SAP GRC - Post Installation Guide

GRC 10.
0 Post-Installation
Customer Solution Adoption
June 27th 2011
Version 1.4
Purpose of this document
This guide covers the basic steps required for the post-installation of GRC
in general, before performing the solution specific (e.g. AC, PC or RM)
post-installation tasks.
Disclaimer
This presentation outlines our general product direction and should not be relied on in
making a purchase decision. This presentation is not subject to your license agreement
or any other agreement with SAP. SAP has no obligation to pursue any course of
business outlined in this presentation or to develop or release any functionality
mentioned in this presentation. This presentation and SAP's strategy and possible future
developments are subject to change and may be changed by SAP at any time for any
reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of
merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no
responsibility for errors or omissions in this document, except if such damages were
caused by SAP intentionally or grossly negligent.
© 2011 SAP AG. All rights reserved. 3

Topics
1.Client Copy
2.Activating Applications in Client
3.Check SAP ICF Services
4.Activating BC Sets
5.Creating the Initial User in the ABAP System
6.Activate Profile of Roles Delivered by SAP
7.Activate Common Workflow

Client Copy
For more information specific to GRC 10.0, see SAP Note: 1505255.
See http://help.sap.com and search for Client Copy.

Topics
1.Client Copy

Activating Applications in Client 1/3
Call the customizing with transaction

SPRO
Choose SAP Reference IMG
Expand the Governance, Risk and
Compliance > General Settings node
and choose Activate Applications in
Client

Choose New Entries

Click the first row and select the GRC solution(s) required for your project
Then choose the Active checkbox
Click Save
Note: you may have to create a transport request

Topics
1.Client Copy

Check SAP ICF Services 1/4
Call transaction SICF

Click the Execute icon

Expand the node default_host -> sap -> public

Right click public and choose Activate Service
Choose Activate Service for all sub-nodes

Proceed likewise with the node default_host -> sap -> bc

Activate all sub-nodes too

Now activate the node default_host -> sap -> grc

Also activate all sub-nodes

Topics
1.Client Copy

Activating BC Sets 1/5
Call transaction SPRO again

Click SAP Reference IMG
Click Existing BC Sets in the next screen

Select a BC Set
Click “BC Sets for Activity”

From the menu choose Goto  Activation Transaction

These BC sets can also be activated via transaction code SCPR20

Activate the corresponding BC sets.

Proceed likewise for all required PC, RM, and/or AC BC sets
For a complete list of BC Sets please refer to the PC/RM/AC install guide!

When activating always use “Expert” mode

Topics
1.Client Copy

Creating the Initial User in the ABAP System
Call transaction SU01, create a user

Assign following role to access GRC applications, such as AC
 SAP_GRC_FN_BASE
Assign following power user role to the person doing the customization of the product
 SAP_GRC_FN_ALL
Assign following role to the business users
 SAP_GRC_FN_BUSINESS_USER
Assign following role if you use NWBC as front end UI instead of Portal
 SAP_GRC_NWBC

Topics
1.Client Copy

Activate Profile of Roles Delivered by SAP
• Activate profile of roles delivered by SAP via transaction PFCG if you want to use them
directly
• For the list of the roles, please refer to Security Guide - here is an example of the SAP-GRC-
NWBC role
• Please use transaction “SUPC” for mass profile generation in case you want to generate
profiles for multiple roles

Topics
1.Client Copy

Activate Common Workflow
Call transaction SPRO again

Click SAP Reference IMG
Access Workflow node under
Governance, Risk and Compliance >
General Settings
Execute Perform Automatic Workflow
Customizing

Perform Automatic Workflow Customizing (1/2)
Execute Perform Automatic

Workflow Customizing
Make sure that all tasks are green
after the generation as show in the
screenshot
Note: you may have to create a
transport request
During the activation procedure you
might receive an error message,
then check the created system user
„WF-BATCH“ in SU01 if the user
has sufficient roles assigned – see
SAP Note 1251255 and the GRC
Security Guide.
You may need to run program
RHSOBJCH to fix HR control tables

Perform Automatic Workflow Customizing (2/2)
Maintain the Prefix Numbers to your needs or like shown in the screenshot

Perform Task-Specific Customizing 1/5
Execute Perform Task-

Specific Customizing
Expand the GRC node.
Click the Assign Agents
link at the right side of the
GRC node.
Note: if no folders are visible below the “GRC“ folder please run report “RS_APPL_REFRESH” in SE38
Assign Task as General

Task via Task Attribute.
Make sure all tasks that are
not using Background
task have been assigned
as General Task.

Click Activate event

linking

Click the Properties

icon
Set the Linkage
Status to No
errors
Make sure Event
linkage activated
is checked.
Set Error feedback
to Do not change
linkage
Be sure to activate
all WS.

Repeat the first four

steps to activate the
solutions you need (e.g.
for Access Control
“GRC-AC”)
Note: task-specific
customizing for GRC-AC
is not available in case
you have the GRC plug-
ins installed in your GRC
system, check the
Appendix for perfoming
the customizing in this
case

Activate Crystal Reports
In IMG you need to

check this option to be
able to see report
tables also as Crystal
Reports

Appendix – Task-Specific customizing with plugins
In case you have the GRC plugins installed also in the central GRC instance the
task-specific customizing for Access Control is not visible in IMG as shown below.

Event Linkage (1/2)
Go to transaction SWE2 and maintain the following linkages by double clicking on
each line in Change mode.

Event Linkage (2/2)
Set these parameters per event linkage item

Assign Agents (1/4)
Go to transaction PFTC and select the type and task as shown below, you need
to repeat the whole process for each item.
Display Approval webdynpro Appl TS 76307918

Display Role Approval App TS 76307944
user access review approval task TS 76307964
Access Request Approval Workflow WS76300056
Role approval UI task TS 76307966
User Access Review Workflow WS76300082
GRAC Read Stage TS 76307967
Function Approval Workflow WS76300084
GRAC Read Stage TS 76308011
Mitigation Control Maintenance WS76300088
GRAC Diaplay Approval for AR TS 76308013
Risk Approval Workflow WS76300085
Access Request Approval dialog TS 76308021
SOD Risk Review Workflow WS76300081
Access Request Approval dialog TS 76308026
Role Approval Workflow WS76300080
SPM Audit Review Approval TS 76308028
Fire Fighter Log Report Review WF WS76300089
RAR Rule for Function Approval TS 76308029
Control Assignment Approval Workflow WS76300087
Role Assignment Review Workflow WS76300086
Display Approval webdynpro RAR Risk TS 76308038
Role assignement dialog step TS 76308056
Control assignment approval dialog TS 76308057

Assign Agents (2/4)
Then go to Additional Data  Agent assignment  Maintain. If the “Transfer

container elements” window shows answer always “No”

Assign Agents (3/4)
Now select “Attributes” and change the task to General Task

Assign Agents (4/4)
After you have changed all tasks you need to activate the workflows tasks using
transaction SWDD

© 2011 SAP AG. All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
without the express permission of SAP AG. The information contained herein may be Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
changed without prior notice. mentioned herein as well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP company.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
registered trademarks of Sybase, Inc. Sybase is an SAP company.
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, All other product and service names mentioned are the trademarks of their respective
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, companies. Data contained in this document serves informational purposes only. National
z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, product specifications may vary.
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, The information in this document is proprietary to SAP. No part of this document may be
OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, reproduced, copied, or transmitted in any form or for any purpose without the express prior
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, written permission of SAP AG.
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered This document is a preliminary version and not subject to your license agreement or any
trademarks of IBM Corporation. other agreement with SAP. This document contains only intended strategies, developments,
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. and functionalities of the SAP® product and is not intended to be binding upon SAP to any
particular course of business, product strategy, and/or development. Please note that this
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or
document is subject to change and may be changed by SAP at any time without notice.
registered trademarks of Adobe Systems Incorporated in the United States and/or other
countries. SAP assumes no responsibility for errors or omissions in this document. SAP does not
Oracle is a registered trademark of Oracle Corporation. warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind,
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. either express or implied, including but not limited to the implied warranties of
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are merchantability, fitness for a particular purpose, or non-infringement.
trademarks or registered trademarks of Citrix Systems, Inc. SAP shall have no liability for damages of any kind including without limitation direct,
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World special, indirect, or consequential damages that may result from the use of these materials.
Wide Web Consortium, Massachusetts Institute of Technology. This limitation shall not apply in cases of intent or gross negligence.
Java is a registered trademark of Sun Microsystems, Inc. The statutory liability for personal injury and defective products is not affected. SAP has no
control over the information that you may access through the use of hot links contained in
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for these materials and does not endorse your use of third-party Web pages nor provide any
technology invented and implemented by Netscape. warranty whatsoever relating to third-party Web pages.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries.

SAP GRC - Post Installation Guide

Uploaded by

Copyright:

Available Formats

SAP GRC - Post Installation Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SAP GRC - Post Installation Guide

Uploaded by

Copyright:

Available Formats

GRC 10.

© 2011 SAP AG. All rights reserved. 3

© 2011 SAP AG. All rights reserved. 4

© 2011 SAP AG. All rights reserved. 5

© 2011 SAP AG. All rights reserved. 6

Call the customizing with transaction

© 2011 SAP AG. All rights reserved. 7

Choose New Entries

© 2011 SAP AG. All rights reserved. 8

© 2011 SAP AG. All rights reserved. 9

© 2011 SAP AG. All rights reserved. 10

Call transaction SICF

© 2011 SAP AG. All rights reserved. 11

Expand the node default_host -> sap -> public

© 2011 SAP AG. All rights reserved. 12

Proceed likewise with the node default_host -> sap -> bc

© 2011 SAP AG. All rights reserved. 13

Now activate the node default_host -> sap -> grc

© 2011 SAP AG. All rights reserved. 14

© 2011 SAP AG. All rights reserved. 15

Call transaction SPRO again

© 2011 SAP AG. All rights reserved. 16

© 2011 SAP AG. All rights reserved. 17

From the menu choose Goto  Activation Transaction

© 2011 SAP AG. All rights reserved. 18

Activate the corresponding BC sets.

© 2011 SAP AG. All rights reserved. 19

When activating always use “Expert” mode

© 2011 SAP AG. All rights reserved. 20

© 2011 SAP AG. All rights reserved. 21

Call transaction SU01, create a user

© 2011 SAP AG. All rights reserved. 22

© 2011 SAP AG. All rights reserved. 23

© 2011 SAP AG. All rights reserved. 24

© 2011 SAP AG. All rights reserved. 25

Call transaction SPRO again

© 2011 SAP AG. All rights reserved. 26

Execute Perform Automatic

© 2011 SAP AG. All rights reserved. 27

© 2011 SAP AG. All rights reserved. 28

Execute Perform Task-

Assign Task as General

© 2011 SAP AG. All rights reserved. 30

Click Activate event

© 2011 SAP AG. All rights reserved. 31

Click the Properties

© 2011 SAP AG. All rights reserved. 32

Repeat the first four

© 2011 SAP AG. All rights reserved. 33

In IMG you need to

© 2011 SAP AG. All rights reserved. 34

© 2011 SAP AG. All rights reserved. 35

© 2011 SAP AG. All rights reserved. 36

© 2011 SAP AG. All rights reserved. 37

Display Approval webdynpro Appl TS 76307918

© 2011 SAP AG. All rights reserved. 38

Then go to Additional Data  Agent assignment  Maintain. If the “Transfer

© 2011 SAP AG. All rights reserved. 39

Now select “Attributes” and change the task to General Task

© 2011 SAP AG. All rights reserved. 40