMS from Views and select N_ITEM_DATA from Context.


8) Now right click on N_ITEM_DATA and choose Update Mapping and select Yes from the pop-up.


 

 

Okay, now we move on to placing those fields on the screen.

 

9) Make sure you are still on the V_UAR_ITEMS view and go to the Layout

 

10) Right Click on the TABLE and choose Insert Columns (Repeat the same for all the custom fields you have)


11) After creating the columns, insert a Text View and a Header for each of them. I copied the same parameters from TC_ITEM_DESC to my new custom columns (except the IDs, which have to be unique)


12) After creating those properties, don't forget to do the binding.


 

That's it. Now the fun part (coding). Since my requirement is pretty simple, I handled the coding in the WDDOINIT post-exit.

 

13) Now go to the Methods tab (make sure you are still in the V_UAR_ITEMS view) and click to create a Post-Exit on WDDOINIT.

 

14) Write your code in this exit.


 

15) Code to populate the ZZ_VALID_FROM and ZZ_VALID_TO context attributes:

    " Post-exit of WDDOINIT in view V_UAR_ITEMS: fill the custom context
    " attributes ZZ_VALID_FROM / ZZ_VALID_TO from the GRC user-role assignment.
    DATA lo_nd_n_item_data TYPE REF TO if_wd_context_node.
    DATA lt_n_item_data    TYPE wd_this->elements_n_item_data.
    DATA ls_n_item_data    TYPE wd_this->element_n_item_data.
    DATA lv_validfrm       TYPE grfn_timestamp.
    DATA lv_validto        TYPE grfn_timestamp.
    DATA: lv_item_ty_desc TYPE string,
          lv_validfrm_s   TYPE string,
          lv_validto_s    TYPE string.
    DATA lv_roleid         TYPE grfn_guid.

    " Read the review items currently held in context node N_ITEM_DATA.
    lo_nd_n_item_data = wd_context->get_child_node( name = wd_this->wdctx_n_item_data ).
    lo_nd_n_item_data->get_static_attributes_table( IMPORTING table = lt_n_item_data ).

    LOOP AT lt_n_item_data INTO ls_n_item_data.
      " Start every item from a clean state so a failed lookup cannot reuse
      " the role ID or validity dates of the previous row.
      CLEAR: lv_roleid, lv_validfrm, lv_validto, lv_validfrm_s, lv_validto_s.

      lv_item_ty_desc = ls_n_item_data-item_type_desc.
      TRANSLATE lv_item_ty_desc TO UPPER CASE.

      IF lv_item_ty_desc = 'USER'.
        " Resolve the technical role ID for the role name in this connector
        " (the connector name 'SAP_ERP' is specific to this landscape).
        SELECT SINGLE role_id FROM gracrlconn INTO lv_roleid
          WHERE role_name = ls_n_item_data-parent_key
            AND connector = 'SAP_ERP'.
        IF sy-subrc = 0.
          " Validity of the user/role assignment as stored in GRC.
          SELECT SINGLE valid_from valid_to FROM gracuserrole
            INTO (lv_validfrm, lv_validto)
            WHERE role_id = lv_roleid
              AND user_id = ls_n_item_data-user_name.
        ENDIF.
      ENDIF.

      " GRFN_TIMESTAMP is YYYYMMDDhhmmss; an empty value converts to '0'.
      " Only the date part (first 8 characters) is shown in the review list.
      lv_validfrm_s = lv_validfrm.
      lv_validto_s  = lv_validto.
      CONDENSE lv_validfrm_s.
      CONDENSE lv_validto_s.

      IF lv_validfrm_s = '0'.
        ls_n_item_data-zz_valid_from = ''.
      ELSE.
        ls_n_item_data-zz_valid_from = lv_validfrm_s(8).
      ENDIF.
      IF lv_validto_s = '0'.
        ls_n_item_data-zz_valid_to = ''.
      ELSE.
        ls_n_item_data-zz_valid_to = lv_validto_s(8).
      ENDIF.

      " Write the enriched row back to the current loop line.
      MODIFY lt_n_item_data FROM ls_n_item_data.
    ENDLOOP.

    " Rebind the table so the new columns are rendered in the view.
    lo_nd_n_item_data->bind_table( new_items = lt_n_item_data ).

 

16). The Final Result:


 

That's it. One more thing you might have noticed on the last screenshot: yes, the Export button. It was also a custom solution, to export those values to Excel. If it's of interest to anyone, I'll write it up.

 

 

Thanks everyone for taking the time to look at this. Please go easy on me, as this is my first ever blog on SCN after 11 years with SCN. I always wanted to post a blog in my PI/PO space, but apparently the GRC space is where my first blog landed. Please feel free to add comments if there are any mistakes in the way I have handled the design or if you find the blog is not of good enough quality. I'll try to improve.

Master Data in Process Control-GRCV10.0/10.1


Dear all,

 

This blog will give you an overview of the master data in GRC Process Control.

 

As we know already, the master data is shared between all 3 components (AC, PC and RM) of GRC.


Master data in Process Control includes organizations, business processes, subprocesses, controls, owners, regulations, policies, entity-level controls, etc.


HR structures are used in the technical implementation of the master data in SAP Process Control. All objects are contained in infotype 1000 (table HRP1000). The link to the long text fields (for example, the fields under Description) is located in infotype 1002 (table HRP1002, field TABNR), and the texts themselves are in table HRT1002.
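As an added example that is not part of the original blog, the ABAP report below reads one Process Control master-data object's short text from HRP1000 and follows the HRP1002 TABNR link to collect its Description lines from HRT1002; the plan version, object type and object ID are input parameters, and all field names other than TABNR are assumed from the standard HR infotype tables.

```abap
" Added example (not from the original blog): read the short text and the
" Description long text of one Process Control master-data object.
" Assumptions: field names other than TABNR follow the standard HR infotype
" tables; the plan version GRC uses is supplied by the caller.
REPORT zgrc_pc_object_text.

PARAMETERS: p_plvar TYPE hrp1000-plvar OBLIGATORY,  " plan version
            p_otype TYPE hrp1000-otype OBLIGATORY,  " object type of the PC object
            p_objid TYPE hrp1000-objid OBLIGATORY,  " object ID
            p_langu TYPE hrp1000-langu DEFAULT sy-langu.

DATA: lv_stext TYPE hrp1000-stext,
      lv_tabnr TYPE hrp1002-tabnr,
      lt_lines TYPE STANDARD TABLE OF hrt1002,
      ls_line  TYPE hrt1002.

" 1. Infotype 1000 holds the object itself; pick the record valid today.
SELECT SINGLE stext FROM hrp1000 INTO lv_stext
  WHERE plvar = p_plvar
    AND otype = p_otype
    AND objid = p_objid
    AND langu = p_langu
    AND begda <= sy-datum
    AND endda >= sy-datum.
IF sy-subrc <> 0.
  WRITE: / 'No HRP1000 record for this plan version / object type / ID.'.
  RETURN.
ENDIF.
WRITE: / 'Short text:', lv_stext.

" 2. Infotype 1002 does not store the description text itself; it stores
"    the pointer TABNR into HRT1002. Several 1002 records (subtypes) may
"    exist for one object, so this example takes the first one valid today.
SELECT SINGLE tabnr FROM hrp1002 INTO lv_tabnr
  WHERE plvar = p_plvar
    AND otype = p_otype
    AND objid = p_objid
    AND begda <= sy-datum
    AND endda >= sy-datum.
IF sy-subrc <> 0 OR lv_tabnr IS INITIAL.
  WRITE: / 'No Description maintained for this object.'.
  RETURN.
ENDIF.

" 3. The text lines themselves, in their stored sequence.
SELECT * FROM hrt1002 INTO TABLE lt_lines
  WHERE tabnr = lv_tabnr
  ORDER BY tabseqnr.

WRITE: / 'Description:'.
LOOP AT lt_lines INTO ls_line.
  WRITE: / ls_line-tline.
ENDLOOP.
```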


Centralized data is data kept at corporate level; decentralized (local) data is data kept at the level of an individual unit.


We have two types of Master data.

  • Central Master data
  • Local Master data


Central Master Data


Central (or corporate) master data applies to the entire company:


• Organization Hierarchy

• Central Process Hierarchy

• Account Group Hierarchy

• Control Objectives

• Indirect Entity-Level Control Hierarchy

• Regulations and Policies

 

 

These are created from the Master Data work center.






Local Master Data


Local (organization-dependent) master data applies to data within each organization:


• Organization-dependent sub processes

• Organization-dependent controls

• Organization-dependent policies

• Organization-dependent indirect entity-level controls


These are also created from the Master Data work center.





The only difference between central and local objects is the organization object.


When we use central objects such as subprocesses and controls in an organization, these objects become local objects.

 

All master data changes can be traced using the Audit Log under Reports.




Besides manual entry, master data can be uploaded in two ways:

  1. MDUG(Master data upload generator)
  2. CLM(Content life cycle management)

 

Both are designed to get large amounts of data into the system quickly.


MDUG is only available for PC master data during the initial implementation and is not available for subsequent loads; it is included within the PC client.


CLM is available for subsequent loading, must reside as an instance on a portal, must have someone administering it, and can load master data for AC, PC and RM.


Master data that can be moved using CLM:

• Organization

• Regulation

– Regulation Group

– Regulation

– Regulation Requirements

• Control Objective

• Business Process

– Central Process

– Central Sub process

– Central Control

• Indirect Entity-Level Control

– Central IELC Group

– Central IELC

• Risk

– Central Risk Category

– Central Risk Template

• Account Group

• Assessment: Manual Test Plan


Master data can be set up and managed using two work centers in NWBC:

  1. Master Data
  2. Access Management


Create master data objects in the following order:

  1. Organizations
  2. Account Groups and Assertions
  3. Control Objectives and Risks
  4. Central Process Hierarchy: processes, sub processes, and controls


When all objects are created, perform the master data assignments:

  1. Assign corporate and organization roles
  2. Assign sub processes to organizations
  3. Assign roles to local processes.
  4. Policies and indirect entity-level controls may be created at any time and assigned to existing organizations and regulations.

 

Regulations are assigned to the following objects and inherited by the organizations to which those objects are assigned:


  1. Subprocesses
  2. Controls
  3. Indirect Entity-Level Controls
  4. Policies
  5. Ad-Hoc Issues


Feel free to add anything related to master data. I hope this helps.


Regards

Baithi

How to Perform a Disclosure Survey


I am creating this blog to provide the steps of Disclosure Survey creation process.

 

 

 

Prerequisites:

 

Check the prerequisites to enable the functionality in the wiki page below:

 

Disclosure Survey Prerequisites - Governance, Risk and Compliance - SCN Wiki

 

 

Process:

 

Creating the Survey


  • Category must be Disclosure Survey



 

 

 

Planning Disclosure Survey

 

Within planner screen, choose 'Perform X Disclosure Survey', where X is the object type (Organization, Subprocess or Control).


Three different Disclosure Survey plan activities are available:

 

  • Perform Control DS
  • Perform Organization DS
  • Perform Subprocess DS

 

In the plan details screen, there are two Survey options:

 

  • Survey
  • Object Survey

 

If the processor wants just one or the other, the fields can be left blank.



Review after choosing the plan combinations



 

Activate the plan

 

The disclosure Survey may involve an object Survey, a disclosure survey or both of them.

 

In the example above, I scheduled the survey for both.

 

 

 

Work inbox:

 

 

The Business Event responsible for delivering the work item to the disclosure survey performer is:

 

  • 0PC_PERF_DISCSVY

 

 

In the work inbox, I clicked on the task and opened the Organization Evaluation:

 


 

Disclosure – Object

 

Once you select the row, the following menu appears:





Reminder: A single work item is triggered for each object owner




If the questions disappear when writing long comments, implement the following SAP Note:


2307585 - Disclosure survey questions disappear when user enters very long comments

 

 

After filling out both, send the Survey for review.

 

 

Review Survey

 

Important info:

 

Is it possible to Remove the Review stage?

 

Currently, there is no option to switch off the review phase of the disclosure surveys.

 

 

Check history Button


 

There is also a button that opens the Disclosure Survey Details Report.

 

If the report presents an error, here are the notes released in 2016. Choose the one matching your symptom:

 

2298408 - Object survey details are not showing up in Disclosure Survey Details Report

2224640 - Disclosure Survey Details does not filter children orgunits.

2300883 - Disclosure Survey Details report does no filter relevant timeframe plans

2263030 - Question Explain text is missing in Disclosure Survey Details Report

2277328 - Delete Disclosure Survey for any recipient causing report error

2240413 - Disclosure Survey details reports not showing Survey Scores for survey question

 

 

Disclosure Survey status:

 

2278915 - Error in Disclosure Survey Status report "There is no data matching the entered

 

If the Survey was not triggered for some organizations, the following corrections can fix it:

 

2199671 - Issues in disclosure survey due to missing survey instances.

 

 

After pressing finish button, the workflow is completed.

 

 

Offline Disclosure Survey (object level)

 


 

The offline form shows a separate evaluation for each object.

 

When submitted the form updates SAP Process Control the same way as the online mode.

 

 

If the processor is responsible for 10 controls, they will receive a single e-mail with an attached form containing an evaluation section for each of the ten controls.

 

Respond to Disclosure Survey (Offline)

 


Back to School:Important options you need to know about Application in BRFPlus


Introduction to Application



An Application object serves as a container that holds all the BRFplus objects built to solve a particular business task.


In order to create a new application, go to the BRFplus workbench. The screen below will pop up.




Properties of Application


While creating the application, the following details need to be defined:


1. General Data and

2. Application


In General Data, the NAME, SHORT TEXT and TEXT have to be defined.




The Field NAME is Language Dependent unlike the fields TEXT and SHORT TEXT.


Once the General Data is defined, application data needs to be defined.




Storage types in Application


While creating an application, we need to define the storage type. There are three storage types:


1. Master Data

2. Customizing and

3. System






When a new object is created in a BRFplus application, it inherits the storage type of the application in which it is created.


Storage types Customizing and Master Data are client dependent whereas System is Client Independent.


Storage type Customizing and System are transportable whereas Master Data is Local.



If the flag Create Local Application is selected, the application and its objects are restricted to local system usage only and their objects cannot be transported to other systems.




Development Package


The development package acts as a container that holds objects logically belonging to each other.


When the storage type Master Data is selected, the flag Create Local Application is greyed out and cannot be selected, since Master Data is not transportable.



 

BRFplus offers a local application TMP. The purpose of TMP is to create objects for temporary use cases only.


Software Component


The software component describes a set of development objects that can only be delivered in a single unit. You should assign all the sub-packages of the main package to this software component.




Once the application is created, we get a screen like the one below. In this screen, the following application properties can be defined:

  1. General
  2. Details





Application Properties - Detail


In Details, the following tabs provide the various properties of the application.





Properties Tab - An Introduction


The properties tab contains the following fields.





Apart from Development package and Software component, Application component and Application exit class fields are also available.


The Application Component is not BRF+ specific, but it is useful for categorization when building a package or raising an OSS message to SAP.


Application Exit Class will be used to implement additional functionality with methods of an ABAP Class.



Default Settings Tab - An Introduction




Application Log Objects provide a standard logging facility for all of your custom ABAP programs. The facility consists of several transaction codes, tables, and function modules. By using this standard SAP functionality, error messages are stored in a uniform way, which makes error handling simpler and increases the maintainability of code.


Important transaction codes related to Application Log Objects are:

 

  • SLG0 - Create a new Log Object and Sub object
  • SLG1 - Display Application Log
  • SLG2 - Delete the Application Log

 

Application Log Sub-Objects help to further classify the Application Log Object.


The persist flag controls whether the log data is permanently stored in the database or not. If not, log data is only kept in memory during run time and is lost after the session.



Default Enforcement defines how strictly the objects within the application have to follow the application-wide default setting for the application log.





Versioning of Assigned Objects allows you to track the changes that have been done to a BRFplus object over time. It is based on the timestamp that the system assigns to objects when they are saved and activated.


The following options are available in Versioning Mode:




You can define whether newly created objects are put under version control or not by default. This default setting is done on application level and affects all objects that are created in the scope of that application.





Default Language Settings allow you to define whether text and documentation depend on Language, on Version, on both Language and Version, or on neither of them.



Contained Objects Tab - An Introduction



Contained Objects will display the list of Objects that are available in the application.


The field Type is a drop-down list that filters by the kinds of objects contained in that specific application.





Miscellaneous Tab - An Introduction


In Miscellaneous, there is only one field, Restart Rulesets Enabled, with a flag option.


This is used in case of Deferred Ruleset Processing.


We can define exit conditions for a ruleset to stop processing at a defined point if a condition is fulfilled. In some cases, processing might stop in between due to a lack of data. If the option Restart Rulesets Enabled is selected, processing resumes from the place where it stopped rather than from the beginning.



I hope this helps to bring some clarity on the options of an Application in BRFplus. Additions and corrections to this blog are most welcome.


Regards,

Deepak M

Include approval levels and prevent false positives with SAP GRC supplementary rules


In purchasing, release strategies in SAP are used to ensure that purchase requisitions, purchase orders and purchase agreements are only released by an authorized individual with sufficient approval authority. The system prevents an approver from releasing a purchase document whose value exceeds his or her approval authority limit, or from releasing a purchase document at all. These approval values and the ability to release purchase documents are captured in SAP roles through authorization objects and transactions and are assigned to the user ID. The GRC Access Control module can be used to report on user IDs with specific purchase document authority limits.

 

In invoice processing, no release strategies exist in SAP to ensure that invoices are only processed by authorized individuals with sufficient approval authority. The system does not prevent an individual from releasing an invoice whose value exceeds his or her approval authority limit. Authority limits are not captured in roles through authorization objects, and with the standard GRC rules there is no way to report on user IDs with specific invoice authority limits. For invoices that are matched with a purchase document and goods receipt this is not an issue, as the authority limit of the approver is checked when the purchase document is released.

 

One of the advantages of SAP Invoice Management (VIM) is that it offers a solution for non-three-way-matched invoices (invoices without a purchase document reference). Authority limits and levels are maintained in the chart of authority (COA) table and mapped to user IDs. Without an entry for the user ID in the COA table, the user ID will not be able to release an invoice whose value exceeds his or her approval authority limit.

 

Invoices allocated to a specific user that are handled through SAP Invoice Management can be accessed by executing the VIM workplace transaction (/OPT/VIM_WP) or, alternatively, by executing SAP Business Workplace (SBWP) and displaying the allocated tasks in the user's inbox. As you can imagine, running a risk analysis in GRC to identify users that are able to process VIM invoices will result in many false positives, simply because most users in SAP will have authorization to access the SBWP work inbox. The important factor is whether users can also release the invoice. By adding a supplementary rule these false positives can be eliminated and additional information can be provided to the GRC access rule.

 

Let me give an example. Access risk ID ZRARPC10 (VIM process invoices) is a critical action that consists of GRC function ZFAVM001 (VIM process invoices). ZFAVM001 is the GRC function used to capture the relevant transaction codes and authorization objects to process VIM invoices. We will run a risk analysis on access risk ID ZRARPC10 for user IDs TDEJONG and NHARMANUS.

 

1.jpg

 

As expected the result, as displayed below, shows that both user IDs can process VIM invoices which is in line with their authorizations in the target system.

 

2.jpg

 

However, user ID TDEJONG does not exist in the chart of authority (COA) table and in fact cannot release invoices. The result showing that TDEJONG can release invoices is a false positive.

 

User ID NHARMANUS is entered in the COA table and can approve up to level 5 (highest amount) standard invoices.

 

3.jpg

 

As stated earlier, by adding a supplementary rule to the VIM process invoices GRC function ZFAVM001 the false positive can be eliminated and additional information, in this case who can approve level 5 invoices, can be provided.

 

The following supplementary rule is created and assigned to the GRC function ZFAVM001. The supplementary rule in this example looks for all user IDs in the COA table which can approve standard invoices up to level 5. The total value (amount) is defined in a different tab of the COA table.

 

4.jpg

 

Let’s re-run the risk analysis with the same criteria.

 

1.jpg

 

As expected only the user ID that can release standard invoices up to level 5 is displayed and the false positive is eliminated.

 

5.jpg

 

By using supplementary rules, users' authority limits in SAP Invoice Management can be included in the GRC risk analysis. The great thing about supplementary rules is that they can be used for other approval authorities as well, such as SRM shopping cart approval, the approval authority engine, HR position approvals, etc.
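The filtering a supplementary rule performs can be shown end to end, as an added example written for this page (it is not SAP GRC's own risk analysis code). The risk ID ZRARPC10, function ZFAVM001, user IDs TDEJONG and NHARMANUS and approval level 5 come from the text above; the COA table name ZCOA_APPROVERS, its field names, the transaction sets and every row of data are constructed assumptions.

```python
"""Added illustration of a GRC supplementary rule removing a false positive.

Not SAP GRC code. All data below is constructed sample data; the COA table
name ZCOA_APPROVERS and its field names are assumptions.
"""
from dataclasses import dataclass

RISK_ID = "ZRARPC10"      # critical action risk: VIM process invoices
FUNCTION_ID = "ZFAVM001"  # GRC function carrying the VIM actions/permissions

# Constructed: users whose authorizations satisfy ZFAVM001 in the target
# system, i.e. what the standard action/permission analysis reports.
FUNCTION_HITS = {
    "TDEJONG": {"/OPT/VIM_WP", "SBWP"},
    "NHARMANUS": {"/OPT/VIM_WP", "SBWP"},
}

# Constructed chart-of-authority rows. TDEJONG has no entry at all.
COA_ROWS = [
    {"USER": "NHARMANUS", "DOC_TYPE": "STANDARD", "LEVEL": 5},
    {"USER": "NHARMANUS", "DOC_TYPE": "NONPO", "LEVEL": 3},
]
TABLES = {"ZCOA_APPROVERS": COA_ROWS}


@dataclass(frozen=True)
class SupplementaryRule:
    """A table lookup attached to a GRC function: the function only counts
    as a hit for users who have a row in `table` matching `conditions`."""
    table: str
    user_field: str
    conditions: dict

    def users(self, tables):
        rows = tables.get(self.table, [])
        return {
            r[self.user_field]
            for r in rows
            if all(r.get(k) == v for k, v in self.conditions.items())
        }


def run_risk_analysis(users, function_hits, tables, rule=None):
    """Return {user: detail} for users violating RISK_ID.

    Without a supplementary rule every user matching the function is a
    violation. With one, the hit is kept only when the user also satisfies
    the rule, and the rule's conditions are added to the reported detail.
    """
    allowed = rule.users(tables) if rule else None
    result = {}
    for user in users:
        if user not in function_hits:
            continue
        if allowed is not None and user not in allowed:
            continue  # roles say yes, COA says no: drop the false positive
        detail = {"risk": RISK_ID, "function": FUNCTION_ID,
                  "actions": sorted(function_hits[user])}
        if rule:
            detail.update(rule.conditions)
        result[user] = detail
    return result


# The rule from the blog: users who can approve standard invoices up to level 5.
LEVEL5_STANDARD = SupplementaryRule(
    table="ZCOA_APPROVERS", user_field="USER",
    conditions={"DOC_TYPE": "STANDARD", "LEVEL": 5},
)

if __name__ == "__main__":
    users = ["TDEJONG", "NHARMANUS"]
    print("without rule:", run_risk_analysis(users, FUNCTION_HITS, TABLES))
    print("with rule:   ", run_risk_analysis(users, FUNCTION_HITS, TABLES, LEVEL5_STANDARD))
```

The first run reports both users, the second only NHARMANUS, with the COA conditions carried into the result so the report itself states which approval level the user holds.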

 

Want to learn more about supplementary rules or GRC access control in general? Please contact me


SRM rule set (alternative)


SAP Supplier Relationship Management (SRM) is developed to purchase predefined items from approved suppliers using an online catalogue. Selected items are put in a shopping cart.

 

SAP also provides a rule set for SRM which can be used to run risk analysis on users and identify access violations. However you will have to redesign the rules in order to prevent false positives and negatives when running a risk analysis from the standard SAP rule set.

 

For your convenience I have designed a new SAP SRM rule set with new access rules that is focused on the permission level (the relevant authorization objects and values) instead of the action level (Web Dynpro applications/transactions). This rule set can be used directly to start the remediation of access violations and/or to document compensating controls.

 

Please find below an example of an SoD matrix based on SRM functions defined in the alternative SRM rule set. There are many more SoD conflicts within the Requisition to Pay process involving SRM activities, but for clarity I did not add them.

 

srm.jpg

 

The technical content of the SRM rule set is attached as text files.

 

I am aware that there is no one-size-fits-all rule set, but I am confident that the attached rule set will help you make your own specific one.

 

 

 

Please also check my other blogs on SDN

 

http://scn.sap.com/community/grc/blog/2016/05/18/include-approval-levels-and-prevent-false-positives-with-sap-grc-supplementary-rules

 

http://scn.sap.com/community/grc/blog/2016/01/18/risk-terminator

SNC Name in Access Request


In SAP GRC Access Control it is common practice to provision the SNC name via Access Request. As the SNC name will be different for each user, the core question is how to populate the correct SNC name in the Access Request form so that it is provisioned in the plug-in SAP systems. The SNC name in SU01 is the name recognized by the external security software and is also known as the printable name. Besides the length limitation of SNC names, the printable name has a different format for SECUDE and Kerberos.

 

Example for SECUDE printable SNC-Name: p:CN=TESTUSER, O=SAP-AG, C=DE

 

This scenario uses End User Personalization for the SNC name in access request. Default value of the SNC name in EUP can contain the following variables, which will be replaced at provisioning with their corresponding value.

 

#!#COMPANY#!#
#!#DEPARTMENT#!#
#!#EMAIL#!#
#!#EMPLOYEETYPE#!#
#!#FIRSTNAME#!#
#!#FUNCTIONALAREA#!#
#!#LASTNAME#!#
#!#LOCATION#!#
#!#TELEPHONE#!#
#!#USERID#!#
#!#USERID_L#!# (USERID in lower case)

EUP1.png

The SNC name can be assembled from one or more variables, depending on which parts of the string can have fixed values in the environment.

p:CN=#!#USERID#!#, O=SAP-AG, C=DE

p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#

Each variable has an equivalent AC field, which has to be filled from the user detail data source. If an LDAP connector is used as the data source, the group field mapping needs to be maintained.

For the above example using Microsoft Active Directory:

'USERID' mapped to 'SAMACCOUNTNAME'

'COMPANY' mapped to 'COMPANY'

'LOCATION' mapped to 'C'

AR1.png

 

Example for Kerberos 5 printable SNC-Name: p:TESTUSER@DEV61.DEV-WDF.SAP.CORP

 

Even though the default value of the SNC name in EUP can be set as p:#!#USERID#!#@DEV61.DEV-WDF.SAP.CORP, another approach might be required. In the following scenario the LDAP connector is Microsoft Active Directory, and the LDAP connector has been maintained as the user detail data source in SAP GRC customizing.

AD1.png

Group field mapping can be maintained for the AC field 'SNCNAME', which is easy if there is an LDAP attribute that contains the SNC name exactly. When 'SNCNAME' is mapped to 'USERPRINCIPALNAME' from Active Directory, 'p:' still has to be prepended to it. This can be done with an enhancement implementation, creating a post-exit method for the method FILL_ADSTRUCTURE in the class CL_GRAC_AD_ACCESS_MGMT_LDAP. This WIKI provides guidance on how to create a simple enhancement:

class.png

  METHOD ipo_z_snc~fill_adstructure.
*"------------------------------------------------------------------------*
*" Declaration of POST-method, do not insert any comments here please!
*"
*"methods FILL_ADSTRUCTURE
*"  importing
*"    !IV_GROUP_MAP type GRAC_T_GRPFLDMAP
*"    !IV_VALUE_TABLE type CL_GRAC_AD_ACCESS_MGMT_LDAP=>YT_SYSTEM_FIELD_VALUE
*"  changing
*"    !ES_USER_DETAIL type GRAC_S_USER_DETAIL .
*"------------------------------------------------------------------------*
    FIELD-SYMBOLS <fs_snc> TYPE grac_s_user_snc.

*   Point at the SNC substructure of the user detail the core method has
*   already filled from the group field mapping (SNCNAME <- USERPRINCIPALNAME)
    ASSIGN COMPONENT 'snc' OF STRUCTURE es_user_detail TO <fs_snc>.
    IF sy-subrc = 0.
*     The mapped User-Principal-Name lacks the 'p:' prefix of a printable name
      TRANSLATE <fs_snc>-pname TO UPPER CASE.
      CONCATENATE 'p:' <fs_snc>-pname INTO <fs_snc>-pname.
    ENDIF.
    UNASSIGN <fs_snc>.
  ENDMETHOD.

SNC name for Kerberos is fetched in the access request using User-Principal-Name attribute from Active Directory.
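The two mechanisms described in this post, the EUP variable substitution for a SECUDE-style name and the post-exit prefixing for a Kerberos name, can be modelled outside SAP to check what a provisioning run would write into SU01. The following is an added example written for this page, not SAP GRC code: the variable names, the templates and the Active Directory attribute mapping come from the text above; the AD entry, the SNC_MAX_LEN value and all function names are constructed assumptions.

```python
"""Added model of EUP variable resolution and the Kerberos post-exit.

Not SAP GRC code. The AD entry and SNC_MAX_LEN are constructed assumptions.
"""
import re

# EUP variables listed in the post; USERID_L is derived from USERID.
EUP_VARIABLES = {
    "COMPANY", "DEPARTMENT", "EMAIL", "EMPLOYEETYPE", "FIRSTNAME",
    "FUNCTIONALAREA", "LASTNAME", "LOCATION", "TELEPHONE", "USERID",
    "USERID_L", "SNCNAME",
}
VAR_RE = re.compile(r"#!#([A-Z_]+)#!#")

# Group field mapping, AC field -> AD attribute, as maintained in the post.
GROUP_FIELD_MAPPING = {
    "USERID": "sAMAccountName",
    "COMPANY": "company",
    "LOCATION": "c",
    "SNCNAME": "userPrincipalName",
}

# Constructed AD entry for the example user.
AD_ENTRY = {
    "sAMAccountName": "TESTUSER",
    "company": "SAP-AG",
    "c": "DE",
    "userPrincipalName": "testuser@dev61.dev-wdf.sap.corp",
}

SNC_MAX_LEN = 255  # assumption: stand-in for the SNC name length limit


def resolve_ac_fields(mapping, entry):
    """AC field -> value from the LDAP entry; USERID_L is USERID lower-cased."""
    fields = {ac: entry[attr] for ac, attr in mapping.items() if attr in entry}
    if "USERID" in fields:
        fields["USERID_L"] = fields["USERID"].lower()
    return fields


def render_eup_default(template, fields):
    """Replace every #!#VAR#!# in the EUP default value.

    An unknown variable, or one with no value in the user detail data,
    raises instead of silently leaving a literal placeholder in the name."""
    def sub(match):
        name = match.group(1)
        if name not in EUP_VARIABLES:
            raise ValueError(f"unknown EUP variable {name}")
        if name not in fields:
            raise ValueError(f"no value for {name} in user detail data")
        return fields[name]
    return VAR_RE.sub(sub, template)


def kerberos_snc_from_upn(upn):
    """Same transformation as the post-exit above: upper-case the mapped
    userPrincipalName and prefix it with 'p:'."""
    return "p:" + upn.upper()


def validate_snc_name(name, max_len=SNC_MAX_LEN):
    """Checks worth making before a name is written to SU01; returns problems."""
    problems = []
    if not name.startswith("p:"):
        problems.append("missing 'p:' prefix")
    if VAR_RE.search(name):
        problems.append("unresolved EUP variable")
    if len(name) > max_len:
        problems.append("exceeds length limit")
    return problems


if __name__ == "__main__":
    fields = resolve_ac_fields(GROUP_FIELD_MAPPING, AD_ENTRY)
    secude = render_eup_default(
        "p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#", fields)
    kerberos = kerberos_snc_from_upn(fields["SNCNAME"])
    for name in (secude, kerberos):
        print(name, validate_snc_name(name) or "ok")
```

Running it yields p:CN=TESTUSER, O=SAP-AG, C=DE for the SECUDE template and p:TESTUSER@DEV61.DEV-WDF.SAP.CORP for Kerberos. The point of validate_snc_name is that an empty AD attribute would otherwise provision a name with a literal #!#...#!# fragment, which the external security software would never match.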

AR2.png

Best Regards,

Zoltan Galik

#askSAP Session: Cybersecurity Risk and Governance: Are You Prepared?


This post originally appeared on the Analytics blog and has been republished with permission.

http://blog-sap.com/analytics/2016/05/25/cybersecurity-risk-and-governance-are-you-prepared/

 

It's the stuff of corporate nightmares and can keep executives up at night; the threat of cyber breaches and attacks that can put a company's data and reputation at risk or even make business processes come to a sudden, screeching halt. And there are no simple or easy answers. The cybersecurity landscape is volatile. Companies know they need to protect against cyber breaches and manage the risk of information theft, data modification, and the resulting disruption of business processes. It's critical that they understand how to prevent cyber attacks and handle mounting threats.

 

One key question is, "Do they have the right infrastructure and methods in place to effectively mitigate this ever-shifting risk?"

 

With 85% of the world's business systems running on SAP technology, SAP has focused increasing efforts on this issue. The company is holding an upcoming #askSAP session on how to improve approaches to cybersecurity risk and governance in our current era of increasing digitization. During this community call, which is interactive, SAP will give an overview of how companies should rethink their security strategy as they embrace the digital economy - so they can protect business applications and improve risk and governance programs.

 

Leading the discussions of this board-level topic will be SAP executives Michael Golz (CIO, Americas at SAP) and Kevin McCollom (Group Vice President, SAP Solutions for Governance, Risk and Compliance). Moderated by access and cyber governance expert Erin Hughes (Greenlight Technologies), the session will cover:

  • The state of cybersecurity threats and evolving security perspectives
  • A preview of SAP's security strategy
  • SAP's perspective on cyber risk and governance, and business application security
  • An overview of solutions

 

Because it's a community call, attendees will have the opportunity to ask questions through live chat or Twitter using the #askSAP hashtag.

 

Don't miss this key opportunity to learn more about cybersecurity risk and governance!

 

Details:

#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

Wednesday June 15, 2016 8AM PST / 11AM EST / 5 PM CET (90 minutes)

 

REGISTER NOW

 

https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&partnerref=blog&eventid=1182841&sessionid=1&key=3770761FD0EDCBFF3A11368CBC0CF81D&regTag=&sourcepage=register

How to Perform a Disclosure Survey


I am creating this blog to provide the steps of the Disclosure Survey creation process.

 

 

 

Prerequisites:

 

Check the prerequisites to enable the functionality in the wiki page below:

 

Disclosure Survey Prerequisites - Governance, Risk and Compliance - SCN Wiki

 

 

Process:

 

Creating the Survey


  • Category must be Disclosure Survey


Survey.PNG

 

 

 

Planning Disclosure Survey

 

Within planner screen, choose 'Perform X Disclosure Survey', where X is the object type (Organization, Subprocess or Control).

planner.PNG

Three different Disclosure Survey plan activities are available:

 

  • Perform Control DS
  • Perform Organization DS
  • Perform Subprocess DS

 

In the plan details screen, there are two Survey options:

 

  • Survey
  • Object Survey

 

If only one of the two is wanted, the other field can be left blank.



Review after choosing the plan combinations


Review.PNG

 

Activate the plan

 

The disclosure survey may involve an object survey, a disclosure survey or both of them.

 

In the example above, I scheduled the survey for both.

 

 

 

Work inbox:

 

 

The Business Event responsible for delivering the work item to the disclosure survey performer is:

 

  • 0PC_PERF_DISCSVY

 

 

In the work inbox, I clicked on the task and opened the Organization Evaluation:

 

Evaluation.PNG

 

Disclosure – Object

 

Once you select the row, the following menu appears:


Questrions.PNG



Reminder: A single work item is triggered for each object owner




If the questions disappear when writing long comments, implement the following SAP note:


2307585 - Disclosure survey questions disappear when user enters very long comments

 

 

After filling out both, send the Survey for review.

 

 

Review Survey

 

Important info:

 

Is it possible to Remove the Review stage?

 

Currently, there is no option to switch off the review phase of the disclosure surveys.

 

 

Check history Button

Check hostiry.PNG

 

There is also a button that opens the Disclosure Survey Details Report.

 

If the report presents an error, here are the notes released in 2016; choose the one matching your symptom:

 

2298408 - Object survey details are not showing up in Disclosure Survey Details Report

2224640 - Disclosure Survey Details does not filter children orgunits.

2300883 - Disclosure Survey Details report does no filter relevant timeframe plans

2263030 - Question Explain text is missing in Disclosure Survey Details Report

2277328 - Delete Disclosure Survey for any recipient causing report eror

2240413 - Disclosure Survey details reports not showing Survey Scores for survey question

 

 

Disclosure Survey status:

 

2278915 - Error in Disclosure Survey Status report "There is no data matching the entered

 

If the survey was not triggered for some organizations, the following correction can fix it:

 

2199671 - Issues in disclosure survey due to missing survey instances.

 

 

After pressing the Finish button, the workflow is completed.

 

 

Offline Disclosure Survey (object level)

 

Off object.PNG

 

The offline form shows a separate evaluation for each object.

 

When submitted, the form updates SAP Process Control in the same way as the online mode.

 

 

If the processor is responsible for 10 controls, they will receive a single e-mail with an attached form containing an evaluation section for each of the ten controls.

 

Respond to Disclosure Survey (Offline)

 

Disclo.PNG

Continuous Control Monitoring-GRCV10.0 Process Controls#Part1


Dear all,

 

This blog will give you an overview of Continuous Control Monitoring (CCM) in GRC Process Control.

This blog is intentionally split into two parts for better understanding.

Continuous control monitoring functionality is used to monitor controls. CCM goes by several different names, though the concept is the same:

 

  • Automated Rules Framework (ARF)
  • Automated Controls Framework (ACF)
  • Automated Monitoring Framework (AMF)
  • Continuous Control Monitoring (CCM)
  • Continuous Monitoring Framework (CMF)

 

CCM is the integration of compliance management software with SAP ERP systems for the purpose of setting up test and monitoring scenarios.

 

A data source defines which data is read from which system using the GRC Integration Framework and which type of analysis this data is subjected to.

 

In GRC 10.0 there are 9 types of data sources.

In GRC 10.1 there are 10 types of data sources (a HANA-based data source was added).

 

Steps to follow:

 

 

This blog is based on Sub scenario: SAP QUERY for data source

 

Refer to the link below for the sub scenario Configurable:

 

Business Rule Functionality - Governance, Risk and Compliance - SCN Wiki

 

Create data source from RULE SETUP work center

 

 

 

Click on Create

 

 

Select the sub scenario SAP Query in the Object field

 

Select the Main connector from F4

 

 

Now select the Query from Query Lookup

 

 

 

 

Click on the Connector tab; it shows the target connector.

 

Now SAVE the data source

 

Now open the created data source from catalog and change status to IN REVIEW and SAVE.

 

Now again open the data source from catalog and change status to ACTIVE and SAVE

 

 

Only ACTIVE data sources can be used in Business rules

 

Business rules are the selection criteria for the data to be analyzed and contain analysis rules and logic for applying and issuing the criteria. The analysis rules form the core of the CMF and they are used to determine whether as the result of a test, for example, an issue is to be generated with a specific status.

 

Business rules are created from RULE SETUP work center

 

 

 

Click on Create

 

Select the created data source from Search box

 

Click Continue

 

Depending on the requirement, you can select or unselect the filters in Step@2 Filter Criteria.

 

Deficiency Criteria

It is a condition: if the data matches the defined criteria, it is considered a deficiency.

 

Select Customer number from the deficiency fields (select/unselect deficiency)

 

 

Step@4 Conditions and Calculations (#Not Used#)

 

It relates to BRFplus and is used in cases where field values are not retrieved from the defined data source.

 

Step@5 Output format

Step@6 Technical Settings

 

Step@7 Ad-hoc Query

 

Select the data collection and click on Start to show the output as defined in deficiency criteria

 

Step@8 Attachments and Links

 

Only once you reach Step@8 is the Save button enabled.

Click the Save button.

Click on Change this business rule and change the status from IN REVIEW to ACTIVE.


Now assign the created business rule to the control.

Please refer PART-2    Continuous Control Monitoring-GRCV10.0 Process Controls#Part2
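The evaluation that a business rule performs on data-source rows, with filter criteria (Step@2) selecting the rows to analyse and deficiency criteria (Step@3) deciding which of them become issues with a given status, can be modelled outside Process Control. The following is an added example written for this page, not SAP's own rule engine: the query output, the field names (BUKRS, KUNNR, BLOCKED, CREDIT_LIMIT), the status labels and the criteria values are all constructed sample data; only the step structure follows the text above.

```python
"""Added model of a Process Control business rule: filter criteria select
rows, deficiency criteria turn rows into issues.

Not SAP code. Query rows, field names, statuses and criteria are constructed.
"""
from dataclasses import dataclass

# Constructed output of the SAP Query behind the data source.
QUERY_ROWS = [
    {"BUKRS": "1000", "KUNNR": "100001", "BLOCKED": "",  "CREDIT_LIMIT": 50000},
    {"BUKRS": "1000", "KUNNR": "100002", "BLOCKED": "X", "CREDIT_LIMIT": 0},
    {"BUKRS": "2000", "KUNNR": "100003", "BLOCKED": "",  "CREDIT_LIMIT": 250000},
    {"BUKRS": "1000", "KUNNR": "100004", "BLOCKED": "",  "CREDIT_LIMIT": 300000},
]

OPERATORS = {
    "EQ": lambda a, b: a == b,
    "NE": lambda a, b: a != b,
    "GT": lambda a, b: a > b,
    "IN": lambda a, b: a in b,
}


@dataclass(frozen=True)
class Criterion:
    field: str
    op: str
    value: object

    def holds(self, row):
        return OPERATORS[self.op](row[self.field], self.value)


@dataclass(frozen=True)
class Deficiency:
    """Step@3: a condition that makes an analysed row a defect, and the
    status the resulting issue is raised with (labels are constructed)."""
    criterion: Criterion
    status: str


@dataclass(frozen=True)
class BusinessRule:
    filters: tuple            # Step@2: all must hold for a row to be analysed
    deficiencies: tuple       # Step@3: first matching deficiency decides status
    deficiency_fields: tuple  # fields reported with each issue, e.g. KUNNR

    def analysed_rows(self, rows):
        return [r for r in rows if all(c.holds(r) for c in self.filters)]

    def evaluate(self, rows):
        """Return one issue per analysed row that meets a deficiency criterion."""
        issues = []
        for row in self.analysed_rows(rows):
            for d in self.deficiencies:
                if d.criterion.holds(row):
                    issue = {f: row[f] for f in self.deficiency_fields}
                    issue["status"] = d.status
                    issues.append(issue)
                    break
        return issues


# Constructed rule: only company code 1000 is in scope; a blocked customer
# is a high deficiency, a credit limit above 200000 a medium one.
CUSTOMER_RULE = BusinessRule(
    filters=(Criterion("BUKRS", "EQ", "1000"),),
    deficiencies=(
        Deficiency(Criterion("BLOCKED", "EQ", "X"), "High"),
        Deficiency(Criterion("CREDIT_LIMIT", "GT", 200000), "Medium"),
    ),
    deficiency_fields=("KUNNR", "BUKRS"),
)

if __name__ == "__main__":
    for issue in CUSTOMER_RULE.evaluate(QUERY_ROWS):
        print(issue)
```

Row 100003 never reaches the deficiency check because the filter excludes company code 2000; 100002 and 100004 become issues with the status of the first deficiency criterion they meet. That split between "what is analysed" and "what is a defect" is what the ad-hoc query in Step@7 lets you verify before the rule is set to ACTIVE.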



Regards

Baithi
