Information Document GRC RAR

Information Document
Document Id: SAP GRC RAR Overview
SAP GRC
Version 1.0

Ashish Dhar
AAO TAC SAP Security

Page 1

Document Control Section

Author:
Role                  Name
Author                Ashish Dhar
Reviewed by (SME)     Abhay Vaidya / Ramesh Deshmukh

Reviewers:
Role                  Name
Transition Manager
Project Manager

Contact Details:
Name    Role                    Email ID    Lotus Notes ID    Phone
        Project Manager
        Technical Consultant
        SME

Revision History
Version #    Author         Description of Changes    Issue Date
1.0          Ashish Dhar    Initial Document          5 Jan 2011

Information Document GRC RAR

AAO TAC SAP Security

Contents
1.0 SAP Presentation Interface
  1.0.1 SAP Instance
    1.0.1.1 SAP WAS ABAP System
    1.0.1.2 SAP WAS JAVA System
    1.0.1.3 SAP WAS ABAP + JAVA System
  1.0.2 GRC Agenda
  1.0.3 SAP GRC Components
1.1 RAR Informer Tab Overview
  1.1.1 RAR Management View Reports
    1.1.1.1 Risk Violations
    1.1.1.2 User Analysis
    1.1.1.3 Role Analysis
    1.1.1.4 Comparisons
    1.1.1.5 Alerts
    1.1.1.6 Rules Library
    1.1.1.7 Controls Library
  1.1.2 Risk Analysis and Audit Reports
    1.1.2.1 User Level
    1.1.2.2 Role Level
    1.1.2.3 HR Objects
    1.1.2.4 Org. Level
  1.1.3 Background Jobs
  1.1.4 RAR Simulation
1.2 RAR Rule Architect
  1.2.1 RAR Rule Architect Business Process Tab
  1.2.2 RAR Functions
  1.2.3 RAR Risks
    1.2.3.1 RAR Action Rules
    1.2.3.2 RAR Permission Rules
  1.2.4 RAR Utilities and Change History
  1.2.5 RAR Rule Set Components
  1.2.6 RAR Rule Structure
1.3 RAR Mitigation Control
  1.3.1 Mitigation Tab Administrator
  1.3.2 RAR Business Units
  1.3.3 RAR Mitigating Control
  1.3.4 RAR Mitigated Users
  1.3.5 RAR Alert Monitoring Using Alert Monitor
1.4 RAR Configuration Tab
  1.4.1 Default Values
    1.4.1.2 Performance Tuning
    1.4.1.3 Additional Options
  1.4.2 Mitigation Controls
  1.4.3 Workflow
  1.4.4 Miscellaneous
  1.4.5 Connectors
  1.4.6 Logical Systems
  1.4.7 Cross Systems
  1.4.8 Data Extractor
  1.4.9 Master User Source
  1.4.10 User Mapping
  1.4.11 Custom User Groups
  1.4.12 Upload Objects
  1.4.14 Backend Sync
  1.4.15 Background Jobs
  1.4.16 Organization User Mapping
  1.4.17 Custom Tabs
  1.4.18 SAP Adapter Servers
  1.4.19 Utilities
  1.4.20 Configuration Change History

Information Document GRC RAR

AAO TAC SAP Security

1.0 SAP Presentation Interface

The SAP GUI lets the user interact with the system and enter or display data.
The following SAP GUIs are available:
1. GUI for Windows
2. GUI for Java
3. GUI for HTML
GUI for Windows: The GUI code is written in C/C++ and runs on Windows-based platforms. It supports all transactions in the SAP system and uses the DIAG protocol to interact with the application server.
GUI for Java: The GUI code is written in Java and is platform independent. This GUI also uses the DIAG protocol to interact with the application server.
GUI for HTML: This uses the ITS (Internet Transaction Server) on the server side, interacting with the web browser. It does not require any installation at the front end. It may not support all the functions of an SAP system for the users in a company.

1.0.1 SAP Instance

An instance is an administrative unit combining SAP system components.
An SAP instance can have the following stacks:
1. ABAP stack
2. Java stack
3. ABAP + Java stack


1.0.1.1 SAP WAS ABAP System

An SAP system has one database and one or more instances, as shown in the diagram above. The diagram shows the SAP GUI connected to WAS ABAP, which in turn is connected to the message server and the Internet Communication Manager.
The Internet Communication Manager (ICM) enables SAP systems to communicate directly with the Internet. The ICM receives requests from the Internet and forwards them to the SAP system for processing. In doing so, it recognizes whether the request is a call to a Business Server Page or to a Java application and forwards the request to the ABAP runtime environment or the Java runtime environment accordingly.
The message server enables an SAP instance to interact with any other distributed ABAP or Java instance.


1.0.1.2 SAP WAS JAVA System

The diagram above shows the SAP GUI connected to WAS Java, which in turn is connected to the message server and the Internet Communication Manager. It receives HTTP requests directly from the web browser for processing.

1.0.1.3 SAP WAS ABAP + JAVA System

The diagram above shows the SAP GUI connected to WAS ABAP + Java, which in turn is connected through the message server and the Internet Communication Manager. The ICM integrates the connectivity for the ABAP and Java instances for receiving HTTP requests. The message server helps to interact with any other distributed ABAP or Java instance. JCo is used for the interaction between SAP and the Java interface (Portal).

1.0.2 GRC Agenda

1. GRC definition
2. SOX Act
3. SAP GRC components and functionality
Definition:
Governance: A state of management defined by policies, processes, decisions and guidance for a given area of responsibility.
Risk Management: Defined as the identification, assessment and prioritization of risks, followed by the use of the available resources to monitor and minimize their impact.
Compliance: A state of something being in accordance with established guidelines and specifications.
SOX Act:
The Sarbanes-Oxley Act of 2002 is a legislative act brought into practice after the Enron and WorldCom financial frauds, in order to protect shareholders and the general public from accounting errors and fraudulent practices in an enterprise.
The SOX legislation affects both the financial and IT sides of an enterprise and requires all business records, including electronic records, to be stored for not less than 5 years.
GRC Schema:
ABAP stack: GRC applications run through transactions in SAP, e.g. /n/virsa/vfat runs the Firefighter application in SAP to provide a firefighter ID.
Java stack: CUP, RAR, ERM etc. run as HTTP applications and interact with the SAP systems through Java connectors.
ABAP + Java stack: both transaction codes and the web browser are used to run the GRC applications.
1.0.3 SAP GRC Components:
RAR - Risk Analysis and Remediation provides the capabilities to get clean, including identification and elimination of existing access and authorization risks at the transaction code and authorization object level.
ERM - Enterprise Role Management addresses the root cause of access control problems through standardized and centralized role design, testing and maintenance. As a result, the software helps to eliminate manual errors and makes it easier to enforce best practices. Technical experts and business process owners can document role definitions, perform automated risk assessments and track changes.
CUP - Compliant User Provisioning enables fully compliant user provisioning throughout the employee life cycle and prevents new segregation of duties (SoD) violations. Businesses can automate provisioning, test for SoD issues, streamline approvals and reduce the workload for IT staff.
SPM - Superuser Privilege Management enables users to perform activities outside of their role using superuser-like privileges in a controlled, auditable environment. The application tracks, monitors and logs every activity a superuser performs with a privileged user ID.

RAR Functionality:

1.1 RAR Informer Tab Overview

The purpose of an analysis is to give the enterprise Governance, Controls and Process teams and the Security teams alternatives for correcting or eliminating risks.
Security analysis allows risks to be reviewed for:
- Roles / Templates
- Users
Security analysis also allows a role to be reviewed to determine how certain personnel can be restricted from performing undesired activities, using:
- Objects
- Fields
- Values

1.1.1 RAR Management View Reports

The management view reports provide a graphical view of the scheduled, analyzed data in the form of pie charts, bar charts and line charts.


1.1.1.1. Risk Violations

SoD violations are shown by risk level and by process. Here we can see that 1444 violations exist for around 25413 users at risk level.
By process, the OTC process has 6% of the violations and the Finance process has 10%.

1.1.1.2. User Analysis

SoD risk type analysis: No Violations, Mitigated Users, Critical, High, Medium, Low.
Critical Actions and Roles risk type analysis. As we can see:
Number of users analyzed: 30399
Users with violations: 23975
Users without violations: 6424
The number of critical actions, roles, profiles etc. is also provided there.


1.1.1.3. Role Analysis

Here we can analyze the SoD risk type analysis:
Roles with no violations: 99%
Roles with violations: 1%
SoD violations by roles and by users can be analyzed.


1.1.1.4. Comparisons
Choose quarterly or monthly comparisons. Analysis can be performed for user, role or profile remediation progress and percent completion.

1.1.1.5. Alerts
Alerts by month and conflicting alerts by process.
Here the conflicting tcodes are displayed for the year 2010. We can also see the alerts for the different processes, e.g. SD has 2034 alerts.


1.1.1.6. Rules Library (Rules by Risk Level and Process)

A rule can be at action, permission or risk level.
Here we can see that 72879 active rules are defined at action level and 161 rules are disabled.
For the Basis process area there are 15587 rules, and for the FI area 16059 rules.


1.1.1.7. Controls Library (Mitigating Controls by Risk Level and Process)

Here we can see that for the business unit HR Payroll there are 23 mitigating control IDs in total: 7 active and 16 inactive.

1.1.2 Risk Analysis and Audit Reports:

RAR offers the following levels of risk analysis.

1.1.2.1. User Level
In the slide below, for user ADHAR with report type action level, we can see the risks existing in the system.


We can also see the conflicting actions for risk B001CQ (tcodes SA38 and SM01 are in a conflicting state). The risk level is High for the business process Basis.

1.1.2.2. Role Level

Here the system is R3 Production and the report is run at permission level in order to analyze the risk for role ECC_SEC_SO_ERD0842_M. We selected risks for all processes.

After running it, we found that it reported conflicts, e.g. B001CQ01 for tcodes SE38 and SM01.


1.1.2.3. HR Objects
Here we can run the simulation for HR objects such as positions, org. units and jobs.

After running the report, no violations were found in the system.

1.1.2.4. Org. Level

The report can also be run at org. level by entering the system name and the risk by process area, for a single user or for all users. Here it did not show any violations.


Each level has its own selection criteria screen.

Other Features
Click + More Options to view additional selection criteria fields.
Selection criteria can be saved as a variant.
You can also search for variants.

1.1.3 Background Jobs
Reports can be executed in the foreground or in the background.
View the background job status within the Informer tab.
Here the ID GRC_ADMIN has scheduled a background job, which is complete.


Reports can be run at:

1. Action Level
Only performs the analysis at the action level (tcode level).
2. Permission Level
Includes permission tests (authorization object level).
3. Critical Actions
Tests users that have access to the action codes listed as a Critical Action in the Rule Architect.
4. Critical Roles/Profiles
Tests users that have access to the roles or profiles listed as Critical Roles/Profiles in the Rule Architect.
5. Mitigation Controls
Lists the assigned mitigating controls.
* RAR can be configured at action or permission level; the two cannot be combined.
* Summary report: shows the user or role and the corresponding risk group and action conflicts involved.
* Executive/Management Summary report: provides a description of the risks and a count of the number of rules which are causing the conflict.
* Detail report: lists each risk as a single line item, displays the risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including the conflicting functions.


1.1.4 RAR Simulation

Simulation is accessible from the Risk Analysis screen. It is used to see the effect on the system if you were to add or remove the following for users or roles/profiles:
- Action
- Role
- Profile


1.2 RAR Rule Architect:

The Rule Library holds the list of all the rules created in RAR, organized by process area, criticality, status etc.

1.2.1 RAR Rule Architect Business Process Tab
Business Process:
The business area categories in which you would like to report risk analysis results in RAR. We can see the different business processes created in RAR, such as BS00-Basis, FI00-Finance and HR. The functionality to change or delete a business process is also there.


1.2.2. RAR Functions

Function: A grouping of one or more related actions and/or permissions for a specific business area. Here we can see functions such as CC01-Maintain Cost Center Distribution.


1.2.3 RAR Risks

Risk:
An opportunity for physical loss, fraud, process disruption or productivity loss that occurs when individuals exploit a specific condition.
In RAR, a risk is defined as two or more transactions that, when available to a single user, role, profile or HR object, create the possibility of error or irregularity.
A risk is a mapping between two functions, not between tcodes; this is what is called segregation of duties (SoD).
Critical Risk: this risk is present for critical tcodes such as SM30 and SCC4.

1.2.3.1 RAR Action Rules

Action:
An activity (i.e. a transaction code) that is performed in the system in order to fulfil a specific function. Here rules are created for conflicting actions, e.g. rule ID F001001 is for 2 conflicting actions.


1.2.3.2 RAR Permission Rules

Permission:
Authorizations (i.e. authorization objects) that allow a user to perform a particular activity in a system. Here rule B00100101 is set for 3 functions down to object level.
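The rule structure described in sections 1.2.2 to 1.2.3.2 (functions grouping actions and permissions, a risk pairing two functions, rules as the expansion of that pair) and the action-level versus permission-level report distinction from 1.1.3 can be modelled in a few dozen lines. The following is an added example, not code from the original document or from SAP; the function IDs PR01/AP02, the risk ID P001, the user IDs and their authorizations are all constructed for illustration (the transaction codes and authorization objects named are used only as sample values). It shows why permission-level analysis reports fewer violations than action-level analysis: a user who holds both transactions but lacks the authorization values one function requires is flagged only at action level.

```python
"""Added example (not from the original document): a minimal model of the RAR
rule structure. Functions group actions (transaction codes) and permissions
(authorization object / field / values); a risk pairs two functions; action
rules are the expansion of a risk into concrete conflicting action pairs. All
function IDs, risk IDs, users and authorizations below are constructed."""
from itertools import product

# Constructed functions: the actions each contains and the authorization
# values a user must hold for the function to count at permission level.
FUNCTIONS = {
    "PR01": {  # hypothetical "Maintain vendor master"
        "actions": {"XK01", "XK02"},
        "permissions": {"F_LFA1_APP": {"ACTVT": {"01", "02"}}},
    },
    "AP02": {  # hypothetical "Process vendor payments"
        "actions": {"F110"},
        "permissions": {"F_REGU_BUK": {"FBTCH": {"02", "21"}}},
    },
}

# Constructed risk: two functions that conflict (segregation of duties).
RISKS = {"P001": ("PR01", "AP02")}


def action_rules(risk_id):
    """Expand a risk into action-level rules: one rule per conflicting action pair."""
    f1, f2 = RISKS[risk_id]
    return sorted(product(sorted(FUNCTIONS[f1]["actions"]),
                          sorted(FUNCTIONS[f2]["actions"])))


def has_function_actions(user, func):
    """Action level: the user holds at least one action of the function."""
    return bool(FUNCTIONS[func]["actions"] & user["actions"])


def has_function_permissions(user, func):
    """Permission level: the action AND, for every object the function lists,
    at least one of the required field values must be granted."""
    if not has_function_actions(user, func):
        return False
    for obj, fields in FUNCTIONS[func]["permissions"].items():
        granted = user["auths"].get(obj, {})
        for field, values in fields.items():
            if not (values & granted.get(field, set())):
                return False
    return True


def analyze(user, level="action"):
    """Return the risk IDs the user violates at the requested report level."""
    check = has_function_actions if level == "action" else has_function_permissions
    return sorted(r for r, (f1, f2) in RISKS.items() if check(user, f1) and check(user, f2))


def summary(users, level="action"):
    """Management-view style counts: users analyzed, with and without violations."""
    violating = {name for name, u in users.items() if analyze(u, level)}
    return {"analyzed": len(users), "with_violations": len(violating),
            "without_violations": len(users) - len(violating)}


# Constructed users. UCLERK holds both transactions but only display authority
# (ACTVT 03) on F_LFA1_APP, so the action-level report flags P001 while the
# permission-level report does not.
USERS = {
    "UCLERK": {"actions": {"XK01", "F110"},
               "auths": {"F_LFA1_APP": {"ACTVT": {"03"}}, "F_REGU_BUK": {"FBTCH": {"02"}}}},
    "UADMIN": {"actions": {"XK02", "F110"},
               "auths": {"F_LFA1_APP": {"ACTVT": {"02"}}, "F_REGU_BUK": {"FBTCH": {"21"}}}},
    "UVIEW": {"actions": {"XK03"}, "auths": {"F_LFA1_APP": {"ACTVT": {"03"}}}},
}

if __name__ == "__main__":
    print("action rules for P001:", action_rules("P001"))
    for level in ("action", "permission"):
        print(level, {u: analyze(USERS[u], level) for u in USERS}, summary(USERS, level))
```

Running the block prints two action rules for P001 (XK01/F110 and XK02/F110), two violating users at action level and only one at permission level, which is the effect the Informer tab's choice between the two report types has on real systems.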


1.2.4 RAR Utilities and Change History

We can import or export rules through this tab, which makes it an important tab.
The change history helps us to analyze the changes made to a function or a risk.

1.2.5 RAR Rule Set Components:

1.2.6 RAR Rule Structure

1.3 RAR Mitigation Control

Risk types in GRC can be:
1) Remediated 2) Mitigated.
A risk identified in the GRC system that cannot be remediated, and that it becomes necessary to grant to a set of users, needs to be mitigated.

The Mitigating Controls feature in GRC RAR provides a systematic way to mark conflicting access for users, positions or roles (ERD, templates, users) as remediated.

When implemented, SoD reports can show that a user, position or role has been mitigated for particular SoD risk(s).

Mitigation is primarily triggered by a decision of the Governance, Controls and Process and SAP Business Process Controls teams to retain conflicting access.

A mitigating control includes the GRC Mitigating Control ID, Risk ID, monitors and approvers, controls framework reference, etc.

RAR Mitigation Tab:


1.3.1 Mitigation Tab Administrator:

Mitigation activity has to have administrator users as approvers and monitors.
Here we can see that a single person has been configured as monitor and approver for mitigating controls. Mitigation is done at user level.
We can see that user ID MMD has the authority of both monitor and approver.

1.3.2 RAR Business Units

There are 11 business units, as shown, namely BA00 Basis, HR00 HR Payroll, PM00 Plant Maintenance etc.


1.3.3. RAR Mitigating Control

Here we can see the mitigating control IDs created for the respective risk IDs. Control ID TEMP_B001 has business unit Basis and an approver assigned.


Example to Create a Mitigation ID

In the slides below an example of creating a mitigating ID is explained.
TEMP_B003 is a mitigating ID of business unit Basis with approver MKIRAN.
By clicking the risk ID input help button on the Associated Risk tab, you get a list of risk IDs to which this mitigating / control ID can be assigned.
On the Monitor tab we select the user who is to be the monitor for the control ID.
Then we save the ID, and we can see it again from the Search tab.


1.3.4 RAR Mitigated Users:

The mitigation ID has to be assigned to the specific user. Here we can see that IDs have been assigned to all users and roles, which is not an ideal case. A mitigating ID should only be assigned in the scenario where risk elimination is not possible.


RAR Mitigated Roles:


1.3.5 RAR Alert Monitoring Using Alert Monitor:

The Alert Monitor tab sets up the tracking of alerts in the following risk areas:
Conflicting Actions: These are pairs of actions that, when assigned to one user, role or organizational function, constitute a risk. These conflicts may be within the enterprise's business rules.
Critical Actions: These are actions which, when executed, may affect the integrity of company functions. A critical transaction may generate a risk situation or violation without being in conflict with another transaction.
Mitigation Monitoring: Mitigations can be characterized as approved and authorized conflict conditions. Risks that would normally be corrected or removed are instead permitted, permanently or with defined time restrictions. These mitigations must be monitored to remain within regulatory parameters.
Cleared Alerts: When an alert message has been delivered and cleared, it remains as an archived record. It can still be tracked and monitored.
When a conflicting or critical action is used, the risk owner assigned to the associated risk is notified by email:
The email message is sent to the email address entered in the Mitigation tab.
Monitors can also review the list of alerts through the Alert module.
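The Alert Monitor behaviour described above (a conflicting-action alert when one user has executed both actions of a pair, a critical-action alert when a critical transaction is executed, notification of the risk owner, and cleared alerts kept as archived records) is shown below as an added example; it is not code from the original document or from SAP. The usage log format, the risk IDs P001/B001, the user IDs and the owner addresses are constructed; SCC4 and SM30 are used as the critical tcodes because the document names them in section 1.2.3.

```python
"""Added example (not from the original document): alert generation in the
style of the RAR Alert Monitor over a constructed transaction-usage log.
Risk IDs, risk owners, users and the log format are all invented."""
import re
from collections import defaultdict

# Constructed log line format: "<date> <time> user=<id> tcode=<code>".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\w+) tcode=(?P<tcode>\w+)$")

# Constructed rule data: conflicting action pairs and critical actions, each
# with the risk owner address that must be notified when an alert is raised.
CONFLICTING_ACTIONS = {"P001": (("XK01", "F110"), "owner.ap@example.invalid")}
CRITICAL_ACTIONS = {"B001": (("SCC4", "SM30"), "owner.basis@example.invalid")}

# Constructed usage log; the malformed fifth line is there to show it is skipped.
USAGE_LOG = """\
2010-11-03 09:12:44 user=UCLERK tcode=XK01
2010-11-03 09:40:10 user=UCLERK tcode=F110
2010-11-03 10:05:01 user=UVIEW tcode=XK03
2010-11-04 08:00:12 user=UADMIN tcode=SCC4
2010-11-04 08:02:00 malformed entry
2010-11-04 08:01:30 user=UADMIN tcode=F110
"""


def parse_log(text):
    """Return one dict per well-formed log line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def generate_alerts(events):
    """Raise conflicting-action and critical-action alerts for the period."""
    used = defaultdict(set)       # user -> tcodes executed in the period
    first_seen = {}               # (user, tcode) -> first timestamp
    for e in events:
        used[e["user"]].add(e["tcode"])
        first_seen.setdefault((e["user"], e["tcode"]), e["ts"])
    alerts = []
    for user, tcodes in sorted(used.items()):
        for risk_id, ((a, b), owner) in CONFLICTING_ACTIONS.items():
            if a in tcodes and b in tcodes:
                alerts.append({"type": "conflicting", "risk": risk_id, "user": user,
                               "actions": (a, b), "notify": owner, "cleared": False,
                               # the pair became complete at the later of the two uses
                               "at": max(first_seen[(user, a)], first_seen[(user, b)])})
        for risk_id, (critical, owner) in CRITICAL_ACTIONS.items():
            for t in sorted(tcodes & set(critical)):
                alerts.append({"type": "critical", "risk": risk_id, "user": user,
                               "actions": (t,), "notify": owner, "cleared": False,
                               "at": first_seen[(user, t)]})
    return alerts


def clear_alert(alerts, index):
    """Mark an alert as cleared; it stays in the list as an archived record."""
    alerts[index]["cleared"] = True
    return alerts


def open_alerts(alerts):
    return [a for a in alerts if not a["cleared"]]


if __name__ == "__main__":
    found = generate_alerts(parse_log(USAGE_LOG))
    for a in found:
        print(f"{a['type']:<11} {a['risk']} {a['user']} {a['actions']} -> notify {a['notify']} at {a['at']}")
    clear_alert(found, 1)
    print("open:", len(open_alerts(found)), "archived total:", len(found))
```

The constructed log yields two alerts: a critical-action alert for UADMIN (SCC4) and a conflicting-action alert for UCLERK (XK01 and F110); clearing the second leaves one open alert but both records in the archive, which is the retention behaviour the section describes for cleared alerts.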


1.4 RAR Configuration Tab

1.4.1 Risk Analysis
1.4.1.1. Default Values
Default report type for risk analysis: This option determines the default report type populated when executing a Risk Analysis.


Default risk level for risk analysis: This option determines the default risk level populated when executing a Risk Analysis.
Default user type for risk analysis: This option determines the default user type included when executing a Risk Analysis.
Default rule set for risk analysis: This option determines the rule set defaulted as selection criteria when executing a Risk Analysis from RAR. The same default rule set is used for risk analyses initiated from CUP, ERM and Risk Terminator, so this option is used by all capabilities. You can modify it for risk analyses performed within RAR; you cannot modify it when the risk analysis is initiated from CUP, ERM or Risk Terminator.
Exclude Locked Users: This option specifies whether locked users are excluded when executing a Risk Analysis.
Exclude Expired Users: This option specifies whether expired users are excluded when executing a Risk Analysis.
Exclude Mitigated Risks: This option specifies whether risks with assigned mitigating controls are excluded when executing a Risk Analysis.


1.4.1.2 Performance Tuning: Use Risk Analysis Performance Tuning to optimize performance according to the demands of your usage and network environment. The tuning options are:
Batch Size for User Synchronization: Specifies the number of users to synchronize at a time. Reducing this value decreases performance. Increasing this value too much may cause timeouts during synchronization.
Number of Web Service Worker Threads: Specifies the number of server threads to dedicate to web service calls, such as calls from the Analysis Engine. If you experience Risk Analysis performance issues, consider increasing this thread allocation.
Number of Background Job Worker Threads: Specifies the number of server threads to dedicate to background jobs. If you schedule multiple background job processes to run simultaneously, these operations may be held up until another one of your background job processes is completed. When this happens often enough to slow performance, consider increasing this thread allocation.
RFC Timeout for Web Services / Background Job Worker Threads: Specifies, in minutes, the timeout value for remote function calls. The amount of data you process and the number of threads you allocate can affect whether you experience RFC timeouts during web service or background job operations.
Web service violation limit: Sets the threshold violation limit for the Risk Analysis web service. When the violation data count exceeds this limit, an error message appears. The default value is 1000; if set to 0 (zero) there is no upper or lower limit.
Row-prefetch value for Oracle Risk Analysis: You can change the number of rows retrieved with each trip to the database; the minimum value is 10.
Use NetWeaver Logical Lock: If set to Yes, this option avoids the use of database locks and improves performance by reducing database hits.


Store Web Service Input/Output parameter objects in database: If set to Yes, this option avoids using the common folder location specified in the Background Job Spool File Location option for writing I/O object files during web service calls. In a cluster environment where the common network disk/folder has latency problems, using this option improves performance. Note that the database transaction log will grow, which becomes a problem if the database log is not maintained properly.

1.4.1.3 Additional Options: Use Additional Options to specify additional configuration options for users who run Risk Analysis using the Informer tab. These options include:
Ignore Critical Roles & Profiles: This setting determines whether roles and profiles maintained in the Critical Roles and Profiles tables are ignored when user risk analysis is performed. The default is No.
Show Composite Role in User Analysis: This setting determines whether composite role names are displayed when risk analysis is performed.


Use SoD Supplementary Table for Analysis: This setting determines whether the SoD supplementary table is checked when risk analysis is performed. If no supplementary rules are maintained, this parameter must be set to No to avoid incorrect results in Risk Analysis.
Include Role/Profile Mitigating Controls in User Analysis: This setting determines whether role-based or profile-based mitigating controls are included in user-based Risk Analysis reports. The risk analysis includes user-level mitigating control IDs, if they exist. If not, the report displays either the role-based or the profile-based mitigating control ID (in that order). If you set this option to Yes, the mitigation flows to the risks mitigated at the role/profile level (regardless of whether the user has the risk from that role or from additional roles). The default value is No.
Enable Offline Risk Analysis: This setting allows Risk Analysis to be performed without real-time communication with a back-end system; it uses the data from the Batch Risk Analysis for reporting. Enabling offline analysis results in faster response times for Risk Analysis reports.
Consider Org Rules: This setting determines whether to consider organizational rules when updating the management reports of the Informer tab and during the Risk Analysis web service call. If no organizational rules are maintained, this parameter must be set to No to avoid incorrect results in the Risk Analysis. The default value is No.
Convert users, roles and profiles to upper case: This option converts users, roles and profiles to upper case (recommended for SAP systems); the default value is Yes. Setting the value to No disables this feature.
Include Reference User when doing User Analysis: This setting determines whether access gained through the assignment of a reference user to a user ID is included in Risk Analysis for users. Reference users are templates which give predefined access to individual user IDs. If reference user security is considered in Risk Analysis, the report rows related to access gained from the reference user assignment are displayed in a different color than the rows resulting from access gained by direct assignment.
Show All Objects in Risk Analysis: This setting determines whether all objects in the selection criteria range are shown in the report, whether or not they have associated risks. For example, a user-level Risk Analysis shows that User A has risks and User B has no risks. Setting this value to Yes returns Users A and B in the results, whereas setting this value to No returns only User A.


Enable monitor notification: This setting enables email notification to the specified monitor. This occurs when the monitor is assigned to or removed from a mitigating control.
Show Selection Criteria: This setting determines whether to show the selection criteria in Risk Analysis reports. The default value is Yes.
Enable Data Mart Job: Use this option to enable data mart reporting. The default is No.


1.4.2 Mitigation Controls: Use the Mitigating Controls setting to specify, in days, the validity period for a mitigating control. The validity period starts when the mitigation is assigned to a risk. Because mitigating controls must have an expiration when they are assigned, this validity period is assigned automatically if none is specified during risk mitigation.
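The Default Values options of section 1.4.1.1 (Exclude Locked Users, Exclude Expired Users, Exclude Mitigated Risks) and the validity period of section 1.4.2 all act as filters between the raw analysis result and the report a user sees. The following added example models that filtering; it is not code from the original document or from SAP. The user IDs, risk IDs, control ID and raw violation list are constructed, and the 365-day validity is an assumed configuration value rather than a documented default.

```python
"""Added example (not from the original document): applying the RAR default
values and the mitigating-control validity period to an analysis result.
All users, risks, control IDs and the 365-day validity are constructed."""
from datetime import date, timedelta

CONFIG = {
    "exclude_locked_users": True,
    "exclude_expired_users": True,
    "exclude_mitigated_risks": True,
    "mitigation_validity_days": 365,  # assumed value, set in Configuration > Mitigation Controls
}

# Constructed raw result of the analysis engine: (user, risk_id) pairs.
RAW_VIOLATIONS = [("UCLERK", "P001"), ("UADMIN", "P001"), ("ULOCKED", "P001"), ("UOLD", "B001")]

# Constructed user master data: lock flag and validity end date.
USERS = {
    "UCLERK": {"locked": False, "valid_to": date(9999, 12, 31)},
    "UADMIN": {"locked": False, "valid_to": date(9999, 12, 31)},
    "ULOCKED": {"locked": True, "valid_to": date(9999, 12, 31)},
    "UOLD": {"locked": False, "valid_to": date(2010, 6, 30)},
}


def day(text):
    """Small helper so dates can be written as ISO strings."""
    return date.fromisoformat(text)


def assign_control(control_id, user, risk_id, valid_from, valid_to=None, config=CONFIG):
    """Assign a mitigating control to a user/risk pair. If no end date is given,
    the configured validity period is applied automatically, as section 1.4.2 states."""
    if valid_to is None:
        valid_to = valid_from + timedelta(days=config["mitigation_validity_days"])
    return {"control": control_id, "user": user, "risk": risk_id,
            "valid_from": valid_from, "valid_to": valid_to}


def is_mitigated(user, risk_id, controls, on):
    """A risk counts as mitigated only while a matching control is within its validity."""
    return any(c["user"] == user and c["risk"] == risk_id
               and c["valid_from"] <= on <= c["valid_to"]
               for c in controls)


def filter_report(violations, users, controls, on, config=CONFIG):
    """Drop violations the default values say to exclude, evaluated on date `on`."""
    out = []
    for user, risk_id in violations:
        u = users[user]
        if config["exclude_locked_users"] and u["locked"]:
            continue
        if config["exclude_expired_users"] and u["valid_to"] < on:
            continue
        if config["exclude_mitigated_risks"] and is_mitigated(user, risk_id, controls, on):
            continue
        out.append((user, risk_id))
    return out


if __name__ == "__main__":
    controls = [assign_control("TEMP_P001", "UCLERK", "P001", day("2010-01-05"))]
    print("control valid until:", controls[0]["valid_to"])
    print("report on 2011-01-01:", filter_report(RAW_VIOLATIONS, USERS, controls, day("2011-01-01")))
    print("report on 2011-02-01:", filter_report(RAW_VIOLATIONS, USERS, controls, day("2011-02-01")))
```

With the control assigned on 5 Jan 2010 and the assumed 365-day validity, UCLERK's risk is hidden from the January 2011 report but reappears in February 2011 once the control has expired; the locked and expired users are excluded on both dates. Switching Exclude Mitigated Risks to No shows mitigated risks again, which is the behaviour an auditor reviewing the mitigation inventory usually wants.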


1.4.3 Workflow: Use Workflow to specify the conditions under which workflows are triggered and which workflow engine to use. Workflow is possible for several RAR processes. However, Compliant User Provisioning must be enabled and configured in order for workflow to work in Compliance Calibrator. Please refer to the Compliant User Provisioning User Guide for information on configuring Compliant User Provisioning to accommodate RAR workflow approval flows.

1.4.4 Miscellaneous: Use the miscellaneous settings to specify:
- How often to invoke the background job daemon.
- How many lines can be displayed in a Print Preview window.
- Background job spool file name and location.
- Alert log file name and location.
- Whether to keep a change history to track all changes made to risks.
- Whether to keep a change history to track all changes made to functions.
- Default management report violation count: specifies whether counts are done at the risk or permission level on the management reports.
By default, logging is disabled until you specify an alert log path and file name, or enable the risk and function change logs.
If you specify an alert log filename and location, you will need to monitor the size of that file (in environments that generate many alerts).
MIC User Mappings (not used)
MIC Risk Mappings (not used)


1.4.5 Connectors: Use the Connectors > Create command to create JCo connectors for each back-end system you want to connect to SAP Compliance Calibrator. Enter the appropriate information in the following fields:
SAP Gateway: The SAP back-end system gateway name, which will be maintained by Basis for each instance of the R/3 system or group of application servers.
Report Name: In order to communicate with the back-end Risk Terminator system, you need to maintain the RFC destination using transaction SM59. You need to create a unique external program name (SM59 > TCP/IP connections > Connection type = T).
Outbound Connection: Flag to indicate whether the connector is enabled for Risk Terminator.
Unicode System: Flag to indicate whether the back-end R/3 system is Unicode enabled or not (normally 4.7).
The System ID and System Name fields are text identifiers only, so they do not have to correspond to the system you are connecting to. Use the System Type field to specify the type of system for this connector.
System Type: The supported connection types are SAP Adaptive RFC, File FTP and File Local. There are several context-specific fields that display only when you choose the connection type to which they apply, such as the name or URL of the remote server, login information or (for File - Local connectors) Location.
When entering the Location of the local file, enter the path to the file. You specify the file name when you create a data extractor (Data Extractor > Create) that uses this connector.
When entering the URL for a web server or for an FTP server, include the port number on which that server listens, in standard URL format (<URL>:<port_number>).
The JCO Destination field allows you to select a system from a drop-down list of systems that have been registered in the Java server services file and are available on the network.


1.4.6 Logical Systems: A Logical System is two or more physical systems grouped
together, for the purpose of performing analysis against the same rules.

Ashish Dhar

Page 48

Information Document GRC RAR

Ashish Dhar

AAO TAC SAP Security

You use logical systems to group rules in a way that limits the amount of effort required to load and maintain identical rule sets across multiple systems.

Once a logical system has been defined, Generate Rules from the Logical System menu. This will build rules for the Logical System.

Physical systems, Logical Systems, and Cross Systems (described in the following section) share the following relationships:
o One physical system can be linked to one or more Logical Systems.
o One physical system can be linked to one or more Cross Systems.

When creating Functions in Rule Architect, you can create or delete an action or permission and assign it to different systems. A function action can be defined against both a Logical System and a physical system. When the same action is defined against both, the physical system takes precedence.

Once a Logical System has been defined, generate rules using Configuration > Logical System. This will build rules for the Logical System. If a physical system within a Logical System grouping contains one or more rules that are specific to that physical system, the physical system rule will be checked first.
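The precedence rule above (physical-system rule first, Logical System rule as the fallback) and what "Generate Rules" has to produce for each member system can be modelled in a few lines. The following is an added example, not RAR's own code or data model: the Logical System ID LS_ERP, the physical system IDs PRD100 and PRD200, the risk levels and the transaction codes used as action names are all constructed sample values.

```python
# Added example (not RAR's code): a physical-system rule takes precedence over
# a Logical System rule for the same function action, and "Generate Rules" for
# a Logical System materialises the effective rules of every member system.
from dataclasses import dataclass, field


@dataclass
class RuleRepository:
    # Logical System ID -> set of physical system IDs grouped under it
    logical_systems: dict = field(default_factory=dict)
    # (system ID, action) -> risk level; the system ID may be a Logical System
    # ID or a physical system ID
    action_rules: dict = field(default_factory=dict)

    def logical_systems_of(self, physical: str) -> list:
        """One physical system may belong to several Logical Systems."""
        return sorted(ls for ls, members in self.logical_systems.items()
                      if physical in members)

    def resolve(self, physical: str, action: str):
        """Return (rule owner, risk level) for an action on a physical system.

        The physical system's own rule is checked first; only if none exists
        is the rule of a Logical System the physical system belongs to used.
        """
        if (physical, action) in self.action_rules:
            return physical, self.action_rules[(physical, action)]
        for ls in self.logical_systems_of(physical):
            if (ls, action) in self.action_rules:
                return ls, self.action_rules[(ls, action)]
        return None

    def generate_rules(self, logical: str) -> dict:
        """Effective rule table for every member of a Logical System,
        honouring the physical-first precedence."""
        members = self.logical_systems[logical]
        actions = {act for (owner, act) in self.action_rules
                   if owner == logical or owner in members}
        table = {}
        for physical in sorted(members):
            table[physical] = {}
            for act in sorted(actions):
                hit = self.resolve(physical, act)
                if hit is not None:
                    table[physical][act] = hit[1]
        return table


def build_sample_repository() -> RuleRepository:
    """Constructed data: two production systems under one Logical System.
    Transaction codes serve as action names (constructed sample values)."""
    repo = RuleRepository()
    repo.logical_systems["LS_ERP"] = {"PRD100", "PRD200"}
    # Logical System rules shared by every member system
    repo.action_rules[("LS_ERP", "FB01")] = "High"
    repo.action_rules[("LS_ERP", "SU01")] = "Medium"
    # Rule specific to PRD200: overrides the Logical System rule for FB01 there
    repo.action_rules[("PRD200", "FB01")] = "Critical"
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print(repo.resolve("PRD100", "FB01"))   # ('LS_ERP', 'High')
    print(repo.resolve("PRD200", "FB01"))   # ('PRD200', 'Critical')
    print(repo.generate_rules("LS_ERP"))
```

Running it shows the point the text makes: PRD100 inherits the Logical System rule for FB01, while PRD200 is judged by its own rule, and the generated table for LS_ERP differs per member only where such a physical-system rule exists.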

To create a Logical System:
o Create physical systems using Configuration > Connectors.
o Create a Logical System and assign the physical systems.
o Go to rule upload and upload function action and function permissions for the logical system. During the initial installation, all rule files need to be loaded. When loading actions and permissions, be sure to select the Logical System ID.
o Auth and Text data must be loaded for at least one physical system. If text and authorization data is loaded for multiple systems, the text and authorizations for the logical system will default to the data loaded for the first system defined. The Auth and Text data is used when manually updating functions. The Text data is used for populating the descriptions in the analysis reports.

1.4.7 Cross Systems: A Cross System is a group of physical systems, created for
the purpose of running user analysis operations across multiple systems. You can
select and view Cross Systems when you generate and view Informer Management
Reports, and when you perform risk analysis.

Physical systems, Logical Systems, and Cross Systems share the following relationships:
o One physical system can be linked to one or more Logical Systems.
o One physical system can be linked to one or more Cross Systems.
o Risk Analysis can be completed against one system or all systems.

Once you have defined two or more systems as a Cross System, those systems will be analysed when you select that Cross System. With Cross Systems defined, you can perform analysis operations against one physical system, all physical systems or a selected Cross System.

1.4.8 Data Extractor: Data Extraction enables you to obtain User, Role, and Profile data from different systems and to reconcile and unify that data in Compliance Calibrator format:
o Create Data Extractor
o Search Extractor
o Compare and Generate Incremental Upload Files

1.4.9 Master User Source:

As part of the installation process, you defined a Master User Source to specify the system from which SAP Compliance Calibrator obtains user data.

Change the Master User Source setting only when you want to change the primary system you use for user data. If you change the Master User Source setting, verify and update any custom user mapping you have done, and perform Backend Sync. Only systems for which you have created a connector appear in the Select System drop down menu.

1.4.10 User Mapping: Use User Mapping to link multiple accounts associated with an individual user, so that Risk Analysis operations produce valid results for each user, and so that the data displayed in reports reflects usage and violations on a per user (rather than a per user account) basis.

Enter the Master User ID (the ID to be used to identify this user in generated reports), specify the System ID on which the secondary account resides, and then enter the secondary account for that user in the System User ID field.

If you have a one-to-one relationship between users and user accounts across all connected systems, you do not need to map users.
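Why per-user rather than per-account analysis matters is easiest to see on a concrete case: a person whose two accounts on two systems each hold one side of a segregation-of-duties conflict looks clean account by account and only shows the conflict once both accounts are mapped to one Master User ID. The following is an added example, not RAR's code or data model; the mapping table, the accounts, the risk P001 and the transaction codes used as action names are constructed sample values, and treating an unmapped account as its own user is this example's reading of the one-to-one case above.

```python
# Added example (not RAR's code): per-account versus per-user SoD analysis
# driven by a user mapping table.
from collections import defaultdict

# Constructed user mapping: Master User ID -> [(System ID, System User ID), ...]
USER_MAPPING = {
    "JDOE": [("PRD100", "JDOE"), ("PRD200", "DOEJ_FI")],
}

# Constructed authorisations: (System ID, account) -> actions the account can run.
# Transaction codes serve as action names (constructed sample values).
ACCOUNT_ACTIONS = {
    ("PRD100", "JDOE"):    {"ME21N"},           # create purchase order
    ("PRD200", "DOEJ_FI"): {"MIRO"},            # post vendor invoice
    ("PRD200", "ASMITH"):  {"ME21N", "MIRO"},   # both sides in one account
}

# Constructed SoD risk: Risk ID -> (actions of function A, actions of function B)
RISKS = {"P001": ({"ME21N"}, {"MIRO"})}


def master_user_for(system: str, account: str) -> str:
    """Map a (system, account) pair to its Master User ID. Unmapped accounts
    are taken as their own user, i.e. the one-to-one case that needs no mapping."""
    for master, accounts in USER_MAPPING.items():
        if (system, account) in accounts:
            return master
    return account


def actions_per_user() -> dict:
    """Union of the actions of every account that belongs to the same user."""
    per_user = defaultdict(set)
    for (system, account), actions in ACCOUNT_ACTIONS.items():
        per_user[master_user_for(system, account)].update(actions)
    return dict(per_user)


def sod_violations(action_sets: dict) -> dict:
    """Subject -> sorted Risk IDs where the subject holds both sides of a risk."""
    found = {}
    for subject, actions in action_sets.items():
        hits = [rid for rid, (side_a, side_b) in RISKS.items()
                if actions & side_a and actions & side_b]
        if hits:
            found[subject] = sorted(hits)
    return found


def per_account_violations() -> dict:
    """Analysis without user mapping: each account is judged on its own."""
    return sod_violations({f"{system}:{account}": actions
                           for (system, account), actions in ACCOUNT_ACTIONS.items()})


def per_user_violations() -> dict:
    """Analysis with user mapping: accounts are aggregated per Master User ID."""
    return sod_violations(actions_per_user())


if __name__ == "__main__":
    print(per_account_violations())   # {'PRD200:ASMITH': ['P001']}
    print(per_user_violations())      # {'ASMITH': ['P001'], 'JDOE': ['P001']}
```

The per-account run reports only ASMITH; the per-user run also reports JDOE, whose conflict is split across PRD100 and PRD200. This is the gap a missing or stale mapping leaves open, which is why the text asks you to re-verify user mapping after changing the Master User Source.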

1.4.11 Custom User Groups: Custom user groups are definable groups that
associate user accounts, so they can be processed together. You can specify these
custom user groups as selection criteria when you perform user-level risk analysis.

1.4.12 Upload Objects:

Maintain authorization objects for each Compliance Calibrator connector (System). For SAP systems this is the SU24 / USOBT_C data.

When uploading objects, users can upload different object data for different physical systems or for one or more logical systems.

To ensure Compliance Calibrator is synchronized with the back end system, a periodic job should be scheduled to upload this information.

1.4.13 Rules Upload:

Rules are packaged in the software as text files. SOD Action and Permission level rules are provided for R/3, APO, ECCS, CRM and SRM. HR Basis rules are included in R/3 and are also available separately.

Rules should only be uploaded once for new installations. Users who are upgrading should not reload the rule set, as the uploaded rules will overwrite any customizing done by the customer.

1.4.14 Backend Sync: When you integrate SAP's Management of Internal Controls (MIC) application with Risk Analysis and Remediation, you must perform a back-end synchronization with MIC. Doing this transfers the mitigation and rule information from Risk Analysis and Remediation to the back-end ABAP stack where the MIC application resides.
o Mitigation Sync
o Rule Sync

1.4.15 Background Jobs: Use Background Jobs to schedule synchronization with back-end systems, batch risk analyses, generation of management reports, and generation of alerts. You can also use the DataMart background job to extract data to be accessed by custom reports.

Schedule Job: When you schedule a synchronization background job, you can synchronize in Full mode or Incremental mode.
o Full mode is the synchronization of all user, role, or profile information.
o Incremental mode updates only the information about the user, role, or profile that has changed since the last synchronization. Risk Analysis and Remediation tracks the execution date and time of all synchronization jobs. Therefore, when you want to synchronize in Incremental mode, Risk Analysis and Remediation knows when the last update occurred and synchronizes only the information that has changed.
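The mechanism behind Incremental mode is a stored last-run timestamp compared against each record's change timestamp in the back end. The following is an added example, not RAR's code: the back-end user records, role names and timestamps are constructed, and the choice to fall back to a full load when Incremental mode is requested before any run has been recorded is this example's assumption.

```python
# Added example (not RAR's code): Full versus Incremental synchronisation
# driven by the execution time of the previous job.
from datetime import datetime


def sample_backend() -> dict:
    """Constructed back-end user master: user ID -> [change timestamp, roles]."""
    return {
        "JDOE":   [datetime(2010, 12, 10, 9, 0),   ["Z_FI_AP"]],
        "ASMITH": [datetime(2010, 12, 20, 14, 30), ["Z_MM_PO"]],
        "RBROWN": [datetime(2010, 12, 28, 11, 15), ["Z_MM_PO"]],
    }


class UserSyncJob:
    def __init__(self, backend: dict):
        self.backend = backend     # the system being synchronised from
        self.local_copy = {}       # the copy held on the analysis side
        self.last_run = None       # execution time of the previous sync job

    def run(self, mode: str, now: datetime) -> list:
        """Load changed records and return the sorted list of user IDs loaded."""
        if mode not in ("full", "incremental"):
            raise ValueError(f"unknown mode {mode!r}")
        if mode == "full" or self.last_run is None:
            # Full mode, or an incremental request with no previous run to
            # compare against (assumption: load everything in that case)
            changed = dict(self.backend)
        else:
            # Incremental mode: only records changed after the last run.
            # Note the limit of this approach: a record deleted in the back end
            # has no newer timestamp and is therefore not noticed here, which is
            # one reason to keep a periodic Full run in the schedule.
            changed = {user: rec for user, rec in self.backend.items()
                       if rec[0] > self.last_run}
        for user, (_, roles) in changed.items():
            self.local_copy[user] = list(roles)
        self.last_run = now
        return sorted(changed)


def demo() -> list:
    """Run a sequence of jobs against constructed data and return what each
    run loaded: a Full run, two Incremental runs around a back-end change,
    and an Incremental run on a fresh job with no previous run recorded."""
    backend = sample_backend()
    job = UserSyncJob(backend)
    results = [job.run("full", datetime(2011, 1, 2, 8, 0))]
    results.append(job.run("incremental", datetime(2011, 1, 3, 8, 0)))
    # Constructed back-end change: RBROWN gets an additional role on 4 Jan
    backend["RBROWN"] = [datetime(2011, 1, 4, 11, 15), ["Z_MM_PO", "Z_FI_AP"]]
    results.append(job.run("incremental", datetime(2011, 1, 5, 8, 0)))
    results.append(job.run("incremental", datetime(2011, 1, 6, 8, 0)))
    fresh = UserSyncJob(sample_backend())
    results.append(fresh.run("incremental", datetime(2011, 1, 6, 9, 0)))
    return results


if __name__ == "__main__":
    for loaded in demo():
        print(loaded)
```

The second Incremental run after the change loads only RBROWN, and the run after that loads nothing, because the last-run time has moved past the change. The comment in the incremental branch records the caveat a practitioner should keep in mind: timestamp-based incremental loads do not see deletions.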

Alert Generation: When you generate an action log, the data is loaded to a local table in Risk Analysis and Remediation. You can generate alerts based on the following alert types:
o Conflicting Actions: This alert type is an action level analysis, where any violation generates an alert.
o Critical Actions: This alert type is an action level analysis, where any violation generates an alert.
o Control Monitoring: This alert type is a mitigation level analysis, which generates mitigation alerts.
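The three alert types operate on the same action log but answer different questions: did an unmitigated user execute both sides of a conflict, did anyone execute a critical action at all, and did a user covered by a mitigating control execute the conflict that control is supposed to monitor. The following is an added example, not RAR's code: the conflict rule P001, the critical action rule B001, the mitigating control MC_AP_01 with its monitor AP_MANAGER and the log lines are constructed, and routing a mitigated user's conflict to the control's monitor as a Control Monitoring alert is this example's interpretation of "mitigation level analysis".

```python
# Added example (not RAR's code): generating Conflicting Actions, Critical
# Actions and Control Monitoring alerts from an action log.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    alert_type: str   # "Conflicting Actions", "Critical Actions" or "Control Monitoring"
    user: str
    risk_id: str
    detail: str


# Constructed rule data; transaction codes serve as action names
CONFLICTING_ACTIONS = {"P001": ({"ME21N"}, {"MIRO"})}   # risk -> (function A, function B)
CRITICAL_ACTIONS = {"SU01": "B001"}                     # action -> critical-action risk
# Constructed mitigations: (user, risk) -> control ID, and control -> its monitor
MITIGATIONS = {("JDOE", "P001"): "MC_AP_01"}
CONTROL_MONITORS = {"MC_AP_01": "AP_MANAGER"}

# Constructed action log: (timestamp, system, user, action executed)
ACTION_LOG = [
    (datetime(2011, 1, 3, 9, 5),   "PRD100", "JDOE",   "ME21N"),
    (datetime(2011, 1, 3, 9, 40),  "PRD100", "JDOE",   "MIRO"),
    (datetime(2011, 1, 3, 10, 0),  "PRD100", "ASMITH", "ME21N"),
    (datetime(2011, 1, 3, 10, 30), "PRD100", "ASMITH", "MIRO"),
    (datetime(2011, 1, 3, 11, 0),  "PRD100", "RBROWN", "SU01"),
    (datetime(2011, 1, 3, 11, 5),  "PRD100", "RBROWN", "ME21N"),
]


def generate_alerts(log: list) -> list:
    """Critical-action alerts are raised per executed action; conflict alerts
    are raised per user once both sides of a risk appear in the log."""
    executed = defaultdict(set)
    alerts = []
    for _ts, _system, user, action in log:
        executed[user].add(action)
        if action in CRITICAL_ACTIONS:
            # Critical Actions: any execution of the action is a violation
            alerts.append(Alert("Critical Actions", user, CRITICAL_ACTIONS[action], action))
    for user in sorted(executed):
        actions = executed[user]
        for risk_id, (side_a, side_b) in CONFLICTING_ACTIONS.items():
            if not (actions & side_a and actions & side_b):
                continue   # only one side of the conflict was executed
            pair = "+".join(sorted((actions & side_a) | (actions & side_b)))
            control = MITIGATIONS.get((user, risk_id))
            if control is None:
                # Conflicting Actions: an unmitigated user executed both sides
                alerts.append(Alert("Conflicting Actions", user, risk_id, pair))
            else:
                # Control Monitoring: the conflict is mitigated, so the alert
                # goes to the control's monitor rather than being a violation
                monitor = CONTROL_MONITORS.get(control, "unassigned")
                alerts.append(Alert("Control Monitoring", user, risk_id,
                                    f"{pair} under {control}, notify {monitor}"))
    return alerts


def alert_summary(log: list) -> dict:
    """Alert type -> sorted user IDs, the shape a dashboard would show."""
    summary = defaultdict(set)
    for alert in generate_alerts(log):
        summary[alert.alert_type].add(alert.user)
    return {kind: sorted(users) for kind, users in summary.items()}


if __name__ == "__main__":
    for alert in generate_alerts(ACTION_LOG):
        print(alert)
```

On the constructed log RBROWN triggers a Critical Actions alert for SU01 but no conflict alert (only one side of P001 executed), ASMITH triggers a Conflicting Actions alert, and JDOE, who is mitigated for P001, triggers a Control Monitoring alert addressed to the control's monitor instead.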

1.4.16 Organization User Mapping: The Org. User mapping menu item allows you
to specify a system that contains organizational user data you want to add to or
synchronize within Compliance Calibrator.

To add or update user information within Compliance Calibrator:
o Choose Configuration > Org. User Mapping. From the System ID dropdown menu, choose the system that contains the user data you want updated within Compliance Calibrator.
o In the User field and the to field, enter a user range to update. To update all user information, click Search and enter the first listed user in the User field and enter the last listed user in the to field.
o To perform an ad hoc (one time) update, click Foreground. If the system contains a large volume of user data or if you want to synchronize Compliance Calibrator data periodically, click Background and schedule the intervals at which this update should occur.

1.4.17 Custom Tabs:

The Custom Tabs menu item enables you to add any URL, such as a custom-developed web page, as an additional tab to the left of the Compliance Calibrator Configuration tab. You can use this feature to add up to three URLs under three custom tabs.

Additional reports can be uploaded using Java archive files. You upload and activate those Java files using the Upload Informer Reports menu item. A complete installation of Java is not required to activate additional reports delivered by SAP.

1.4.18 SAP Adapter Servers:

The SAP Adapter is a continuously running interface between the Compliance Calibrator front end and the SAP back end system where the SAP adapter is defined.

The SAP Adapter provides real time analysis in the Risk Terminator. Whenever Risk Terminator is triggered in the SAP system, it will send data to the SAP Adapter for SOD risk analysis. The SAP Adapter will then send this data to Compliance Calibrator for analysis and then sends the results back to the Risk Terminator.

1.4.19 Utilities: The Utilities options include Export, Import, Purge Action Usage,
and Manage Deletion utilities.

Export Utility: You can export configuration information for Risk Analysis and Remediation that is defined in one system (source) to another system (destination).

Import Utility: The Import utility imports files exported from other Risk Analysis and Remediation instances. The data format of the exported file is used during the data import.

Purge Action Usage Utility: The Purge Action Usage utility archives records from time periods that are no longer of interest. This utility reduces the size of large databases or files. You specify the location where the system stores the file under Miscellaneous.

1.4.20 Configuration Change History: RAR tracks configuration changes. You can
use Configuration Change History to search for the change history for specific areas.
