Alternatives to SAP GRC Tool to monitor compliance & automatic provisioning

Hello Gurus,
Not sure if this would be the right forum to ask this but surely there exist tools in the market which are viable alternatives to the SAP GRC Tool. We are a large semiconductor firm and currently manage role assignments, user provisioning and auditing manually. It is a huge cost overhead and is labor intensive.
Looking at possible alternatives?
SAP GRC Tool is a strong contender but I am trying to weigh in other options with it and their comparisons.
To your minds, what would be the biggest advantage of implementing GRC versus any other third party tool? What is the distinctive edge it provides? This is also to help me build a strong business for pushing GRC to the management.
Appreciate any thoughts/ideas/suggestions, at the earliest!! Much appreciated.
-Tan
Edited by: Tania Nijhawan on Jul 21, 2011 2:19 AM

Hi Tania,
GRC is a convenient grouping of solutions that have been developed and acquired over time. There are pros and cons in every application and no one can say that SAP GRC is 100% best and incomparable with any other compliance product in the market.
But, I can strongly say that GRC gels well with all the SAP flavours such as ECC and BI, and it is easy to implement, incorporate, and manage.
With the introduction of GRC 10, SAP is looking at more features and easy-to-manage compliance solutions. I bet you can't get an A to B product comparison anywhere. I would rather suggest you look at the top ten features and advantages in different products in terms of deployment, adaptability, user-friendliness etc., and opt for the right one.
Regards,
Raghu

Similar Messages

  • Person who has done the SAP GRC Tool Setup

    Hi Experts,
    Hope you are doing well.
    I need help with SAP GRC.
    I need to do the lab setup of the SAP GRC tool in our company. To do that, what setup do we require (software and hardware)? It would help me if you could provide the details.
    As of now I have installed IDES ECC6 (Hardware: win 2003, 2 GB RAM, 250 GB hard disk) in the company lab.
    Query:
    1. What software and server do I need to set up to work on SAP GRC in the lab?
    2. What add-on software do we need for the SAP GRC Tool (in detail)?
    3. Can I get SAP GRC (trial version) and patches (in detail)? I also have an OSS ID to download from the SAP site.
    Thanks for your Support
    Regards
    keshava

    1. What software and server do I need to set up to work on SAP GRC in the lab? You need at the bare minimum a system running NetWeaver AS 7.0 JAVA with SP12. You could run it on the same system as your ECC installation, but I would not recommend this in a production environment due to performance overheads.
    2. What add-on software do we need for the SAP GRC Tool (in detail)? In addition to your NWAS 7.0 JAVA server, you'll just need the installation files downloaded through Service Marketplace, and to follow the configuration guide from the same place.
    3. Can I get SAP GRC (trial version) and patches (in detail)? I don't believe you can get a trial version of GRC AC 5.3, but you might consult your SAP rep to make sure.

  • Upload of SU24 Auth. objects in SAP GRC AC 5.3

    Hello,
    We are in process of SAP GRC AC 5.3 implementation, and our SAP System is not updated to SU24 (Authorization objects), in which USOBT_C is populated.
    In GRC AC 5.3 Pre-implementation checklist, it is mentioned about the above, being necessary.
    If the SAP System is not updated to SU24, then what is the other way, to upload authorization objects in RAR Post-Install Steps, after we have already completed SAP GRC Tools ( all the SCA files) install and backend RTA installation?
    Thanks!

    Hi,
    1. Create file (automated via batch job) from SU24 (report /VIRSA/ZCC_DOWNLOAD_SAPOBJ)
    ==> SA38 --> Background --> create a variant where you fill out the value for the server + filename (no extension needed for filename) --> schedule periodically
    2. convert to UTF-8 format (how can this be automated?)
    --> not necessary ; in my system it is UTF-8 by default
    3. upload periodically into RAR via background job (from AIX based file system !)
    --> configuration tab --> upload objects --> permission --> choose system --> leave local file blank and fill out server location (drive letter) --> click background and schedule the job daily. This is not a heavy job, therefore daily.
    Sam Szafranski
    Senior Consultant
    axl & trax
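
The encoding step raised in this thread (step 2, making sure the SU24 export is UTF-8 before the RAR background upload reads it), as an added example that is not part of the original posts. The file paths and the ISO-8859-1 fallback encoding are assumptions; only the standard `iconv`, `cp` and `mv` utilities are used.

```shell
#!/bin/sh
# Added example: normalise an SU24 object export to UTF-8 before the
# scheduled RAR "upload objects" job picks it up from the server path.
# Assumptions (not from the thread): the paths passed in, and ISO-8859-1
# as the source encoding when the file is not already valid UTF-8.

# is_utf8 FILE -> exit status 0 if FILE decodes cleanly as UTF-8
is_utf8() {
    iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1
}

# ensure_utf8 SRC DST [FALLBACK_ENCODING]
# Publishes DST only if a valid UTF-8 file could be produced, so a
# truncated or mis-encoded export never reaches the upload job.
ensure_utf8() {
    src=$1
    dst=$2
    fallback=${3:-ISO-8859-1}

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # An empty export usually means the download job failed upstream.
    [ -s "$src" ] || { echo "$src is empty, not publishing" >&2; return 3; }

    tmp="$dst.tmp.$$"
    if is_utf8 "$src"; then
        # Already UTF-8 (the case reported in the thread): copy unchanged.
        cp "$src" "$tmp" || return 4
    else
        iconv -f "$fallback" -t UTF-8 "$src" >"$tmp" || { rm -f "$tmp"; return 4; }
    fi

    # Verify the result before it becomes visible under the final name.
    is_utf8 "$tmp" || { rm -f "$tmp"; return 5; }

    # Rename within the same directory so the upload job never reads a
    # half-written file.
    mv "$tmp" "$dst"
}

# Stand-alone use: sh ensure_utf8.sh /path/export /path/export.utf8 [encoding]
if [ "$#" -ge 2 ]; then
    ensure_utf8 "$@"
fi
```

A non-zero exit status from the function can be used to skip that day's upload and raise an alert instead of loading a damaged object file into risk analysis.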

  • SAP Standard Tools for compliance

    Hello,
    I heard that SAP has standard tools available for compliance, i.e. AIS, MIC, etc. They are smaller in scope than GRC. Could someone help show me where I can find them in my SAP v4.6c system?
    Many thanks.
    Charles
    PS: I intend to post this in the GRC forum as well.

    > PS: I intend to post this in the GRC forum as well.
    Officially, that would be non-compliant with the SoX "rules of engagement" of this site.
    However I can understand special cases where it is useful to go beyond forum boundaries and have made a suggestion for a feature to mirror threads to other related forums. However that is on a long and prioritized list of suggestions.
    Back to your question: If you start transaction SECR then a 46C system will tell you more about the AIS. Also see report RSUSR009 (and the newer one RSUSR008_009_NEW). Tcode AUT10 might also be of interest.
    To my knowledge there is nothing in the standard 46C system which "brings it all together" like GRC intends to.
    Cheers,
    Julius

  • SAP GRC Access Control - Compliance Calibrator - License Cost

    Dear all,
    I have some questions on Compliance Calibrator implementation.
    1. Do  we have to pay additional cost for the license to implement Compliance Calibrator?
    2. Since SAP GRC 5.3 is just released, which one do you recommend? SAP GRC 5.2 or 5.3?
    3. What would be the major difference between Compliance Calibrator in GRC 5.2 and 5.3?
    Best regards,
    Rolando

    Hi Rolando-
    1. Yes, there is some license cost, and the amount should not be as much as taking an SAP R/3 license. I am not sure of the exact amount but it's nominal as compared to other SAP products.
    2. SAP always recommends the latest version available, and why would one not go for the latest version if you are paying something for that?
    Also, it depends on your existing R/3 version and its compatibility. In the short run, you can choose per your existing versions, but in the long run everyone has to move to the latest version. Say for example whoever is using SAP R/3 technology with whatever version, they all need to upgrade to ECC6.0 by 2011 with extension up to 2013. I am not sure of any such information about GRC AC though.
    3. Some enhancements have been made with CC 5.3. Those features include:
    1. Risk analysis for SAP Enterprise Portal and UME
    2. BI integration for custom reporting
    3. Reporting enhancement features include additional auditor, business manager and IT reports
    4. SOD management by exception. Can be integrated with workflow.
    5. Import/Export of configuration data
    6. Migration scripts
    7. Download and print capability on every report.
    Some performance improvements-
    1. Concurrent risk analysis.
    2. Batch mode risk analysis
    3. Improved memory management etc.
    Hope it gives you now some more visibility.
    Cheers!
    Ashok

  • SAP GRC 5.3 - Do I need to install all tools initially

    Hi,
    I am looking into installing SAP GRC 5.3. At the moment we only want to use Risk Analysis and Remediation (RAR), Superuser Privilege Manager (SPM) and Risk Terminator. However we may want to implement CUP and ERM at a later stage as part of a separate project. I am looking for some advice on how we should approach the install. Should we install all components initially or can they be easily installed and configured at a later stage?
    Thanks,
    Gary

    Hi Gary,
    SAP GRC Access Control comes with all four components: RAR, CUP, ERM & SPM. According to your organization's needs you may configure the components which you want initially. Later on you may plan to configure other components.
    > I am looking for some advice on how we should approach the install. Should we install all components initially or can they be easily installed and configured at a later stage?
    It's recommended by SAP to deploy all four components.
    Regards,
    Mohit

  • SAP GRC 10.0 on ECC

    Hi Guys,
    We are planning on implementing SAP GRC 10.0. Our Basis guy has suggested that we can use the ECC (EHP 6) box for installing the add-on (GRCFND_A) component for it. The reason for this is to avoid adding another system to the landscape and to reduce the cost of implementation.
    Are there any known issues using this approach?
    Thanks in advance,
    Silver

    Hi
    the GRC project is totally IT driven.
    I get why you are having to drive this - especially when you have to respond to audit requirements and your focus is on support processes.
    However, GRC is all about business risk management - Governance, Risk and Compliance (well, internal controls). The GRC System is just the tool to manage this. Without business buy-in how is this going to be successful? Who will review business processes to determine what a risk is? Who in a senior leadership position will determine what risks are acceptable? Who will determine appropriate controls, report on them, and more importantly enforce them? Who in a leadership position will champion the project and support why a user must work a certain way (including access removed from them)?
    I get that you are focussing on a POC and trying to minimise cost but what happens post POC? I've given recommendations where I've said don't put in GRC until you sort your process and culture. I've done this as much as the inner techy in me knows I won't get to play with a new toy because without all the business buy-in you will have a system built and deployed that gives you a false sense of security when it comes to managing access controls.
    Another way to look at the SP issues - what happens if it's on ECC and the functional team (aka the business representatives) demand an SP increase for their functionality? They proceed to increase SP and now your functionality stops working.. which then impacts the business as you can't process their access requests and give them timely access to the system (assume this is your business case). Are your basis team going to tell the business that they can't have the SP stack increase because IT needs the system on a certain level and they need to wait until next time it's compatible?
    Good luck with your POC. I understand it will allow you to use the tool and check what will work for the business. If you are still undecided on system landscape post POC, take care in having that decision made for you. As you go down the POC path and time runs out the project may move from POC to design/build and now that it's working there will be reluctance to move it to a separate system.
    Regards
    Colleen

  • SAP GRC AC10 Common Practices on Mitigation Control

    Hi all,
    Currently, our company is implementing the GRC tool globally and we are required to set up mitigation controls. I would like to get some ideas about what structures are used in various companies. And do those mitigation controls align with the internal audit practices?
    We have an initial idea of setting up templates for those mitigation controls, but should these be applied to all companies? And if we set it up in this way, do we still need to identify any approver and monitor in the local organization?
    And the mitigation controls should be owned by global organization or compliance department or local organization?
    Please help.
    Thx!

    Hi "GRC_SAP_AUDIT"
    I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
    You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
    With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
    Hope this helps. If you wish to add any further detail, I'm sure the forum members are happy to help.

  • SAP GRC NF-e 10.0 - Problem during Upgrade (message /XNFE/APP 011)

    Good afternoon everyone!
    We performed the "Upgrade" of SAP GRC NF-e from version 1.0 to version 10.0 (SLL-NFE 900, level 0008) and we are dealing with a problem in a PI XML message.
    In transaction SXMB_MONI, the monitor for processed messages, when filtering for messages with SELSTAT = 017 Application Error - Manual Restart Possible, we find problems in messages of the following type:
    Sender: BATCH_BatchProcess_006
    Receiver: CLNT100TND (Client 100 of System TND)
    Receiver Interface Namespace: http://sap.com/xi/NFE/006
    Receiver Interface: BATCH_nfeRecepcaoLoteResponse_IB
    For these, when I go to the message detail and select "Call Inbound Proxy" (with red status), under "Payloads", I see the error "Não existe ID de lote  000000000000000".
    From what I saw in table T100, the message refers to code /XNFE/APP, number 011.
    Why might this error be happening? Has anyone experienced this situation before?
    P.S.: I have already opened a ticket with SAP and they forwarded the problem to SAP Germany...
    Thanks,
    Daniel

    Good morning Fernando (good to find you here too :-)!
    So, Denny from SAP Germany got back to me saying that we have to install the XI Content SLL-NFE 10.0 and create the NF-e scenarios again.
    I am getting in touch with our Basis person, who is in Lima, to see whether he can install this component, so that I can create the NF-e scenarios again (extension _900).
    After recreating the scenarios, will I be able to resend the test NF-e documents, or will I have to reverse the documents and run the processes again?
    Thanks for the help!
    Regards,
    Daniel

  • Can SAP GRC AC 5.3 connect without any problem with SAP R/3 4.7 Enterprise?

    hello,
    I went to the PAM in the SAP Marketplace to see if SAP GRC AC 5.3 could connect to SAP R/3 4.7 Enterprise but I can't see all the "Add-On Product Version for...", it's cut off.
    Can SAP GRC AC 5.3 connect without any problem with SAP R/3 4.7 Enterprise?
    If I can't is there any proof about it? I have to show it to a client.
    Best Regards,
    Pablo Mortera,

    Pablo,
    GRC AC 5.3 works perfectly fine with SAP's R/3 4.6c, mySAP ERP 4.7 and ECC systems. In fact we have two 4.7 Enterprise systems connected to GRC AC 5.3 system.
    You can get the details of supported SAP ERP systems under prerequisite section of Info page of GRC AC 5.3 , it can be accessed on marketplace at -
    Downloads-->Installations and Upgrades - Entry by Application Group > SAP Solutions for Governance, Risk, and Compliance>SAP GRC Access Control>SAP GRC ACCESS CONTROL>SAP GRC ACCESS CONTROL 5.3
    Just ensure to have proper BASIS and ABAP support pack level as mentioned in prerequisites.
    Regards,
    Amol

  • Mitigation in SAP GRC AC

    Hi all,
    Two questions regarding mitigation in SAP GRC AC:
    1)
    Reading through the forum, we have seen that if the monitor does not execute the report (action) within the frequency set, an alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or do they need to be triggered by executing alert generation with mitigation flags set?
    2)
    If WF  is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
    Thanks in advance. Best regards,
      Imanol

    Hi Imanol,
       Here is my response:
    1) Reading through the forum, we have seen that if the monitor does not execute the report (action) within the frequency set, an alert is generated. Are these alerts sent out to the mitigation controls' approvers automatically or do they need to be triggered by executing alert generation with mitigation flags set?
    You need to go to Alert Generation -> Select Generate Alert log, Control Monitoring under Action Monitoring and Alert notification.
    2) If WF is set and appropriate configuration is set in RAR, approver activities in CUP are approval for mitigation control maintenance and mitigation control assignment. Is this correct?
    Yes, that is correct.
    Regards,
    Alpesh

  • Implementing SAP GRC CC 5.2 - Help with RTAs for SAP 4.0B & 4.6B Needed

    We are in the process of implementing the SAP GRC Compliance Calibrator 5.2 across multiple environments including SAP legacy systems.  Our key issue is that we cannot find any RTAs for SAP 4.0B and 4.6B.
    I am positive that someone has done this somewhere out there so I am looking for any information and/or solution that you may have implemented to resolve this.
    Would you be kind enough to send the information to me asap.  I can be contacted on my personal email [email protected]
    Many thanks,
    Carlos

    Dear Carlos,
    Available RTAs :
    SAP 4.6B and above
    PeopleTool 8.46
    Oracle eBusiness Suite 11.5.10
    Hyperion HFM 4.1.0
    In order for target systems to connect to Compliance Calibrator, each Real Time Agent (RTA) must:
    Have an entry in the operating system services file of the NetWeaver server
    Server must be restarted before new client entries are registered
    Be defined as a Technical Landscape in the System Landscape Directory (SLD)
    Have a login account for Compliance Calibrator to use for connection
    This account information is used for configuring the Java connections
    Regards,
    Naveen.

  • Scope of SAP GRC

    Hi Experts,
    Need your valuable suggestions.
    I am getting an opportunity to work on the GRC module.
    What is the scope for a GRC Consultant in the near future? Is it a very specialized module?
    Awaiting your reply.
    Julie

    Hi Julie,
    SAP GRC, as its name states, is about Governance, Risk and Compliance. It has very good scope and it has the below submodules:
    1) Access Control
    2) Process Control
    3) Risk Management
    4) Employee Health Security
    5) Global Trade Service
    The GRC module has focus on Security and compliance, which is need of the hour.
    It will take some time to get exposure to all sub-modules; however expertise in sub-modules like AC, PC and RM is also highly respected.
    You will get an added advantage if you also have functional experience.
    Hope you will be able decide based on the above inputs.
    regards,
    Jwalant

  • LDAP Setup in SAP GRC 10 system

    Hello All,
    We are implementing SAP GRC 10 and trying to connect GRC with LDAP to sync users, but we are facing the below error while doing configuration in the LDAP t-code:
    Error “Could not login to directory”
    But it’s working fine when we try to log in through ldap.exe to check the host and other things.
    Please let me know where I can check the configuration in the GRC and LDAP systems to correct this.
    Thanks & Regards,
    Jagat

    Hello,
    Please check other configuration screens from GRC and LDAP.exe tool
    Screen 1 – LDAP Server
    Screen 2 – System User
    Screen 3 – LDAP Connector Setting
    Screen 4 – LDAP.exe

  • Download SAP GRC for ECC 6.0

    How can I download SAP GRC for ECC 6.0?

    GRC applications comprise Access Control, Process Control, Global Trade Service, Environmental Compliance, Environment Health & Service, Risk Management, etc.
    The software license for these applications scales with the licensing organization's revenue or an equivalent metric.
    You'll obtain a quotation from your account manager.
