Cross Organization SOD Conflict in SAP GRC

Hi,
I have a quick question:
Does SAP GRC allow you to capture cross Organization level value conflicts? I just checked the Auth. Object for Org level Company code with $BUKRS under transaction codes in Functions; this shows disabled by default.
Example: If I have access to SU01 in Company Code 1 and access to PFCG in Company Code 2, will this be a risk based on the SAP standard SOD rule set?
Your quick response will be appreciated. Thanking you in advance.
Thanks & Regards,
Abhimanu Kumar Singh

Hi
As already stated by Martin, one of the options for handling additional backup access to users could be through Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
If GRC is not implemented with your client, then for any additional access which is resulting in SoD there has to be proper documentation of temporary access assignment to users (for audit purposes). The mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
Thanks.
Anjan

Similar Messages

  • GRC - SOD Conflict Management (SAP Role Substitution)

    Hi,
    I am looking to see how others handle SAP Role Substitution and SOD conflicts.
    For example, a person is going to be out on vacation for a few days and assigns their roles to another employee to continue with daily tasks... SOD risks result because of the temporary assignment and role combinations... What are you guys doing to manage and monitor this sort of activity?
    Your help and comments greatly appreciated!

    Hi
    As already stated by Martin, one of the options for handling additional backup access to users could be through Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
    If GRC is not implemented with your client, then for any additional access which is resulting in SoD there has to be proper documentation of temporary access assignment to users (for audit purposes). The mitigation control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
    Thanks.
    Anjan

  • SAP GRC v10 and OIM 11g SoD

    Hi,
    I need some information about implementing integration with SAP GRC v10 and SoD. Does any of you have any experience with that configuration?
    We have only base information in the SAP UM Connector doc and on metalink either. Does anyone work with SAP GRC v10 and OIM 11g?
    best
    mp

    See if this helps:
    http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
    regards,
    GP

  • Cross-enterprise integration of SAP GRC Access Control with PeopleSoft

    Friends,
    Does anybody has/have/had the owner to implement Cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft ?
    If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
    Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
    I tried to search, but could not get good results.
    Any help would be highly appreciated.
    Best Regards,
    Amol Bharti

    Amol-
    From my experience:
    CC 5.2 with Peoplesoft: as long as you have the RTA's installed in the Peoplesoft system and create the connectors in CC, you are good to go.
    AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service.  You have the capability to provision to SAP HR.
    FF 5.2 with Peoplesoft: N/A
    RE 5.2 with Peoplesoft: N/A
    I am not sure if there are any standalone docs out there for AC integration with Peoplesoft.  And the 5.2 manuals have sparse information on integration.  However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
    Sorry, I couldn't share more info, as that is all I know for now...
    Ankur
    GRC Consultant

  • Cross system SOD check

    Hi All,
    We have SAP Compliance Calibrator by Virsa Systems Release 4.0. One of the clients does not have Virsa installed and we need to check for user and role SOD conflicts in this client. Please advise what settings are required for cross system connections and how to run the reports for remote checks. Also, will this affect any existing settings / setup?
    Many thanks
    Vijaya

    Vijaya,
      As far as I know, you will need CC 4.0 RTA installed on every system. Please open a message with SAP and check with them. Most of the customers have moved to RAR 5.3 which is the latest and advanced version of CC 4.0 and I will recommend you to upgrade to RAR 5.3.
    Regards,
    Alpesh

  • Migrating from Approva to SAP GRC AC 5.3

    Hello All,
    One of our clients is using Approva applications; now they are planning to move to SAP GRC Access Controls 5.3, so kindly help me or guide me on how I should proceed.
    Key doubts -
    1-How we upload rules in RAR, because we downloaded the rules from Approva.
    2-Creation of mitigation controls etc.
    It would be great if someone could share some documents related to the above.
    Thanks,
    Jagat

    Hi Jagat,
    Once your GRC system is configured. You have to follow the following steps:
    1. Create system connector
    2. Define Master User Source
    3. Upload text & authorization objects. (Follow the AC53 Configuration guide to download these files from backend)
    4. Now as Frank has suggested you have to convert the downloaded Approva files to .txt files. There are 9 .txt files you have to create:
       1. Business Process
          BusinessProcessId (CHAR 4)     LANGUAGE (CHAR 2)     DESCRIPTION LANGUAGE (CHAR 120)
          *fields are TAB separated
       2. Function
          FUNCTION ID (CHAR 8)     LANGUAGE (CHAR 2)     DESCRIPTION LANGUAGE (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S: Single System, C: Cross System))
       3. Function-Business Process
          FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
       4. Function-Action
          FUNCTION ID (CHAR 8)     TRANSACTION (CHAR 20)     STATUS (NUMC 1 (0 or 1))
       5. Function-Permission
          FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT (CHAR 10)     FIELD (CHAR 10)     FROM VALUE (CHAR 40)     TO VALUE (CHAR 40)     SEARCH TYPE (CHAR 3 (AND, OR, NOT))     STATUS (NUMC 1 (0 or 1))
       6. Rule Set
          RuleSetId (CHAR 8)     LANGUAGE (CHAR 2)     DESCRIPTION (CHAR 132)
       7. Risk ID
          RISKID (CHAR 4)     FUNCTION_1_ID (CHAR 8)     FUNCTION_2_ID (CHAR 8)     FUNCTION_3_ID (CHAR 8)     FUNCTION_4_ID (CHAR 8)     FUNCTION_5_ID (CHAR 8)     BusinessProcessId (CHAR 4)     PRIORITYDESCRIPTION (NUMC 1 (0=Medium 1=High 2=Low 3=Critical))     STATUS (NUMC 1 (0 or 1))     RISKTYPE (CHAR 1 (1=SoD 2=Critical Action 3=Critical Permission))
       8. Risk Description
          RISKID (CHAR 4)     LANGUAGE (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
       9. RISK_RULESET
          RISKID (CHAR 4)     RuleSetId (CHAR 8)
    For more information on templates follow the configuration guide.
    Upload these files and generate the rules.
    Hope with this you will be able to continue.
    Thanks & Regards,
    Jitan
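
A pre-upload check for the converted files, as an added example that is not part of the post above or of SAP's tooling: it validates TAB-separated rows against the field lengths and value codes listed in the post and flags function IDs that the risk file uses but the function file never defines. The layout keys, the sample rows and the treatment of unused FUNCTION_n_ID slots as empty fields are assumptions of this example.

```python
# Added example: pre-upload validation of RAR rule files (not SAP code).
# Layouts are copied from the post as (field name, maximum length).
# The dictionary keys are labels chosen for this example, not SAP file names.
FID = ("FUNCTION ID", 8)
LAYOUTS = {
    "business_process": [("BusinessProcessId", 4), ("LANGUAGE", 2), ("DESCRIPTION", 120)],
    "function": [FID, ("LANGUAGE", 2), ("DESCRIPTION", 120), ("FUNCTION SCOPE", 1)],
    "function_bp": [FID, ("BusinessProcessId", 4)],
    "function_action": [FID, ("TRANSACTION", 20), ("STATUS", 1)],
    "function_permission": [FID, ("T-CODE", 20), ("OBJECT", 10), ("FIELD", 10),
                            ("FROM VALUE", 40), ("TO VALUE", 40),
                            ("SEARCH TYPE", 3), ("STATUS", 1)],
    "rule_set": [("RuleSetId", 8), ("LANGUAGE", 2), ("DESCRIPTION", 132)],
    "risk": [("RISKID", 4)] + [(f"FUNCTION_{i}_ID", 8) for i in range(1, 6)]
            + [("BusinessProcessId", 4), ("PRIORITYDESCRIPTION", 1),
               ("STATUS", 1), ("RISKTYPE", 1)],
    "risk_description": [("RISKID", 4), ("LANGUAGE", 2), ("RISKDESCRIPTION", 132),
                         ("DETAILDESCRIPTION", 1000), ("CONTROLOBJECTIVE", 1000)],
    "risk_ruleset": [("RISKID", 4), ("RuleSetId", 8)],
}
# Coded fields and the values the post lists for them.
CODES = {
    "FUNCTION SCOPE": {"S", "C"},
    "STATUS": {"0", "1"},
    "SEARCH TYPE": {"AND", "OR", "NOT"},
    "PRIORITYDESCRIPTION": {"0", "1", "2", "3"},
    "RISKTYPE": {"1", "2", "3"},
}


def validate(kind, text):
    """Return (line_no, field, problem) tuples for one TAB-separated file."""
    layout, problems = LAYOUTS[kind], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        row = line.split("\t")
        if len(row) != len(layout):
            problems.append((line_no, "-", "field count"))
            continue
        for (name, max_len), value in zip(layout, row):
            if len(value) > max_len:
                problems.append((line_no, name, "too long"))
            elif name in CODES and value not in CODES[name]:
                problems.append((line_no, name, "bad value"))
    return problems


def undefined_functions(function_text, risk_text):
    """Function IDs used in the risk file but never defined in the function file."""
    defined = {l.split("\t")[0] for l in function_text.splitlines() if l}
    used = set()
    for line in risk_text.splitlines():
        # Columns 2-6 are FUNCTION_1_ID..FUNCTION_5_ID; empty slots are skipped.
        used.update(c for c in line.split("\t")[1:6] if c)
    return sorted(used - defined)


# Constructed sample rows (not real rule-set content).
FUNCTIONS = "ZFN00001\tEN\tMaintain users\tS\nZFN00002\tEN\tMaintain roles\tX\n"
RISKS = ("Z001\tZFN00001\tZFN00002\t\t\t\tZB01\t1\t1\t1\n"
         "Z0002\tZFN00001\tZFN00009\t\t\t\tZB01\t5\t1\t1\n")

if __name__ == "__main__":
    print(validate("function", FUNCTIONS))
    print(validate("risk", RISKS))
    print(undefined_functions(FUNCTIONS, RISKS))
```

A risk that references an undefined function, or a row rejected for length, would otherwise leave the migrated rule set silently missing an SoD rule that existed in the source system.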

  • SAP GRC AC10 Common Practices on Mitigation Control

    Hi all,
    Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
    We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
    And the mitigation controls should be owned by global organization or compliance department or local organization?
    Please help.
    Thx!

    Hi "GRC_SAP_AUDIT"
    I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
    You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
    With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
    Hope this helps. If you wish to add any further detail, I'm sure the forum members are happy to help.

  • Sap grc note require

    Hello all.,
    Can someone tell me how to view the Java tables (on the GRC server) to see whether all tcodes and objects are there? None of our full SOD roles are showing any conflicts. We have the SU24 action and permission level files uploaded but still no conflicts.
    Does anyone know the SAP note number where they define the procedure for viewing Java tables on the GRC server?
    Thanks

    Hi Junaid,
    If you're looking for a list of tables and definitions for generating custom reports, check note 1369045.
    But I guess you are just looking for tables to see if they are filled; check some threads like this:
    Most commonly used tables in SAP GRC & SAP HR
    I guess check the database tables could be OK as a first view, but it should not be the way to do the error analysis. The naming convention for the tables is clear.
    Cheers,
    Diego.
    Edited by: Diego I. Yaryura on Dec 15, 2011 4:37 AM

  • Download SAP GRC for ECC 6.0

    How can I download SAP GRC for ECC 6.0?

    GRC applications comprise Access Control, Process Control, Global Trade Service, Environmental Compliance, Environment Health & Service, Risk Management, etc.
    The software license for these applications scales with the licensing organization's revenue or an equivalent metric.
    You'll obtain a quotation from your account manager.

  • For GRC 5.3 can I use the SAP GRC 5.2 rule set

    We are going for an upgrade to GRC 5.3,  I have a small concern here....
    Can I use the same ruleset what I used in GRC 5.2 to SAP GRC5.3 ...?
    because when I checked ruleset at permission level in GRC 5.2 it displays first object of an action from one function conflicting with first object of an action from another function, where as in GRC 5.3 it displays all objects of an action from one function vs all objects of an action from another function....
    How will it impact analysis in GRC 5.3 with old rule set...?
    appreciate your response & thanks in advance.

    Hi,
    Here you will find the documentation to get Upgrade/Configuration Guides.
    [https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718172&]
    SAP BusinessObjects Governance --> Access Control ---> SAP GRC Access Control 5.3
    There you will find an Upgrade guideline.
    Cheers,
    Martin

  • SAP GRC Access Control - Compliance Calibrator - License Cost

    Dear all,
    I have some questions on Compliance Calibrator implementation.
    1. Do  we have to pay additional cost for the license to implement Compliance Calibrator?
    2. Since SAP GRC 5.3 is just released, which one do you recommend? SAP GRC 5.2 or 5.3?
    3. What would be the major difference between Compliance Calibrator in GRC 5.2 and 5.3?
    Best regards,
    Rolando

    Hi Rolando-
    1. Yes, there is some license cost, and the amount should not be as much as taking an SAP R/3 license. I am not sure of the exact amount, but it's nominal compared to other SAP products.
    2. SAP always recommends the latest version available, and why would one not go for the latest version if you are paying something for it?
    Also, it depends on your existing R/3 version and its compatibility. In the short run, you can choose per your existing versions, but in the long run everyone has to move to the latest version. Say for example whoever is using SAP R/3 technology with whatever version, they all need to upgrade to ECC6.0 by 2011 with extension up to 2013. I am not sure of any such information about GRC AC though.
    3. Some enhancements have been made with CC 5.3. Those features include-
    1. Risk analysis for SAP Enterprise Portal and UME
    2. BI integration for custom reporting
    3. Reporting enhancement features include additional auditor, business manager and IT reports
    4. SOD management by exception. Can be integrated with workflow.
    5. Import/Export of configuration data
    6. Migration scripts
    7. Download and print capability on every report.
    Some performance improvements-
    1. Concurrent risk analysis.
    2. batch mode risk analysis
    3. Improved memory mgmnt etc.
    Hope it gives you now some more visibility.
    Cheers!
    Ashok

  • SAP GRC AC 5.3 integrated with BW

    Hi all,
    Has any of you implemented integration between SAP GRC AC 5.3 and BW and developed custom reports?
    Thanks in advance. Regards,
       Imanol

    Imanol,
    There is documentation available for the integration.  You can find that here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
    Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
    Pre-delivered queries:
    For RAR:
    Alert Detail Listing
    Alert Header Listing
    Critical Action Violations by User
    Critical Role Viols Analysis with Long Portal IDs
    Current User Permission Risk-Perm Violation Analysis Breakdowns
    Current User Permission Risk Violation Analysis Breakdowns
    Management Summary Total Listing
    Mitigated Users Analysis
    Risk Long Descriptions
    Risk-Rule Set Relationship Listing
    Role Permission Risk Violation Analysis
    Role (Portals) Permission Risk Violation Analysis
    Supplementary Rule Detail Listing
    Supplementary Rule Header Listing
    User Permission Risk Violation with Functions
    User Permission Risk Violation with Remediation by User
    User Permission Risk Violation with Remediation by User (Top 10)
    User Permission Violation with Remediation by Risk
    User Permission Violation with Remediation by Risk (Top 10)
    For CUP:
    Access Requests
    Risk Violations
    Role Provisioning
    Service Levels
    SOD Review
    User Access Review
    User Provisioning
    Thanks!
    Ankur
    SAP GRC RIG

  • Migrate SAP GRC AC 5.3 SP13 (System A - System B)

    Hello all,
    currently we have setup 2 SAP GRC AC 5.3 SP13 SAP instances (DEV / PRD) for the customer's SAP ERP system landscape. Those systems also contain some customer business functionality.
    Because of business requirements the PRD Java Instance needs to be deleted and built up again from scratch with another WebAS Java Release Version (same SID, same Hardware, etc.).
    Our plan is now to set up a dedicated Java instance which will contain the PRD installation of SAP GRC AC (new SID, different hardware, etc.) to avoid similar problems in the future. Therefore we have to migrate all of the RAR data from the "old" Java instance to the newly set up Java system. We especially need to migrate all of the RAR analysis data (e.g. SoD violation analyses of previous months, etc.), otherwise we would lose all of this information when the "old" installation is deleted and built up again.
    I have checked all of the SAP documentation for SAP GRC AC 5.3 and only found these clues:
    In document "SAP GRC AC 5.3 Configuration Guide v3.16 - Chapter Utilities -> Export Utility / Import Utility" it only says something about exporting / importing rule sets, mitigating controls, etc. Can these tools also be used to export / import analysis data too?
    In document "SAP GRC AC 5.3 Installation Guide v2.2 - Chapter Post-System Copy Configuration" it only says something about steps to be executed if the SAP GRC AC installation was done via system copy. But there is no information about migrating RAR analysis data.
    In document "SAP GRC AC 5.3 Operations Guide v2.1 - 7.2 Backup strategies" it says that in order to restore the system "you need to back up all tables with the following prefixes: VIRSA and VT". Can we simply do a backup of all of those tables, import them into the database of the new system and then use the export/import utility to move all of the configuration etc. from the old system to the new one?
    Regards,
    Benjamin
    Edited by: Benjamin Schlotz on Jun 30, 2011 11:57 AM

    Hello Sunny, hello Frank,
    thanks for the quick replies.
    I did know about the SNOTE regarding the post migration steps, but the To-Do's Frank posted had some additional info in them.
    One question remains still open though:
    How to actually migrate all the GRC AC RAR data (incl. old analysis data) from System A to System B
    Our intended course of action would be:
    1. Deploy SAP GRC AC on System B (same Version, SP-level etc. as in System A)
    2. Export all VIRSA* and VT* tables from DB of System A, import them all in DB of system B
    3. Export all configuration, etc. from System A, import it into System B (using the export / import functionality within RAR)
    4. Do all the post-migration tasks described by you
    Would you agree with that course of action / know any pitfalls, etc ? We need to have all the "old" RAR analysis data from System A in System B after the migration because System A will be shutdown and deleted.
    Regards,
    Benjamin

  • SAP GRC 5.3 - Do I need to install all tools initially

    Hi,
    I am looking into installing SAP GRC 5.3. At the moment we only want to use Risk Analysis and Remediation (RAR), Superuser Privilege Manager (SPM) and Risk Terminator. However we may want to implement CUP and ERM at a later stage as part of a separate project. I am looking for some advice on how we should approach the install. Should we install all components initially or can they be easily installed and configured at a later stage?
    Thanks,
    Gary

    Hi Gary,
    SAP GRC Access Control comes with all four components: RAR, CUP, ERM and SPM. According to your organization's needs you may configure the components which you want initially. Later on you may plan to configure other components.
    I am looking for some advice on how we should approach the install. Should we install all components initially or can they be easily installed and configured at a later stage?
    It's recommended by SAP to deploy all four components.
    Regards,
    Mohit

  • Benefits of implementing SAP GRC AC in Lifescience/Pharma.

    Dear All,
    Would be great if anyone could please share the benefits of implementing SAP GRC Access Controls in Lifescience/Pharma industry, more specifically which all regulations and laws it takes care of.
    Regards,
    Hersh.
    Edited by: HERSH GUPTA on Dec 18, 2008 6:04 PM

    Hersh,
    Look for some of the Success stories out there. That should help you. Below is one of it.
    http://www.securintegration.com/fileadmin/redakteur/binary/Success_Story_KRKA_SI.pdf
    I too work at a Pharma client and having AC in place really helps. CC will help the internal SOX and audit team to verify that there are no SODs. RE can streamline the role change approval process, which will be of great help when you see it from an auditor's perspective (you will always have the right approvals for the role changes a developer makes), and AE will help you reduce the paperwork, and the biggest advantage is the right approvals. Before using AE we used to have paper-based access requests and we used to get a lot of audit issues because of people approving roles that don't fall under their own space (which will be taken very seriously if it is a Pharma company). FF advantages remain the same across industries.
    Hope this helps,
    Naveen
