GRC 10

Uploaded by RBC

GRC (Governance, Risk and Compliance)

GRC is an integrated, holistic approach to organization-wide governance, risk and compliance. It ensures that an organization acts ethically and in accordance with its internal policies and external regulations through the alignment of strategy, process, technology and people, thereby improving efficiency and effectiveness.

- Governance describes the overall management approach through which senior executives direct and control the entire organization. Governance activities ensure that the critical management information needed for decision making is available, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

- Risk management is the set of processes through which management identifies and analyzes risks and takes the necessary response to risks that might adversely affect business objectives.

- Compliance means conforming with stated requirements.


GRC 10 Features & Benefits

New Features

- Harmonizes Access Control with Risk Management & Process Control: offers shared processes, data, and user interface across the GRC suite.
- Unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.
- Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on the user or system selected.
- Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.
- Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.
- Improves compliant provisioning for customers already using IdM. Allows initiation of risk analysis and remediation from IdM, or enables use of IdM to provision compliant requests.

Key Benefits of implementing GRC 10

- Lowers TCO by eliminating redundancy in administration, configuration, setup, and end-user training.
- An enterprise GRC platform approach allows complete management of all risks and controls from a single environment.
- Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.
- Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.
- Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.
- Provides flexibility to ensure an enterprise-wide, compliant provisioning process.

Solution Enhancements in GRC 10

- AC, PC and RM solutions on a common ABAP platform with shared data model and interface.
- ABAP offers object-level security, transportability, Solution Manager, robust scheduling, archiving, audit log, and supportability.
- Enhanced mitigating controls stored in the control catalog.
- New support for a hierarchical compliance organization and enhanced risk analysis against this organization.
- New ability to schedule risk analysis from the PC automated rule framework.

Key Benefits of these new Enhancements:

- Single source for enterprise GRC
- Reduced total cost of ownership by leveraging existing resources and investments
- ABAP speeds maintenance with the standard OSS notes and support pack process
- Centrally consolidated controls and reduced access violations through a GRC-managed compliance structure
- Leverage key processes across the GRC suite


Enhanced Access Risk Analysis (RAR in GRC 5.3)

Enhances the leading access analysis engine with an intuitive interface that supports end-user customization and personalization. New bulk maintenance, automation, audit trail, and mitigation options enable a faster and more efficient path to compliance.

- New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria
- New ability to customize and personalize access risk results
- Enables Business Role and CUA composite role risk analysis
- New ability to mitigate by system and by access rule ID
- New support for mass mitigation, including assignment and maintenance with bulk updates
- New function maintenance workflow
- Additional data tracked in the Audit Trail

Key Benefits of this Access Risk Analysis

- More efficient, flexible access risk analysis options and improved ability to analyze results.
- Faster deployments and easier data maintenance over time.
- Reduce broad application of controls.
- Ability to repurpose workflows, including routing and escalation logic, by utilizing the standardized workflow engine.

Streamlined User Access Management (CUP in GRC 5.3)

Access Control standardizes on SAP Business Workflow technology and supports more flexible and tailored access request and approver views, simplifying the provisioning process.

- Standardized on SAP Business Workflow technology

Access request enhancements:

- New customizable access request forms
- New template-based access requests
- New position-based role assignment requests
- New end-user display of profile, access assignments and request history
- Enhanced search for roles, groups, and systems based on authorization
- New customizable approver views
- New multiple rule set support
- Enhanced periodic reviews for user access and access risks

Key Benefits of User Access Management (CUP in GRC 5.3)

- Business workflow reduces manual tasks and streamlines access request processing
- Leverage existing resources for workflow administration and configuration
- Faster and easier for users to request the roles they need.
- Utilize the existing HR structure for automated and compliant position-based role assignment
- Improved security and richer request context


Business Role Governance (ERM in GRC 5.3)

Access Control offers scalable and collaborative business role modeling, supporting both technical and business users. Supports the design of centralized, compliant roles through a robust role governance process.

- New centralized business role management with embedded access risk analysis
- Enhanced process for mapping technical access authorizations to business functions
- New role design and flexible role building workflows, including preventative simulations
- New ability to analyze role usage for optimal assignment and to keep role definitions up to date
- Improved role comparison to detect backend changes, providing role consistency, synchronization, and compliance

Key benefits of Business Role Governance

- Collaborative role governance process closes the loop between business and technical owners
- Enforces segregation of duties from the ground up by starting with clean role definitions
- Streamlines role definition and management
- Optimizes role definition and reduces role redundancy



Centralized Emergency Access (SPM in GRC 5.3)

Access Control centralizes firefighter access and administration, enhances provisioning and introduces automation to the log review process.

- Administrators centrally manage firefighter assignments, controllers, and other master data
- New options for group owners and controllers and improved provisioning.
- Firefighters centrally access their assignments
- New ability for firefighters to update the activity log with unplanned firefighting tasks
- Access specific log reports from the transaction report
- New workflow-driven firefighter log report
- New categorization of firefighter access signifies criticality and drives workflow logic

Key benefits of Centralized Emergency Access

- Simplified management and firefighting activities
- Reduces repetitive assignments, easing administration
- Improves log review efficiency by capturing previously undocumented activity
- Improves log report navigation
- Enables a documented account of the controller’s review



GRC AC 10 Installation

Prerequisites
• SPAM (Support Package Manager) 40 or higher
• SAP NetWeaver Application Server ABAP Components (NW702) SP06

Sizing Requirements
The following preliminary guideline can be used for test purposes:

Installation Steps
• Install SAP NetWeaver 7.0 EHP2 SP06 and then install the add-on GRCFND_A V1000.
• The NetWeaver Portal plug-in GRCPIEP needs to be installed in Access Control 10.0-only environments to enable risk analysis and provisioning using the portal.
• GRCPINW: plug-in for AC non-HR functions (formerly the AC 5.3 VIRSANH RTA), installed on satellite systems.
• GRCPIERP: plug-in for AC and PC HR functions (formerly the AC 5.3 VIRSAHR RTA), installed on satellite systems.

Related Notes (Example)
- 1490996 - Inst/Upgrade GRCFND_A V1000 on NW7.02 Enhancement Pack (information about installing SAP BusinessObjects AC/PC/RM 10)
- There are specific installation notes available in the installation guides depending on the releases.

Migration Process

Prerequisites
• Verify that SAP NetWeaver 702 SP6 or higher is running before migrating AC 5.3 data.
• Install the AC 10 plug-ins on all back-end systems.
• Verify that all applicable Business Configuration (BC) sets are activated for GRC 10.
• Verify that the specific default configuration parameters are maintained in GRC 10.
• Create all relevant GRC 10 users on the target system. Before migrating CUP and ERM data, manually
• Specify a dedicated data export/import directory accessible from both the AC 5.3 and AC 10.0 systems.
• Create the appropriate Organization Unit in the target system to import RAR application data.

Export of AC 5.3 Data

Export the relevant AC 5.3 SPM & RAR data (e.g. configuration, master, and transactional data), and then copy the exported data to the import folder/location.

Import of AC 5.3 Data

Using the GRC 10 Data Import application, import the common configuration data, RAR data (including Risk, Mitigation Control, Org Rule, and Business Unit data) & SPM data.

Complete the post-import tasks

Activating BC sets, generating rules, creating function modules, maintaining workflow settings.

Validation of GRC AC 10 data

This is a manual process: examine the corresponding application areas in the GRC AC 5.3 and GRC AC 10 systems to check data such as functions, permissions, risks and mitigating controls.
How to Log in to the GRC 10 System

Front End Components

- NetWeaver Portal

In GRC 10.0 the NetWeaver Portal can be used as an optional front end.

The Portal Content consists of one Portal Role and one iView, which shows the embedded NetWeaver Business Client (NWBC) view.

The minimum version required for the Portal is NW Portal 7.02 SP2.

- Embedded NWBC

The embedded NWBC works on AS ABAP 7.02.

It can also be called directly (without a Portal) through the transaction "nwbc" in the GRC 10.0 ABAP back end. Running this transaction takes you to the GRC 10 home page.

Note: The URL for the embedded NWBC is in the following format:
http://<AS ABAP>:500<Instance Number>/nwbc

- NWBC 3.0 - Standalone NWBC

Before installing the standalone NWBC 3.0, ensure the SAP GUI version is 7.20.

After the installation, add the connection to your local NWBC settings by selecting Personalize and Options from the menu.

These are the three ways to log in to the GRC system.

Comparison of Different Front Ends of GRC 10.0

Summary             | Portal                                                                                                     | Embedded NWBC                                        | Standalone NWBC
Installation        | The Portal Content consists of one Portal Role and one iView and needs to be installed on the AS Java side | Installed on the server side                         | Locally installed on a PC or laptop
Access              | GRC 10.0 can be accessed through the Portal                                                                | Can also be called directly by transaction code NWBC | Can only be accessed by the local application
Configuration       | Portal system connection needs to be configured                                                            | No extra configuration is necessary                  | Connection details need to be configured manually
Version requirement | Enterprise Portal 7.02 SP2 is needed                                                                       | The embedded NWBC works as of AS ABAP 7.02           | Needs at least SAP GUI 7.20

Work Centers in GRC 10

Work centers provide a central access point for GRC 10.0. They can be organized based on what the customer has been licensed to operate.

Delivered work centers are shown in the SAP NetWeaver Portal component, in the SAP NetWeaver Business Client (NWBC) software, and in a delivered NWBC alternative for AC-only customers.

My Home
The My Home work center allows you to:
- View, access, and perform workflow tasks assigned to you, including viewing completed reports that you scheduled.
- Perform document searches across all documents (including document content) for which you have authorization.
- Assign delegates to perform your tasks or activities.
- View and process your user data.

Master Data
Depending on the GRC products you have licensed, the Master Data work center contains the following sections:
- Organizations
- Regulations and Policies
- Objectives
- Activities and Processes
- Mitigating Controls
- Risks and Responses
- Accounts
- Consistency Checks
- Reports

Rule Setup
Depending on the GRC products you have licensed, the Rule Setup work center provides links to the following areas:
- Access Rule Maintenance
- Critical Access Rules
- Exception Access Rules
- Generated Rules
- Continuous Monitoring
- Scheduling
- Legacy Automated Monitoring
- Reports

Assessments
Depending on the GRC products you have licensed, the Assessments work center contains the following sections:
- Surveys
- Manual Test Plans
- Risk Assessments
- Incident Management
- Scenario Management
- Assessment Planning
- Reports

Access Management
Depending on the GRC products you have licensed, the Access Management work center has the following sections:
- GRC Role Assignments
- Access Risk Analysis
- Mitigated Access
- Access Requests Administration
- Role Management
- Role Mining
- Role Mass Maintenance
- Super User Assignment
- Super User Maintenance
- Access Request Creation
- Compliance Certification Reviews
- Alerts
- Scheduling

Reports and Analytics
Depending on the GRC products you have licensed, the Reports and Analytics work center has the following sections:
- Management
- Compliance
- Risks and Opportunities
- Access Management
- Incidents and Losses
- Print Reports
- BI Analytics

Note: What users see is based upon their authorizations.
Many configuration parameters need to be maintained for Access Control; Access Control works according to these parameters. They are maintained at:

SPRO > IMG > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings

Access Risk Analysis

Rule Setup tab: In this Rule Setup tab we can create rule sets, access risks and functions. We can maintain

Rule sets: Here we can find the rule sets available in the system, and we can create or compare rule sets.

/NNWBC > Rule Setup > Access Rule Maintenance > Rule Sets > Open/Create/Compare

Functions: This is used to create, open, copy or delete a function and to generate rules.

/NNWBC > Rule Setup > Access Rule Maintenance > Functions > Create/Open/Copy/Delete and Generate Rules

The screen below shows the detailed view of the function CR07, which belongs to the CRM area. The same screen shows the list of actions (transaction codes) contained in the function. The status of the actions can also be controlled from this screen.
By clicking on the Permission tab we can see the details of the associated authorization objects at permission level. The screen below shows the system details and the permission group at field level with its values.

Creation of a function:

We have to give the function name, business process, analysis scope and description.

We need to maintain the conflicting transactions for this function, and need to maintain the permission values for these transactions to run the risk analysis at permission level.
In GRC 10 there is a workflow for the creation and modification of a function. When we create a new function and click the Submit button, a mail is sent to the function approver; the function is created only after he approves.
Note: The Submit button is present when this workflow is configured; otherwise we find an Approve button.

This request is submitted to ADMIN01 for approval.

When he clicks on the request it takes him to the screen below.

When he approves, the new function is created.

We can check the change history of any function by clicking on Change History.
Access Risks:
With this we can search, create and delete risks.

/NNWBC > Rule Setup > Access Rule Maintenance > Access Risks > Open/Create/Delete

Risk ID: B001

The screen below shows the details of Risk ID B001: risk type, business process, risk level etc. It is composed of the functions BS02 and BS11. The change history can also be seen through this option.

We can also set the risk owners through an option.

Creating a new risk

After maintaining all the required values, click Submit.

If the workflow is activated, a mail is sent to the risk approver; the risk is created only after he approves.
The request is submitted to the Risk Owner (RISK_OWNER). Click on the request.

When the risk owner approves the risk, it is created.


Assign a Mitigating Control

1) Log into GRC 10 and navigate to the Access Management work center > Mitigated Users in the Mitigated Access section.

2) Select Assign, then populate the required information on the Details tab by using the search boxes for:
   Access Risk ID
   Control ID
   Monitor

3) Ensure that the validity date of the mitigation is set to expire correctly per internal policy/approval (365 days).
4) Navigate to the Systems table; by default, All Systems is in line 1. In the event that the risk is only applicable to one system, select the row (the row turns light orange), select the Remove button, then add the applicable systems.
5) Navigate to the Users table, select the Add button and use the search box to find the user that will be mitigated by the control. Bring in the user(s) and click the OK button.
6) Once the Details and user information have been filled in, select the Save button.

Generated Rules:
We can see all the generated access rules through this option.

Access Rule Summary:
This option provides the list of rules based on the selection criteria. The report can be run in foreground or background.
Below we have selected Risk ID P024 and rule set Global and run it in the foreground.

The result shows the details for business process PR00, functions MM06 and PR04, at risk level Medium in the E01CLNT100 system.

Access Rule Detail Report:

This option provides the list of rules based on the selection criteria. The report can be run in foreground or background.
Below we have selected Risk ID B002 and rule set Global and run it in the foreground.
The result not only shows the list of Risk IDs, Function IDs and Business Processes, but refines the result and shows the Actions and Permission Objects (with field values) as well.
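The sections on functions, access risks, mitigating controls and generated rules describe one data model: a function is a set of actions (transaction codes) with permission values, a risk is a combination of functions, rule generation expands a risk into one access rule per action combination, and a mitigating control assignment covers a user for a risk in given systems until its validity date. The following Python model, added here as an example and not taken from the document or from SAP's own implementation, shows how analysis at action level differs from analysis at permission level and how the 365-day validity and the Systems table scope affect whether a violation reports as mitigated. The IDs B001, BS02, BS11 and E01CLNT100 appear on the page; the transactions, authorization values, users and the rule-ID convention are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import product


@dataclass
class Function:
    fid: str
    # action (transaction code) -> {(authorization object, field): required values}
    # An action with an empty dict carries no permission-level check.
    actions: dict


@dataclass
class Risk:
    rid: str
    level: str
    functions: tuple


@dataclass(frozen=True)
class Mitigation:
    user: str
    rid: str
    control: str
    systems: frozenset   # {"ALL"} mirrors the default "All Systems" row of the Systems table
    valid_to: date


# Constructed rule set. B001, BS02 and BS11 are IDs from the page; the actions and
# authorization values attached to them here are sample data, not SAP's delivered content.
CATALOG = {
    "BS02": Function("BS02", {
        "FK01": {("F_LFA1_BUK", "ACTVT"): {"01"}},
        "FK02": {("F_LFA1_BUK", "ACTVT"): {"02"}},
    }),
    "BS11": Function("BS11", {
        "FB60": {("F_BKPF_BUK", "ACTVT"): {"01"}},
        "MIRO": {("M_RECH_WRK", "ACTVT"): {"01"}},
    }),
}
RISKS = [Risk("B001", "High", ("BS02", "BS11"))]


def generate_rules(risk, catalog=CATALOG):
    """Rule generation: one access rule per combination of one action from each
    function of the risk. Rule IDs use a constructed <risk><nn> convention."""
    per_function = [sorted(catalog[f].actions) for f in risk.functions]
    return [(f"{risk.rid}{n:02d}", combo)
            for n, combo in enumerate(product(*per_function), start=1)]


def match_action(access, action, required):
    """Return (action_match, permission_match). Action level only needs the
    transaction; permission level also needs a required value for every
    authorization object/field the function maintains for that action."""
    if action not in access["actions"]:
        return False, False
    perm_ok = bool(required) and all(access["perms"].get(key, set()) & vals
                                     for key, vals in required.items())
    return True, perm_ok


def is_mitigated(user, rid, system, mitigations, today):
    """A control covers the violation only if it names this user and risk,
    is still valid today, and covers this system (or All Systems)."""
    return any(m.user == user and m.rid == rid and today <= m.valid_to
               and ({"ALL", system} & m.systems)
               for m in mitigations)


def analyze(user, system, access, mitigations, today, risks=RISKS, catalog=CATALOG):
    """Risk analysis for one user in one system: every generated rule whose
    actions the user holds is a hit; a risk is reported at permission level
    if any hit also matches the permission values, else at action level."""
    findings = []
    for risk in risks:
        hits = []
        for rule_id, combo in generate_rules(risk, catalog):
            checks = [match_action(access, a, catalog[f].actions[a])
                      for f, a in zip(risk.functions, combo)]
            if all(act for act, _ in checks):
                hits.append((rule_id, all(perm for _, perm in checks)))
        if hits:
            findings.append({
                "user": user, "system": system, "risk": risk.rid, "level": risk.level,
                "rules": [r for r, _ in hits],
                "analysis": "permission" if any(p for _, p in hits) else "action",
                "mitigated": is_mitigated(user, risk.rid, system, mitigations, today),
            })
    return findings


# Constructed user access: JSMITH has both the transactions and the values,
# AKHAN has the transactions but only display authorization.
ACCESS = {
    "JSMITH": {"actions": {"FK01", "FB60", "SU53"},
               "perms": {("F_LFA1_BUK", "ACTVT"): {"01", "03"},
                         ("F_BKPF_BUK", "ACTVT"): {"01"}}},
    "AKHAN": {"actions": {"FK02", "MIRO"},
              "perms": {("F_LFA1_BUK", "ACTVT"): {"03"}}},
}
TODAY = date(2012, 6, 1)
# Mitigation assigned with the 365-day validity the page prescribes, all systems.
MITIGATIONS = [Mitigation("JSMITH", "B001", "MC_B001_01", frozenset({"ALL"}),
                          TODAY + timedelta(days=365))]

if __name__ == "__main__":
    for user, access in ACCESS.items():
        for finding in analyze(user, "E01CLNT100", access, MITIGATIONS, TODAY):
            print(finding)
```

The point to take from the model is that an action-level hit is a weaker signal than a permission-level hit (AKHAN can start FK02 but cannot change vendors with it), and that a mitigation silently stops covering a user once its validity date passes or when the Systems table was narrowed to a system other than the one analyzed; both are worth checking in the Mitigated Users list before trusting a clean report.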
Access Management Tab:
We can access all the Access Control components from this tab.

Access Control Owners:

Here we can assign owners for the following things:

/nnwbc > Access Management > GRC Role Assignment > Access Control Owners > Open/Copy/Create/Delete

Role Owners:

Here we can configure a user ID as a Condition Group ID and set it as role assignment and content approver.
Role Creation (Role Management)

When we create a new role, a dropdown list with all role types is shown. We select the type of role we are creating.

We have to give all the details of the role to be created and save.
After this we have to maintain authorizations, so we click on the Maintain Authorizations tab.

Clicking this takes you to the backend system.

Once you have entered the user ID and password, it takes you to the backend PFCG screen as shown below.
We have to mention the transactions to be included in this role.

If Risk Terminator is activated in your system, it shows the risks in the role as below. If you want to create this role with risks, you have to click on Continue Profile Generation.
It gives a warning message as below.

If you wish to continue, click Continue and just save the role without generating, then exit from that role.

Then click on Sync with PFCG; it asks you to enter the ticket number and remarks, then click OK.
After clicking OK it takes you to the screen below.
After running the risk analysis in the foreground it gives the following screen.
If you want to continue, click the Save and Continue button; it then takes you to the Derive Role screen below. If you want to create a derived role, mention the details here and click the Save and Continue button.

After this, initiate the approval request.

This request is submitted to the approver (ADMIN01).

A mail is sent to the user ADMIN01; when he checks his work inbox he finds this request.

We have to open this role to generate it.

Click on the Generate button.
When we submit, the role is not generated due to the violations.

We have to mitigate these risks; only then does it allow you to create the role in the backend system.

This request is submitted to the user MTGN_APPR for approval due to the workflow.

To approve this, the user MTGN_APPR logs in to the system and checks the Work Inbox tab.
The mitigating control is now created.

When we try to assign it, it is sent for approval to the mitigating control approver.

Once this is approved, the mitigating control is assigned to the risk.

After mitigating the risks, the role is created in the backend system.

Role Search: This option shows the role list in detail. We can see the role type, business process and current phase of the roles.
We can export role data as well.

Role Mass Maintenance

Role Import: This option enables importing ECC roles into the AC repository in a given format. We have selected a file saved on the desktop. We select the system details and role source and click on the Next button. The role data Excel file format is available through the option shown below.

Import file screen shot:

The screen below shows the option to select role data from the desktop.

The screen below shows the data being fetched.

We can run the job in the foreground or background as required.

Role Risk Analysis:

We can run risk analysis on multiple roles at one time. The screen below shows it.
A background job is scheduled.

The details of the job can be seen by looking into the job details.

Role Generation: This option enables generating roles in bulk. Select the roles to be generated; this schedules a background job.

Background job screen details:

Click on the View Results tab to see the details of the roles generated.
User Access Management

Access Control standardizes on SAP Business Workflow technology and supports more flexible and tailored access request and approver views, simplifying the provisioning process.

Access request enhancements:

- New customizable access request forms
- New template-based access requests
- New position-based role assignment requests
- New end-user display of profile, access assignments and request history
- Enhanced search for roles, groups, and systems based on authorization
- Customizable approver views
- Enhanced periodic reviews for user access and access risks
- Faster and easier for users to request the roles they need
- Improved security and richer request context

To enter UAM: /NNWBC > Access Management > Access Request Creation > Access Request.

It takes you to the following access request form.
Note: The fields in this access request form are customizable.

Note: Fields marked with * are mandatory, and the system needs to be selected first.
We have only one system; select it and click on the arrow.

We need to include a role; for this we select the system and role name and click to add that role.
We have to enter comments while submitting.

After entering the comments, click on the Submit button; the request is then created with one unique number.
As ADMIN07 is the approver, this request is submitted to this user.
The request is closed and, according to the workflow, the user is created in the backend system.

If we want the audit log for that request we need to

Access Request Administration:

Search Requests:
We can select the criteria through the screen below as required. The result shows the request types (New Account, Change Account, Lock User etc.). It also shows the request status, creator details, due date etc.

By clicking on the Audit Log button, we can see the stages a request has traversed along a path. The screen below shows that a role provisioning request has moved across the GRAC_MANAGER stage and is awaiting approval at the GRAC_ROLEOWNER stage.

Provisioning Logs:

This option shows us the provisioning details of the requests based on the selection criteria.
GRC CUP Workflow Configuration Steps

Go to transaction SPRO and navigate to GRC > Workflow for Access Control > Generate MSMP Process Versions as shown below.

Select each process version individually and generate in simulation mode.

The screen below shows the status of the process version as "Generated".

Now click on the Maintain MSMP Workflow tab.

The MSMP Workflow configuration screen appears as shown below.

The screen shows the various Process IDs delivered by SAP for which workflows can be generated.

The example below generates the Process ID "SAP_GRAC_ACCESS_REQUEST", which is used to create a workflow for user access provisioning.

Process Global Settings:

Click on the "SAP_GRAC_ACCESS_REQUEST" Process ID, click on the Display/Change button and then click "Next".

Maintain Rules:

The screen below shows the available rules in GRC 10. In GRC 5.3 this was known as the "Initiator".
We have used the initiator "GRAC_AR_INITIATOR" for now.
The various rules available are Initiator Rule, Agent Rule etc. We can also create our own customized rules using transaction BRFplus.
It generates a random number which can then be configured as shown below in the red marked box.

Rule Kinds:
• Initiator Rule – determines the path upon submission of the request
• Agents Rule – determines the recipients of a stage
• Routing Rule – determines a detour routing based upon an attribute of the request (for example, SoD Violations Exist, Training Verification, No Role Owner)
• Notification Variables Rule – determines the variable values at runtime used in the notification e-mails.

Rule Types:
• BRFplus Rule: a rule defined in the BRFplus application to fetch rule results, depending on conditions inside the rule.
• Function Module Based Rule: a function module is coded to output rule results.
• ABAP Class Based Rule: an ABAP class is coded to output rule results.
• BRFplus Flat Rule (Line-item by Line-item): a BRFplus rule which is defined for only one line item (the rule will be called once for each line item in the request). Also referred to as BRF+ Easy.

Maintain Agents:

We can use the custom agents available in GRC 10 or create agents which act as approvers. In GRC 5.3 the agents acted as CADs.
The screen below shows that by executing transaction GRFNMW_CONFIGURE we arrive at the GRC Process Type screen.

Click on the process type and the Maintain Approvers tab to create approvers as required.

The screen below shows the two approver IDs IBM_APPROVER & IBM_APPROVER1, with users ADMIN01 & ADMIN03, that have been created in the system.

Variables and Templates:

We can configure notification templates as shown in the screen below. That part is not used for now.

Maintain Paths:

By default SAP delivers "GRAC_DEFAULT_PATH", but we can create a path as shown below.
"ESCAPE_ROUTE" has been enabled in case the request does not find any approver or in case auto-provisioning fails.
The "NO_ROLE_OWNER" detour has been created for the case where the role to be assigned to a user does not have an owner defined.
The "SOD_VOIL" detour has been created for the case where the role to be assigned to a user has SoD conflicts and needs to be reviewed by a BA or senior manager.

The screen below shows the stages configured for GRAC_DEFAULT_PATH. The request flows to the manager initially, then to the role owner and finally to the security team as shown.
The screen below shows the configuration settings for the GRAC_ROLEOWNER stage, reached by clicking on the Modify button. Agents can be chosen by clicking on the Available Options button. We can enable/disable the routing settings as required.

By clicking on the Modify Task Settings tab we can set the approval options that apply when a request comes to a manager or approver at a particular stage. The screens below show the settings for the GRAC_MANAGER and GRAC_ROLEOWNER stages. Risk analysis is set to mandatory at the manager stage.
The rejection level is set to Request level and Role level at the manager and role owner stages respectively.

Maintain Route:

The default route is shown, but we need to configure the detour routes as shown below. The path ID shown has been created in the previous step. The values From Path ID and To Path ID also need to be set, so that the request can traverse as per the conditions met.

Finally we need to save and generate the workflow as shown in the screen below. The transport request option does not need to be selected for now.
GRC BRM Workflow Configuration Steps

Go to transaction SPRO and navigate to GRC > Workflow for Access Control > Generate MSMP Process Versions as shown below.

Select the SAP_GRAC_ROLE_APPR process version individually and generate it in simulation mode.
The generation logs are shown in the screen below.

The example below generates the Process ID "SAP_GRAC_ROLE_APPR", which is used to create the role approval workflow.

The screen below shows the initiator rule GRAC_ROLE_APPR_INITIATOR selected.

The approver agents used are shown in the screen below. The requests will be routed to the approver configured here.

The requests will be routed to the ADMIN01 ID, as is clear from the screen below.

We are not using templates/variables, so we skip this step.

We have used the default path, as shown in the screen below, with the stage GRAC_ROLE_APPROVER.

The task settings are shown below. The approver can also reroute the request in case of SoD conflicts or critical role approvals.
The rule ID used will be the default one.

We can generate the workflow as shown in the screen below.
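The CUP and BRM workflow sections above describe the same MSMP building blocks: an initiator rule chooses a path, each stage of the path resolves its approvers through an agent, routing rules evaluated after a stage can divert the request onto a detour path (here NO_ROLE_OWNER and SOD_VOIL), and ESCAPE_ROUTE catches a request for which no approver can be found. The simulator below is an added example, not MSMP's own code or API, and models those decisions in plain Python so that a configuration such as the one on the page can be walked through before generating it. The path, stage and agent IDs GRAC_DEFAULT_PATH, GRAC_MANAGER, GRAC_ROLEOWNER, NO_ROLE_OWNER, SOD_VOIL, ESCAPE_ROUTE, IBM_APPROVER and ADMIN01 come from the page; the manager and role-owner tables, the GRAC_SECURITY and BA_REVIEW agents, and the stage list of each detour path are constructed assumptions (the detour here replaces the remainder of the default path, which is a simplification).

```python
from dataclasses import dataclass


@dataclass
class Stage:
    stage_id: str
    agent: str                         # agent ID resolved via AGENTS below
    risk_analysis_mandatory: bool = False
    rejection_level: str = "REQUEST"   # "REQUEST" or "ROLE", as in Modify Task Settings


@dataclass
class Request:
    request_id: str
    requester: str
    roles: list
    sod_violations: bool               # result of the risk analysis on the request
    risk_analysis_done: bool = False


# Constructed master data: who manages whom, and which role has an owner.
MANAGER_OF = {"JSMITH": "MGR01"}
ROLE_OWNER = {"Z_AP_CLERK": "OWN_AP", "Z_AP_MANAGER": None}   # None = no owner defined
SECURITY_TEAM = {"SEC01", "SEC02"}

# Agent rules: each maps a request to the set of approver user IDs for a stage.
AGENTS = {
    "GRAC_MANAGER": lambda r: {MANAGER_OF[r.requester]} if r.requester in MANAGER_OF else set(),
    "GRAC_ROLEOWNER": lambda r: {ROLE_OWNER[x] for x in r.roles if ROLE_OWNER.get(x)},
    "GRAC_SECURITY": lambda r: set(SECURITY_TEAM),
    "IBM_APPROVER": lambda r: {"ADMIN01"},   # approver ID from the page
    "BA_REVIEW": lambda r: {"BA01"},         # constructed BA / senior manager reviewer
}

# Paths and their stages. Risk analysis is mandatory at the manager stage and the
# rejection level is Role at the role owner stage, as configured on the page.
PATHS = {
    "GRAC_DEFAULT_PATH": [Stage("GRAC_MANAGER", "GRAC_MANAGER", risk_analysis_mandatory=True),
                          Stage("GRAC_ROLEOWNER", "GRAC_ROLEOWNER", rejection_level="ROLE"),
                          Stage("GRAC_SECURITY", "GRAC_SECURITY")],
    "NO_ROLE_OWNER": [Stage("GRAC_SECURITY", "GRAC_SECURITY")],
    "SOD_VOIL": [Stage("BA_REVIEW", "BA_REVIEW"), Stage("GRAC_SECURITY", "GRAC_SECURITY")],
    "ESCAPE_ROUTE": [Stage("GRC_ADMIN", "IBM_APPROVER")],
}

# Maintain Route: (From Path, From Stage) -> To Path when the routing rule fires.
ROUTES = [
    {"from_path": "GRAC_DEFAULT_PATH", "from_stage": "GRAC_MANAGER",
     "rule": lambda r: r.sod_violations, "to_path": "SOD_VOIL"},
    {"from_path": "GRAC_DEFAULT_PATH", "from_stage": "GRAC_MANAGER",
     "rule": lambda r: any(ROLE_OWNER.get(x) is None for x in r.roles), "to_path": "NO_ROLE_OWNER"},
]


def initiator_rule(request):
    """Stand-in for GRAC_AR_INITIATOR: every request starts on the default path."""
    return "GRAC_DEFAULT_PATH"


def route(request, max_hops=10):
    """Walk the request through its path and return the (path, stage, approvers)
    triples it visits. A stage with no resolvable approver sends the request to
    ESCAPE_ROUTE; the first matching routing rule after a stage takes a detour."""
    trail, path, i = [], initiator_rule(request), 0
    while i < len(PATHS[path]) and len(trail) < max_hops:
        stage = PATHS[path][i]
        approvers = AGENTS[stage.agent](request)
        if not approvers and path != "ESCAPE_ROUTE":
            path, i = "ESCAPE_ROUTE", 0
            continue
        if stage.risk_analysis_mandatory and not request.risk_analysis_done:
            request.risk_analysis_done = True   # the approver cannot approve before running it
        trail.append((path, stage.stage_id, frozenset(approvers)))
        detour = next((rt["to_path"] for rt in ROUTES
                       if rt["from_path"] == path and rt["from_stage"] == stage.stage_id
                       and rt["rule"](request)), None)
        if detour:
            path, i = detour, 0
        else:
            i += 1
    return trail


if __name__ == "__main__":
    for req in (Request("AR001", "JSMITH", ["Z_AP_CLERK"], False),
                Request("AR002", "JSMITH", ["Z_AP_CLERK"], True),
                Request("AR003", "JSMITH", ["Z_AP_MANAGER"], False),
                Request("AR004", "NOBODY", ["Z_AP_CLERK"], False)):
        print(req.request_id, route(req))
```

Running the four constructed requests shows the behaviours the page configures: a clean request passes manager, role owner and security; a request with SoD violations leaves the default path after the manager stage for BA review; a role with no owner skips straight to the security stage instead of stalling; and a requester with no manager lands on ESCAPE_ROUTE with ADMIN01, which is the case to watch in a real system, since an escape route that resolves to a single administrator can become the de facto approver of everything that is misconfigured upstream.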


Centralized Emergency Access

The purpose of Emergency Access Management is to allow users to take responsibility


for tasks outside their normal job function. This component allows temporary access for
users when assigned with solving a problem, giving them provisionally broad, but
regulated access.
This temporary access is monitored and recorded in the application

New in 10.0
Access Control 10.0 has been enhanced in the area of Emergency Access Management
with the ability to manage and utilize firefighting activities centrally from the Access
Control 10.0 application.
Also the log file can be distributed to controllers and owner via workflow for additional
approval.

The following concepts have not changed since the previous release and are mentioned
here for completeness:

Firefighter: user requiring emergency access

FirefighterID: user ID with elevated privileges; it can only be accessed in the GRC
server using transaction GRAC_SPM.

Firefighting: the act of using a firefighterID

Owner: user responsible for a firefighterID and the assignment of controllers and
firefighters.

Controller: reviews and approves (if necessary) the log files generated by a firefighter.

Firefighter Application Types

ID Based Firefighter: The firefighterID created in the remote system will be assigned to
the user in the GRC system, either manually or via an access request. The firefighter
accesses their assigned firefighterID in the GRC server using the SAP GUI and
transaction GRAC_SPM. The firefighterID for all remote systems assigned to the
firefighter will be accessed from this transaction.

Role Based Firefighter: The firefighter roles created in the remote system will be
assigned to the user in the GRC server. The firefighter directly logs into the remote
system using their user ID and performs activities which are provided in the user’s role
and firefighter role assigned to the user.

Creating users and assigning roles

Customer roles need to be created based on their authorizations.

In the AC system                 Role
Firefighter user                 SAP_GRAC_SUPER_USER_MGMT_USER
Firefighter controller           SAP_GRAC_SUPER_USER_MGMT_CNTLR
Firefighter owner                SAP_GRAC_SUPER_USER_MGMT_OWNER

In the target system             Role
Firefighter ID                   SAP_GRAC_SPM_FFID (configured in parameter 4010)

Reminder: end users will also require the roles based on SAP_GRC_FN_BASE and
SAP_GRC_FN_BUSINESS_USER.

The following steps are required to configure a firefighter ID:

Maintain Access Control Owners
Assign an Owner to a Firefighter ID
Assign a Firefighter ID to Controllers and Firefighters
Create the Reason Codes

After these steps are completed, the firefighter is ready to start a firefighter session from the
GRC server.

Maintain the Owners

Assign Owners to FirefighterIDs:


Superuser assignment link, firefighter table

Super User Maintenance tab, firefighter table showing the FFID to firefighter user relation

Super User Maintenance tab, controller table showing the FFID to controller user relation

Assign a FirefighterID to Controllers and Firefighters


Create Reason Codes:

Whenever a firefighter starts a firefighter session, a reason code needs to be specified
and maintained. A reason code can be created and assigned to multiple remote systems.
This reduces the amount of duplicated administration across systems.
Frequency of usage is tracked by reason code and by system. In the Reason Code list, you
will see the total usage of the reason code across all systems to which it is assigned.

Logging into SPM using SAP GUI

Use transaction GRAC_SPM to log in to SPM.

Update Reason Code

It will take you to the E01 system with the FFID logon, and the status will change to red.

While a firefighter session is open, the status of the firefighter ID will turn red.
A firefighter can click Additional Activity at any time to enter more information.
If a firefighter ID is in use by another firefighter, then a notification can be sent to the other
firefighter by clicking Message.
Unlock can be used to unlock the firefighter ID in the event it is locked.

Reporting

The reports can be accessed using the NWBC or the Portal and are located under
Reports and Analytics, Superuser Management Reports.

Consolidated Log Report: This report provides information based on the following logs
from the remote system:
  Transaction Log: Captures transaction execution from transaction STAD.
  Change Log: Captures change documents from the change document objects (tables
  CDPOS and CDHDR).
  System Log: Captures Debug & Replace information from transaction SM21.
  Security Audit Log: Captures the Security Audit Log from transaction SM20.
  OS Command Log: Captures changes to OS commands from transaction SM49.

Invalid Superuser Report: This report gives the details of all the users (firefighter,
controller, owner, firefighter ID) who are expired, locked or deleted. In the case of Role
Based Firefighter, it gives the details of whether the role has been generated or not.

Firefighter Log Summary: Provides details of the session the firefighter logged into the
remote system using the FFID for the ID based FF Application.

Reason Code and Activity Report: This Report provides the details of information of
Reason and Activity used by the firefighter.

SOD Conflict Report for Firefighter ID: This report lists the cases where a firefighter logged
in to the remote system using the FFID and performed transactions that violate access risk
rules.

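The Consolidated Log Report above, and the reason-code usage tracking described under Create Reason Codes, both reduce to the same job: attribute every remote-system log entry to the firefighter session (FFID, system, time window) it belongs to, and count how often each reason code was used. The following is an added Python illustration of that correlation on constructed data; it is not SAP's report code, and the session records, log entries, user IDs and system IDs (E01 is the only one taken from the page) are all made up for the example. The log sources are named after the transactions the page lists (STAD, CDHDR/CDPOS, SM21, SM20, SM49).

```python
"""Added example: consolidate firefighter-session evidence from several remote
log sources into one per-session report, flag entries a controller should read
first, and count reason-code usage per system. Constructed data; not SAP code."""
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed firefighter sessions as recorded in the GRC system.
SESSIONS = [
    {"session_id": "S1", "ffid": "FF_BASIS01", "firefighter": "JDOE", "system": "E01",
     "reason_code": "RC_INCIDENT", "start": "2024-03-01 09:00:00", "end": "2024-03-01 10:00:00"},
    {"session_id": "S2", "ffid": "FF_BASIS01", "firefighter": "ASMITH", "system": "E01",
     "reason_code": "RC_INCIDENT", "start": "2024-03-02 14:00:00", "end": "2024-03-02 14:30:00"},
    {"session_id": "S3", "ffid": "FF_FIN01", "firefighter": "JDOE", "system": "P01",
     "reason_code": "RC_MONTH_END", "start": "2024-03-03 08:00:00", "end": "2024-03-03 09:00:00"},
]

# Constructed remote-system entries, keyed by the FFID that performed the action.
# Tuple layout: (source, system, user, timestamp, detail).
REMOTE_LOGS = [
    ("STAD", "E01", "FF_BASIS01", "2024-03-01 09:05:10", "SM37"),
    ("STAD", "E01", "FF_BASIS01", "2024-03-01 09:20:00", "SE38"),
    ("CDHDR", "E01", "FF_BASIS01", "2024-03-01 09:21:30", "change document on job definition"),
    ("SM21", "E01", "FF_BASIS01", "2024-03-01 09:25:00", "Debug/Replace"),
    ("SM20", "E01", "FF_BASIS01", "2024-03-01 09:50:00", "AU3 transaction start"),
    ("STAD", "E01", "FF_BASIS01", "2024-03-01 11:15:00", "SU01"),   # FFID used outside any session
    ("SM49", "P01", "FF_FIN01", "2024-03-03 08:10:00", "OS command changed"),
    ("STAD", "P01", "FF_FIN01", "2024-03-03 08:30:00", "FB01"),
]


def consolidated_log(sessions, logs):
    """Attach each log entry to the session whose FFID, system and time window
    cover it. Entries that match no session are returned separately: an FFID
    acting outside a recorded session is the first thing a controller should chase."""
    report = {s["session_id"]: {"session": s, "entries": [], "flags": []} for s in sessions}
    unattributed = []
    for source, system, user, ts, detail in logs:
        t = datetime.strptime(ts, FMT)
        match = None
        for s in sessions:
            in_window = datetime.strptime(s["start"], FMT) <= t <= datetime.strptime(s["end"], FMT)
            if s["ffid"] == user and s["system"] == system and in_window:
                match = s
                break
        if match is None:
            unattributed.append((source, system, user, ts, detail))
            continue
        report[match["session_id"]]["entries"].append((source, ts, detail))
        # Debug/Replace from SM21 and OS command changes from SM49 get reviewed first.
        if (source == "SM21" and "Debug/Replace" in detail) or source == "SM49":
            report[match["session_id"]]["flags"].append(f"{source}: {detail}")
    return report, unattributed


def reason_code_usage(sessions):
    """Usage per (reason code, system), plus the total across all systems
    as shown in the Reason Code list."""
    per_system = Counter((s["reason_code"], s["system"]) for s in sessions)
    total = Counter(s["reason_code"] for s in sessions)
    return per_system, total
```

Run `consolidated_log(SESSIONS, REMOTE_LOGS)` and the constructed SU01 entry at 11:15 comes back unattributed: the FFID was active with no open session, which no per-session log view would surface on its own.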
Risk Terminator

We can activate Risk Terminator in Access Control by activating the parameters in the
Access Control configuration, as shown in the screen below.

Once this is activated, if you try to assign any conflicting roles to a user or to add any
conflicting transaction to a role, it throws a warning message and prevents that action.

When I tried to create a role with the transactions SU01 and PFCG, Risk Terminator did the risk
analysis and showed the risks as below.

When we try to generate the role, it prompts us as shown below.

In this way Risk Terminator keeps our system clean while we are doing role
assignment and role creation.
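The check Risk Terminator runs at role generation and user assignment, and the check behind the SOD Conflict Report for Firefighter ID in the Reporting section, are the same access-risk analysis applied to different inputs: the transactions in a role, the union of a user's roles, or the transactions a firefighter actually executed. The following is an added Python sketch of that analysis; it is not SAP's rule engine or the delivered rule set. The functions, risk IDs, role names and severity levels are constructed, with B001 built so that SU01 together with PFCG fires, matching the result described above.

```python
"""Added example: simplified access-risk analysis of the kind Risk Terminator
runs at role build and user assignment, reused for a firefighter session's
executed transactions. Constructed rule set; not SAP's GRAC rules or engine."""

# A function is a set of transactions that enable one business capability.
FUNCTIONS = {
    "BS01_USER_MAINT": {"SU01", "SU10"},
    "BS02_ROLE_MAINT": {"PFCG", "SU24"},
    "FI01_POST_DOC": {"FB01", "FB50"},
    "FI02_MAINT_VENDOR": {"FK01", "XK01"},
}
# A risk fires when one role, user or session covers every function it lists.
RISKS = {
    "B001": ("Create user and assign authorizations", ["BS01_USER_MAINT", "BS02_ROLE_MAINT"], "High"),
    "F001": ("Maintain vendor and post invoice", ["FI02_MAINT_VENDOR", "FI01_POST_DOC"], "High"),
}


def analyze(transactions):
    """Return [(risk_id, description, level, matched_tcodes)] for a set of tcodes."""
    tset = set(transactions)
    hits = []
    for rid, (desc, funcs, level) in RISKS.items():
        matched = [tset & FUNCTIONS[f] for f in funcs]
        if all(matched):                      # every function of the risk is reachable
            hits.append((rid, desc, level, sorted(set().union(*matched))))
    return hits


def check_role_build(role_tcodes, block_levels=("High",)):
    """Risk Terminator at role generation: report risks and refuse generation
    when any of them is at a blocking level."""
    hits = analyze(role_tcodes)
    blocking = [h for h in hits if h[2] in block_levels]
    return {"risks": hits, "allow_generate": not blocking}


def check_user_assignment(user_roles, new_role, role_catalog):
    """Risk Terminator at user assignment: analyze the user's combined access,
    so a role that is clean on its own is still refused if it conflicts with
    roles the user already holds."""
    before = set().union(*(role_catalog[r] for r in user_roles)) if user_roles else set()
    after = before | role_catalog[new_role]
    existing = analyze(before)
    new_hits = [h for h in analyze(after) if h not in existing]
    return {"new_risks": new_hits, "allow_assign": not new_hits}


def firefighter_sod_report(session_tcodes):
    """SOD Conflict Report for a firefighter ID: the same rules applied to what
    was executed in the session rather than to what was assigned."""
    return analyze(session_tcodes)
```

The assignment check compares the risk list before and after the new role, which is what makes the user-level check different from the role-level one: two individually clean roles can still combine into a conflict.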
