SAP GRC 10.0 - SOD REVIEW

Dear All,
We have a doubt about the SoD review process available in GRC. Let us send you a couple of questions:
We guess that the SoD review performs an analysis over the whole set of users in the target system. Is that correct? Or is it limited to the users requested through the Access Request menu, that is to say, the users created/modified through GRC?
If we generate the data once and the tasks are sent to the reviewers, and then we generate the data again, just one minute later, will the same users be sent to the reviewer again?
Thanks in advance!

Jebeni,
We haven't done any SoD review, but from the user access review my experience is that:
1. You should have an option to include a set of users for whom the review should be done, i.e. only dialog users.
2. Yes, it will resend if you re-run the job again.
We will wait to know more from the experts.

Similar Messages

  • SAP GRC v10 and OIM 11g SoD

    Hi,
    I need some information about implementing integration with SAP GRC v10 and SoD. Does any of you have experience with that configuration?
    We have only basic information in the SAP UM Connector doc and on Metalink. Does anyone work with SAP GRC v10 and OIM 11g?
    best
    mp

    See if this helps:
    http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
    regards,
    GP

  • Cross Organization SOD Conflict in SAP GRC

    Hi,
    I have a quick question:
    Does SAP GRC allow you to capture cross-organization-level value conflicts? I just checked the authorization object for org level Company Code with $BUKRS under transaction codes in Functions; this shows as disabled by default.
    Example: If I have access to SU01 in Company Code 1 and access to PFCG in Company Code 2, will this be a risk based on the SAP standard SoD rule set?
    Your quick response will be appreciated. Thanking you in advance.
    Thanks & Regards,
    Abhimanu Kumar Singh

    Hi
    As already stated by Martin, one of the options for handling additional backup access for users could be through Superuser Privilege Management (if GRC has been implemented with your client). This would allow detailed reporting at transaction level for audit purposes.
    If GRC is not implemented with your client, then for any additional access which results in an SoD conflict there has to be proper documentation of the temporary access assignment to users (for audit purposes). A mitigating control should be documented and submitted by the supervisor of the user to the SoD team to ensure proper compliance is in place for the additional access provided to the user.
    Thanks.
    Anjan

  • SAP GRC AC 5.3 integrated with BW

    Hi all,
    Has any of you implemented integration between SAP GRC AC 5.3 and BW and developed custom reports?
    Thanks in advance. Regards,
       Imanol

    Imanol,
    There is documentation available for the integration.  You can find that here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
    Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
    Pre-delivered queries:
    For RAR:
    Alert Detail Listing
    Alert Header Listing
    Critical Action Violations by User
    Critical Role Viols Analysis with Long Portal IDs
    Current User Permission Risk-Perm Violation Analysis Breakdowns
    Current User Permission Risk Violation Analysis Breakdowns
    Management Summary Total Listing
    Mitigated Users Analysis
    Risk Long Descriptions
    Risk-Rule Set Relationship Listing
    Role Permission Risk Violation Analysis
    Role (Portals) Permission Risk Violation Analysis
    Supplementary Rule Detail Listing
    Supplementary Rule Header Listing
    User Permission Risk Violation with Functions
    User Permission Risk Violation with Remediation by User
    User Permission Risk Violation with Remediation by User (Top 10)
    User Permission Violation with Remediation by Risk
    User Permission Violation with Remediation by Risk (Top 10)
    For CUP:
    Access Requests
    Risk Violations
    Role Provisioning
    Service Levels
    SOD Review
    User Access Review
    User Provisioning
    Thanks!
    Ankur
    SAP GRC RIG

  • SoD Review Guide

    Dear Forum goers,
    It has been a long time coming, but we just released the SoD Review Guide on BPX.
    You can find it here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f01947f3-80d6-2c10-36a6-d4dad7cf1649?quicklink=index&overridelayout=true
    Thanks!
    Ankur
    SAP GRC RIG

    Alpesh,
    To answer your questions,
    Page 17: 1. Admin
    Changes are not accepted from the 'Track Changes' feature of Word. The changes still show up in red.
    I do not understand this response. The document looks fine to me on page 17.
    Page 20: Lock, Forward To Next Stage:
    Is "Lock, Forward To Next Stage" the same as "Deactivate, Forward To Next Stage", or are the users only locked in "Lock, Forward To Next Stage"?
    Yes, you are correct, the users are only locked in "Lock, Forward to Next Stage." "Deactivate, Forward To Next Stage" sets the user assignment to the current date.
    Page 43: Are the links for the config guide etc. under Related Content supposed to work?
    We submit our documents to BPX as a Word document, and then they convert it to PDF, so the links do not work after the conversion is done. If you are interested in a link, let me know, and I will point you to the correct place.
    Thanks!
    Ankur
    SAP GRC RIG

  • SAP GRC 10.0 on ECC

    Hi Guys,
    We are planning on implementing SAP GRC 10.0. Our Basis guy has suggested that we can use the ECC (EHP 6) box for installing the add-on (GRCFND_A) component. The reason for this is to avoid adding another system to the landscape and to reduce the cost of implementation.
    Are there any known issues using this approach?
    Thanks in advance,
    Silver

    Hi
    The GRC project is totally IT driven.
    I get why you are having to drive this, especially when you have to respond to audit requirements and your focus is on support processes.
    However, GRC is all about business risk management: Governance, Risk and Compliance (well, internal controls). The GRC system is just the tool to manage this. Without business buy-in, how is this going to be successful? Who will review business processes to determine what a risk is? Who in a senior leadership position will determine what risks are acceptable? Who will determine appropriate controls, report on them and, more importantly, enforce them? Who in a leadership position will champion the project and support why a user must work a certain way (including having access removed from them)?
    I get that you are focusing on a POC and trying to minimise cost, but what happens post-POC? I've given recommendations where I've said don't put in GRC until you sort out your process and culture. I've done this as much as the inner techie in me knows I won't get to play with a new toy, because without all the business buy-in you will have a system built and deployed that gives you a false sense of security when it comes to managing access controls.
    Another way to look at the SP issues: what happens if it's on ECC and the functional team (aka the business representatives) demand an SP increase for their functionality? They proceed to increase the SP and now your functionality stops working, which then impacts the business as you can't process their access requests and give them timely access to the system (assume this is your business case). Is your Basis team going to tell the business that they can't have the SP stack increase because IT needs the system on a certain level and they need to wait until the next time it's compatible?
    Good luck with your POC. I understand it will allow you to use the tool and check what will work for the business. If you are still undecided on the system landscape post-POC, take care not to have that decision made for you. As you go down the POC path and time runs out, the project may move from POC to design/build, and now that it's working there will be reluctance to move it to a separate system.
    Regards
    Colleen

  • SAP GRC Access Control - Compliance Calibrator - License Cost

    Dear all,
    I have some questions on Compliance Calibrator implementation.
    1. Do  we have to pay additional cost for the license to implement Compliance Calibrator?
    2. Since SAP GRC 5.3 is just released, which one do you recommend? SAP GRC 5.2 or 5.3?
    3. What would be the major difference between Compliance Calibrator in GRC 5.2 and 5.3?
    Best regards,
    Rolando

    Hi Rolando-
    1. Yes, there is some license cost, but the amount should not be as much as the SAP R/3 license. I am not sure of the exact amount, but it is nominal compared to other SAP products.
    2. SAP always recommends the latest version available, and why would one not go for the latest version if you are paying for it?
    Also, it depends on your existing R/3 version and its compatibility. In the short run, you can choose per your existing versions, but in the long run everyone has to move to the latest version. For example, whoever is using SAP R/3 technology, with whatever version, will need to upgrade to ECC 6.0 by 2011, with an extension up to 2013. I am not sure of any such information about GRC AC though.
    3. Some enhancements have been made in CC 5.3. Those features include:
    1. Risk analysis for SAP Enterprise Portal and UME
    2. BI integration for custom reporting
    3. Reporting enhancements, including additional auditor, business manager and IT reports
    4. SoD management by exception; can be integrated with workflow
    5. Import/export of configuration data
    6. Migration scripts
    7. Download and print capability on every report
    Some performance improvements:
    1. Concurrent risk analysis
    2. Batch mode risk analysis
    3. Improved memory management, etc.
    Hope this gives you some more visibility.
    Cheers!
    Ashok

  • Migrating from Approva to SAP GRC AC 5.3

    Hello All,
    One of our clients is using Approva applications; now they are planning to move to SAP GRC Access Control 5.3, so kindly help me or guide me on how to proceed.
    Key doubts:
    1. How do we upload rules in RAR, given that we downloaded the rules from Approva?
    2. Creation of mitigation controls, etc.
    It would be great if someone could share some documents related to the above.
    Thanks,
    Jagat

    Hi Jagat,
    Once your GRC system is configured, you have to follow these steps:
    1. Create the system connector
    2. Define the Master User Source
    3. Upload text and authorization objects (follow the AC 5.3 Configuration Guide to download these files from the backend)
    4. Now, as Frank has suggested, you have to convert the downloaded Approva files to .txt files. There are 9 .txt files you have to create (fields are TAB separated):
    1. Business Process
    BusinessProcessId (CHAR 4)     LANGUAGE (CHAR 2)     DESCRIPTION LANGUAGE (CHAR 120)
    2. Function
    FUNCTION ID (CHAR 8)     LANGUAGE (CHAR 2)     DESCRIPTION LANGUAGE (CHAR 120)     FUNCTION SCOPE (CHAR 1 (S: Single System, C: Cross System))
    3. Function-Business Process
    FUNCTION ID (CHAR 8)     BusinessProcessId (CHAR 4)
    4. Function-Action
    FUNCTION ID (CHAR 8)     TRANSACTION (CHAR 20)     STATUS (NUMC 1 (0 or 1))
    5. Function-Permission
    FUNCTION ID (CHAR 8)     T-CODE (CHAR 20)     OBJECT (CHAR 10)     FIELD (CHAR 10)     FROM VALUE (CHAR 40)     TO VALUE (CHAR 40)     SEARCH TYPE (CHAR 3 (AND, OR, NOT))     STATUS (NUMC 1 (0 or 1))
    6. Rule Set
    RuleSetId (CHAR 8)     LANGUAGE (CHAR 2)     DESCRIPTION (CHAR 132)
    7. Risk ID
    RISKID (CHAR 4)     FUNCTION_1_ID (CHAR 8)     FUNCTION_2_ID (CHAR 8)     FUNCTION_3_ID (CHAR 8)     FUNCTION_4_ID (CHAR 8)     FUNCTION_5_ID (CHAR 8)     BusinessProcessId (CHAR 4)     PRIORITYDESCRIPTION (NUMC 1 (0=Medium, 1=High, 2=Low, 3=Critical))     STATUS (NUMC 1 (0 or 1))     RISKTYPE (CHAR 1 (1=SoD, 2=Critical Action, 3=Critical Permission))
    8. Risk Description
    RISKID (CHAR 4)     LANGUAGE (CHAR 2)     RISKDESCRIPTION (CHAR 132)     DETAILDESCRIPTION (CHAR 1000)     CONTROLOBJECTIVE (CHAR 1000)
    9. RISK_RULESET
    RISKID (CHAR 4)     RuleSetId (CHAR 8)
    For more information on the templates, follow the configuration guide.
    Upload these files and generate the rules.
    Hope with this you will be able to continue.
    Thanks & Regards,
    Jitan
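    The nine tab-separated files above are easy to get subtly wrong by hand (a function id one character too long, a risk that points at a function defined nowhere, a tab inside a description), and RAR will either reject the upload or, worse, generate rules that silently miss the conflict. The following is an added example, not SAP's code and not part of Jitan's answer: a small Python script that assembles the files from a structured definition and checks field widths, enumerations and cross-file references before anything is uploaded. The column names, widths and allowed values are taken from the post; everything else is an assumption: the dictionary keys used as file names are arbitrary, no header line is written (compare with the templates in the configuration guide), the sample content (business process PR00, functions PR01/PR02, risk P001, rule set GLOBAL, transactions XK01/XK02/F110, objects F_LFA1_APP/F_REGU_BUK) is constructed, and the rule that an SoD-type risk must name at least two functions is a sanity check added here, not something the post states.

```python
"""Added example, not SAP's code and not from the thread: build and sanity-check the nine
tab-separated rule-upload files listed above before loading them into RAR. Column names,
widths and enumerations follow the post; the sample rule content is constructed."""

# One entry per upload file, in the order the post lists them:
# (column, CHAR/NUMC width, allowed values or None for free text)
SPECS = {
    "business_process": [("BusinessProcessId", 4, None), ("LANGUAGE", 2, None), ("DESCRIPTION", 120, None)],
    "function": [("FUNCTION_ID", 8, None), ("LANGUAGE", 2, None), ("DESCRIPTION", 120, None),
                 ("FUNCTION_SCOPE", 1, {"S", "C"})],  # S = single system, C = cross system
    "function_bp": [("FUNCTION_ID", 8, None), ("BusinessProcessId", 4, None)],
    "function_action": [("FUNCTION_ID", 8, None), ("TRANSACTION", 20, None), ("STATUS", 1, {"0", "1"})],
    "function_permission": [("FUNCTION_ID", 8, None), ("TCODE", 20, None), ("OBJECT", 10, None),
                            ("FIELD", 10, None), ("FROM_VALUE", 40, None), ("TO_VALUE", 40, None),
                            ("SEARCH_TYPE", 3, {"AND", "OR", "NOT"}), ("STATUS", 1, {"0", "1"})],
    "rule_set": [("RuleSetId", 8, None), ("LANGUAGE", 2, None), ("DESCRIPTION", 132, None)],
    "risk": [("RISKID", 4, None)] + [(f"FUNCTION_{i}_ID", 8, None) for i in range(1, 6)] + [
        ("BusinessProcessId", 4, None),
        ("PRIORITYDESCRIPTION", 1, {"0", "1", "2", "3"}),  # 0=Medium 1=High 2=Low 3=Critical
        ("STATUS", 1, {"0", "1"}),
        ("RISKTYPE", 1, {"1", "2", "3"})],  # 1=SoD 2=Critical Action 3=Critical Permission
    "risk_description": [("RISKID", 4, None), ("LANGUAGE", 2, None), ("RISKDESCRIPTION", 132, None),
                         ("DETAILDESCRIPTION", 1000, None), ("CONTROLOBJECTIVE", 1000, None)],
    "risk_ruleset": [("RISKID", 4, None), ("RuleSetId", 8, None)],
}


def validate_file(name, rows):
    """Per-field checks for one upload file; returns the problems found (empty list = clean)."""
    spec, problems = SPECS[name], []
    for n, row in enumerate(rows, 1):
        if len(row) != len(spec):
            problems.append(f"{name} row {n}: expected {len(spec)} fields, got {len(row)}")
            continue
        for (col, width, allowed), value in zip(spec, row):
            if "\t" in value or "\n" in value:
                problems.append(f"{name} row {n}: {col} contains a tab or newline")
            if len(value) > width:
                problems.append(f"{name} row {n}: {col} exceeds width {width}: {value!r}")
            if allowed is not None and value not in allowed:
                problems.append(f"{name} row {n}: {col} must be one of {sorted(allowed)}, got {value!r}")
    return problems


def cross_check(files):
    """Referential checks across files: every id a row points at must be defined in its own file."""
    defined = {k: {r[0] for r in files[k]} for k in ("business_process", "function", "rule_set", "risk")}
    refs = []  # (referencing file, referenced id, file that must define it)
    for r in files["function_bp"]:
        refs += [("function_bp", r[0], "function"), ("function_bp", r[1], "business_process")]
    for name in ("function_action", "function_permission"):
        refs += [(name, r[0], "function") for r in files[name]]
    for r in files["risk"]:
        refs += [("risk", f, "function") for f in r[1:6] if f] + [("risk", r[6], "business_process")]
    refs += [("risk_description", r[0], "risk") for r in files["risk_description"]]
    for r in files["risk_ruleset"]:
        refs += [("risk_ruleset", r[0], "risk"), ("risk_ruleset", r[1], "rule_set")]
    problems = [f"{src}: unknown {kind} {val!r}" for src, val, kind in refs if val not in defined[kind]]
    # Sanity check added here: an SoD risk (RISKTYPE 1) is a conflict between functions, so it needs two.
    problems += [f"risk {r[0]}: SoD risk lists fewer than two functions"
                 for r in files["risk"] if r[9] == "1" and len([f for f in r[1:6] if f]) < 2]
    return problems


def build(files):
    """Validate all nine files; return ({file name: tab-separated text}, problems). Text is only
    produced when nothing is wrong. No header line is written (assumption: compare with the
    templates in the configuration guide)."""
    problems = [f"{name}: file missing" for name in SPECS if name not in files]
    problems += [p for name in SPECS for p in validate_file(name, files.get(name, []))]
    if not problems:
        problems = cross_check(files)
    if problems:
        return {}, problems
    return {name: "".join("\t".join(r) + "\n" for r in files[name]) for name in SPECS}, []


# Constructed sample: one procure-to-pay SoD risk between vendor master maintenance and the payment run.
SAMPLE = {
    "business_process": [["PR00", "EN", "Procure to Pay"]],
    "function": [["PR01", "EN", "Maintain vendor master", "S"], ["PR02", "EN", "Process vendor payments", "S"]],
    "function_bp": [["PR01", "PR00"], ["PR02", "PR00"]],
    "function_action": [["PR01", "XK01", "1"], ["PR01", "XK02", "1"], ["PR02", "F110", "1"]],
    "function_permission": [["PR01", "XK01", "F_LFA1_APP", "ACTVT", "01", "02", "AND", "1"],
                            ["PR02", "F110", "F_REGU_BUK", "FBTCH", "21", "", "AND", "1"]],
    "rule_set": [["GLOBAL", "EN", "Global rule set"]],
    "risk": [["P001", "PR01", "PR02", "", "", "", "PR00", "1", "1", "1"]],
    "risk_description": [["P001", "EN", "Maintain vendor master and run payments",
                          "A user who can change vendor bank details and also run the payment program can divert payments.",
                          "Vendor master maintenance is separated from payment processing."]],
    "risk_ruleset": [["P001", "GLOBAL"]],
}

if __name__ == "__main__":
    texts, problems = build(SAMPLE)
    for name, text in texts.items():
        print(f"--- {name}.txt ---\n{text}", end="")
    print("\n".join(problems))
```

    Running it prints the nine file bodies for the sample; feeding it a definition with an over-long id, a blank second function on an SoD risk, or a rule set id that is never defined returns an empty file map and the list of problems instead, so nothing half-checked reaches the upload.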

  • Migrate SAP GRC AC 5.3 SP13 (System A - System B)

    Hello all,
    Currently we have set up 2 SAP GRC AC 5.3 SP13 SAP instances (DEV / PRD) for the customer's SAP ERP system landscape. Those systems also contain some customer business functionality.
    Because of business requirements the PRD Java instance needs to be deleted and built up again from scratch with another WebAS Java release version (same SID, same hardware, etc.).
    Our plan is now to set up a dedicated Java instance which will contain the PRD installation of SAP GRC AC (new SID, different hardware, etc.) to avoid similar problems in the future. Therefore we have to migrate all of the RAR data from the "old" Java instance to the newly set up Java system. We especially need to migrate all of the RAR analysis data (e.g. SoD violation analyses of previous months, etc.), otherwise we would lose all of this information when the "old" installation is deleted and built up again.
    I have checked all of the SAP documentation for SAP GRC AC 5.3 and only found these clues:
    In the document "SAP GRC AC 5.3 Configuration Guide v3.16 - Chapter Utilities -> Export Utility / Import Utility" it only says something about exporting / importing rule sets, mitigating controls, etc. Can these tools also be used to export / import analysis data?
    In the document "SAP GRC AC 5.3 Installation Guide v2.2 - Chapter Post-System Copy Configuration" it only says something about the steps to be executed if the SAP GRC AC installation was done via system copy. But there is no information about migrating RAR analysis data.
    In the document "SAP GRC AC 5.3 Operations Guide v2.1 - 7.2 Backup strategies" it says that in order to restore the system "you need to back up all tables with the following prefixes: VIRSA and VT". Can we simply do a backup of all of those tables, import them into the database of the new system and then use the export/import utility to move all of the configuration etc. from the old system to the new one?
    Regards,
    Benjamin
    Edited by: Benjamin Schlotz on Jun 30, 2011 11:57 AM

    Hello Sunny, hello Frank,
    thanks for the quick replies.
    I did know about the SAP Note regarding the post-migration steps, but the to-dos Frank posted had some additional info in them.
    One question still remains open though:
    How to actually migrate all the GRC AC RAR data (incl. old analysis data) from System A to System B?
    Our intended course of action would be:
    1. Deploy SAP GRC AC on System B (same version, SP level, etc. as on System A)
    2. Export all VIRSA* and VT* tables from the DB of System A and import them all into the DB of System B
    3. Export all configuration, etc. from System A and import it into System B (using the export / import functionality within RAR)
    4. Do all the post-migration tasks described by you
    Would you agree with that course of action / know of any pitfalls, etc.? We need to have all the "old" RAR analysis data from System A in System B after the migration because System A will be shut down and deleted.
    Regards,
    Benjamin

  • SAP GRC PC 10.1 Policy Management

    Hi Gurus,
    I am performing a Policy Management cycle in SAP GRC PC 10.1, and I am finding the following problem. The approver receives in the Work Inbox the notification to perform the approval of the policy, and if he decides to Send to Rework, no one receives the rework; but if I activate a fallback user, he receives everything.
    I configured the following business events in the SPRO activity "Maintain Custom Agent Determination Rules".
    Business Event             Role  Entity ID                      Subtype  Business Event Name
    0FN_AHISSUE_DEFAULT_PRC    1     SAP_GRC_SPC_CRS_POLICY_OWNER   POLICY   Default processor for ad-hoc issue
    0FN_AHISSUE_DEFAULT_PRC    1     SAP_GRC_SPC_GLOBAL_ORG_OWNER   ORGUNIT  Default processor for ad-hoc issue
    0FN_POLICY_APPROVE         1     SAP_GRC_SPC_CRS_PLC_APPR       POLICY   Approve policy
    0FN_POLICY_DEFAULT_APPR    1     SAP_GRC_SPC_GLOBAL_ORG_OWNER   ORGUNIT  Default approver for policy
    0FN_POLICY_DEFAULT_APPR    2     SAP_GRC_SPC_GLOBAL_ORG_ADMIN   ORGUNIT  Default approver for policy
    0FN_POLICY_REVIEW          1     SAP_GRC_SPC_CRS_PLC_REVIEW     POLICY   Review policy
    0FN_ISSUE_NOTIFY           1     SAP_GRC_SPC_CRS_POLICY_OWNER   POLICY   Send notification to object owner
    I am working with a copy of the standard roles, so I configured the table with the copies of these roles.
    In transaction SWIA an error appears which says in the field Executed Action: "No Action". I am wondering if maybe it could happen because user WF_BATCH (the user used for the workflow) doesn't have enough authorizations.
    I also tested it in the sandbox and it works perfectly (without fallback and with SAP_ALL on the WF_BATCH user).
    Some help will be appreciated.
    Thanks!

    Hello Giridhar,
    What parameters are you referring to?
    You meant the parameters in General Configuration in AC?
    Best Regards,
    Fernando

  • Benefits of implementing SAP GRC AC in Lifescience/Pharma.

    Dear All,
    It would be great if anyone could please share the benefits of implementing SAP GRC Access Control in the Lifescience/Pharma industry, more specifically which regulations and laws it takes care of.
    Regards,
    Hersh.
    Edited by: HERSH GUPTA on Dec 18, 2008 6:04 PM

    Hersh,
    Look for some of the success stories out there. That should help you. Below is one of them.
    http://www.securintegration.com/fileadmin/redakteur/binary/Success_Story_KRKA_SI.pdf
    I too work at a Pharma client and having AC in place really helps. CC will help the internal SOX and audit team to verify that there are no SoDs. RE can streamline the role change approval process, which will be of great help when you see it from an auditor's perspective (you will always have the right approvals for the role changes a developer makes), and AE will help you reduce the paperwork; the biggest advantage is the right approvals. Before using AE we used to have paper-based access requests and we used to get a lot of audit issues because of people approving roles that didn't fall under their own space (which will be taken very seriously if it is a Pharma company). The FF advantages remain the same across the industries.
    Hope this helps,
    Naveen

  • SAP GRC - SAP IDM integration

    Hello,
    may I ask you how SAP GRC Access Control can be integrated with Identity Management?
    I would like a description of the model and to understand whether CUP, ERM and RAR are all mandatory components for the integration (it's not clear to me if only CUP should be used to integrate with IdM).
    Thank you to all
    Daniela

    Hi Daniela,
    There are two basic options for integrating NetWeaver Identity Management and SAP BusinessObjects Access Control:
    - CUP can call IdM to provision roles to non-SAP systems through IdM
    - IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
    As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
    The best kind of integration for your scenario depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
    Kind regards,
    Frank.

  • Enterprise Risk Management Approach in SAP GRC

    Hi All,
    Can you please let me know  as to what is the approach followed for implementation of  Enterprise Risk Management (ERM) in SAP GRC.  Also please tell me how the internal control frameworks like COSO, COBIT is mapped to ERM in SAP GRC.
    Regards
    Vivek

    Dear Vivek,
    While assigning roles to users, you will be shown the risks identified with those roles, if any. You can either mitigate them or remove the roles.
    The process covered by GRC Risk Management includes the following steps:
    -Risk Planning: Determines the approach to risk management in each business area or project. This includes setting up the risk management organization and defining risk thresholds. This phase is partially supported by a software application.
    -Risk Identification and Analysis: Identifies the risks in order to analyze and prioritize them along different attributes, such as probability of occurrence and potential total loss associated with the risk.
    -Risk Response: Decides on actions needed to respond to a risk. One action could be to actively mitigate the risk to reduce probability of occurrence and/or potential impact.
    -Risk Monitoring: Includes the regular update of risk information and the risk reporting to monitor progress along the risk management process.
    The Risk Management application provides a set of different reporting capabilities based on the individual needs of the target groups:
    -A set of built-in reports that are delivered with the application. These reports allow risk managers to review the current risk state.
    -Visual Composer based dashboards that provide information about the current risk status on an aggregated basis. The dashboards fulfill the risk reporting needs of senior managers and line managers.
    Step 1: You maintain the Risk structure
    1. You set up the organizational hierarchy
    2. You set up the Activity Hierarchy
    3. You set up the Risk Hierarchy
    Step 2: You perform the Risk Assessment
    1. You identify the risks
    2. You analyze the risks
    3. You respond to risks
    4. You document the Incidents
    Step 3: You analyze risk reports
    1. You generate risk reports
    2. You report the incidents
    Step 4: You analyze the dashboards
    Refer SAP documentation on GRC for more information.
    Regards,
    Naveen.

  • SAP GRC note required

    Hello all,
    Can someone tell me how to view the Java tables (on the GRC server) to see whether all tcodes and objects are there? None of our full SoD roles are showing any conflicts. We have the SU24 action and permission level files uploaded but still no conflicts.
    Can anyone tell me the SAP note number where they define the procedure for how to view the Java tables on the GRC server?
    Thanks

    Hi Junaid,
    If you're looking for a list of tables and definitions for generating custom reports, check note 1369045.
    But I guess you are just looking for tables to see whether they are filled; check some threads like this:
    Most commonly used tables in SAP GRC & SAP HR
    I guess checking the database tables could be OK as a first view, but it should not be the way to do the error analysis. The naming convention for the tables is clear.
    Cheers,
    Diego.
    Edited by: Diego I. Yaryura on Dec 15, 2011 4:37 AM

  • SAP GRC NF-e 10.0: Error in the NFB2B_procNFe_IB interface (containing CDATA)

    Hello everyone.
    Could you please help me with the issue below?
    I have the following problem in the NFB2B_procNFe_IB interface of SAP GRC NF-e 10.0 (Support Package 15):
    We receive a series of XMLs from car manufacturers that contain additional information in the <infAdProd> and <infCpl> tags, for example:
      <infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44<![CDATA[<ID ITEM=005115/><PED=4500159772/> <UM=PC/>]]></infAdProd>
    However, when this message is inserted into the NFB2B_procNFe_IB interface, the interface interprets it as follows:
        <infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44
          <![CDATA[
            <ID ITEM=005115/>
            <PED=4500159772/>
            <UM=PC/>]]>
            </infAdProd>
    As a result, the following error occurs:
    <nm:ExchangeFaultDataExt xmlns:nm="http://sap.com/xi/NFE/common" xmlns:prx="urn:sap.com:proxy:NED:/1SAI/TAS8DFA2846CCAA9B6570C6:702">
      <faultText>Error during transformation: end of element '{http://www.portalfiscal.inf.br/nfe}infAdProd' expected. Program: /1SAI/SAS6F90159886715E7C4560 Path: nfeProc(1)NFe(1)infNFe(1)det(4)infAdProd(3)ID(1)</faultText>
      </nm:ExchangeFaultDataExt>
    I know we have some options, such as:
    1. Change the XML in the PI mapping (this would work for messages processed through PI, but I would not be able to insert an XML manually via SE80);
    2. Change the XML in ABAP when executing the class /XNFE/CL_006NFB2B_PROC_NFE_IB (doing some replace of the "<" and ">" characters with "&lt;" and "&gt;").
    But how can this be done without damaging the signature of the XML, which is already signed and authorized at SEFAZ?
    Is there any SAP Note that fixes this problem?
    Thanks in advance for your attention.
    Rodrigo Costa.

    Felipe,
    I also had the same problem on the NTB2B_procNFe_OB side. I tried several ways to transform the XML so that it would conform to what the customer expects, but PI always changed the XML (possibly because of the encoding).
    I saw many posts on the subject, but from the days of GRC NF-e 1.0, with the signature done in Java. For GRC 10.0 that does not work, because when the XML reaches PI it is already signed, so nothing can be changed.
    The solution in these specific cases was to send the XML through ECC itself.
    But for NFB2B_procNFe_IB there is still no solution.
    Regards,
    Rodrigo.
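    Rodrigo's option 2 above (replacing "<" and ">" with "&lt;" and "&gt;") raises the question of whether that alters what the signature covers. The following is an added example, not from the thread and not SAP code; it shows what an XML canonicalizer does with the <infAdProd> content. An XML-DSig DigestValue is computed over the canonical form of the signed element, and both Canonical XML 1.0 (which NF-e signatures reference) and the Canonical XML 2.0 implemented by Python's xml.etree canonicalize() replace a CDATA section with its escaped character content, whereas line breaks and indentation inserted into the text, as in the reflowed output above, are character data and do change it. The <det nItem="4"> fragments are constructed from the post's example and are not a complete or signed NF-e; the thread does not say which transforms the signature's Reference applies or where in the SAP flow the reflow happens, so the example shows only what canonicalization itself does, not that it resolves the interface error.

```python
"""Added example, not from the thread or from SAP: what an XML canonicalizer does with the
<infAdProd> content above. XML-DSig digests are computed over the canonical form, and both
Canonical XML 1.0 (used by NF-e signatures) and the 2.0 flavour implemented by the stdlib's
canonicalize() replace a CDATA section by its escaped character content. The <det> fragments
below are constructed from the post's example; they are not a complete or signed NF-e."""
import hashlib
from xml.etree import ElementTree as ET

NS = "http://www.portalfiscal.inf.br/nfe"
PREFIX = f'<det xmlns="{NS}" nItem="4"><infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44'

# As received: the extra data is wrapped in a CDATA section.
AS_RECEIVED = PREFIX + '<![CDATA[<ID ITEM=005115/><PED=4500159772/> <UM=PC/>]]></infAdProd></det>'
# Option 2 from the post: the same characters with entity escapes instead of CDATA.
ESCAPED = PREFIX + '&lt;ID ITEM=005115/&gt;&lt;PED=4500159772/&gt; &lt;UM=PC/&gt;</infAdProd></det>'
# What the interface produced: the same markup reflowed with newlines and indentation.
REFLOWED = (f'<det xmlns="{NS}" nItem="4">\n  <infAdProd>VLR. PIS R$ 6,81 VLR. COFINS R$ 31,44\n'
            '    <![CDATA[\n      <ID ITEM=005115/>\n      <PED=4500159772/>\n      <UM=PC/>]]>\n'
            '  </infAdProd>\n</det>')
# CDATA delimiters dropped: the extra data is now read as markup, and here it is not even well-formed.
UNWRAPPED = PREFIX + '<ID ITEM=005115/><PED=4500159772/> <UM=PC/></infAdProd></det>'


def parses(xml):
    """True if the fragment is well-formed XML."""
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False


def inf_ad_prod(xml):
    """(text content, number of child elements) of <infAdProd>; CDATA content is text, not children."""
    el = ET.fromstring(xml).find(f"{{{NS}}}infAdProd")
    return el.text, len(el)


def canonical(xml):
    """Canonical XML bytes (C14N 2.0; whitespace in text is kept, as a DigestValue transform keeps it)."""
    return ET.canonicalize(xml).encode("utf-8")


def digest(xml):
    """Hex SHA-1 over the canonical bytes, the way an XML-DSig DigestValue is formed (NF-e uses RSA-SHA1)."""
    return hashlib.sha1(canonical(xml)).hexdigest()


if __name__ == "__main__":
    print("CDATA vs escaped, same canonical bytes:", canonical(AS_RECEIVED) == canonical(ESCAPED))
    print("CDATA vs reflowed, same digest:", digest(AS_RECEIVED) == digest(REFLOWED))
    print("unwrapped still parses:", parses(UNWRAPPED))
```

    The first comparison comes out True: after canonicalization the CDATA form and the entity-escaped form are byte-identical, so a digest taken over the canonical element is the same for both. The second comes out False: the reflowed variant carries extra whitespace inside the text nodes and its digest differs. The last comes out False because, without the CDATA delimiters, <ID ITEM=005115/> has an unquoted attribute value and is not well-formed XML, which is the shape of the error the interface reports (it sees ID as a child of infAdProd).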
