
1.1 SAPGRC AC Initial Setup Validation

The document discusses setting up and configuring connectors in SAP GRC 10.0. It describes creating target connectors for backend systems like SAP and LDAP, then defining the connector type and settings. Connectors allow GRC to communicate with and integrate with other systems. The document also mentions grouping similar connectors to simplify maintenance.

Uploaded by

anon_960281148

SAP GRC 10.0 – Path to Implementation
Access Control (AC) Initial Setup Validation
Table of Contents
• Access Control (AC) Configuration
• Post Install Validation
• General Configuration
• Application Activation
• Connector Setup
• BC Sets Activation
• AC 10.0 Workflow Initial Set-up
Learning Objectives
By the end of this module, you will be able to:
• Understand Access Control (AC) configuration.
• Activate applications in client.
• Create and maintain Connectors.
• Activate BC Sets.
• Activate Initial Workflow Configuration
• Activate Profile for SAP delivered Roles
• Create Initial User
Access Control (AC) Configuration
SAP GRC 10.0 – Post-Install Validation

[Diagram: post-install validation steps – Activating Applications in Client; Create RFCs (Connectors); Maintain Connector Groups; Define AC Connectors; Maintain AC Connector Settings; BC Sets Activation; AC 10.0 Workflow Initial Set-Up]
General Configuration
GRC AC 10.0 Configuration
• Centralized for all modules
• Performed in two interconnected locations
  – SAP NetWeaver Frontend (transaction NWBC)
  – SAP IMG (transaction SPRO)
Setup – AC Frontend
Path: Access Control (AC) → Setup
• Components grouped in centralized GRC instance (instead of separating components between modules)
• Primary configuration in AC frontend includes:
  – Organizations (Mitigation Configuration)
  – SoD, Critical Access, Organizational, and Supplemental Rules (Risks and Functions)
  – Mitigations
  – Central Access Management (Firefighter)
  – AC Access Owner Lists
Setup – AC Frontend (cont.)
[Diagram: AC frontend Setup menu groups]
• Access Risk Analysis: Risks, Functions, Rules
• Exception Access Rules: Organization and Supplementary Rules
• Critical Access Rules: Critical Roles, Profiles
• Organizations: Organization Structure
• Generated Rules: Summary and Detail
• Superuser Assignment: Owners, Firefighter IDs
• Mitigating Controls: Manage Mitigations
• Superuser Maintenance: Firefighters, Controllers, Reason Codes
• Access Owners: Access Control Owners, Role Owners
Setup – SAP IMG Backend
Path: IMG → Governance, Risk and Compliance (GRC)
• Most technical AC configuration in SAP IMG (transaction SPRO)
• Common configuration settings (e.g., Connectors, Business Processes/Sub-processes)
• Limited module-specific configuration tasks
• AC 10.0 designed as single configuration versus module-based approach
Setup – SAP IMG Backend (cont.)

[Diagram: GRC 10.0 Central Instance]
• Common Configuration Tasks: Target Connectors, Logical System Groups, Configuration Parameters, Workflow, Role Methodology, Synchronization Jobs, Business Processes, Sub-processes, Organization
• ARA: Rule Sets
• User Access Management: User Request form
• Role Management: Role Master Data
Activating Applications in Client
Activating Applications in Client
• Driver
  – Application activation is required to begin configuration of the tool
  – Activating applications in the client allows settings to be turned on
• Capability Highlights
  – Implementation Guide (IMG) setting initialization
  – Allows applications to be active within the tool
  – Drives initial configuration settings
Activating Applications in Client (cont.)
Path: Governance, Risk and Compliance → General Settings → Activate Applications in Client
Activating Applications in Client (cont.)
• Business Value
  – Choosing new entries in a client
• Capability Highlights
  – Allows a user to select applications to activate
  – Includes Access Control, Risk Management, and Process Control
Activating Applications in Client – New Entries
Connectors
Connectors
Connectors are the vehicles to link SAP GRC AC to other systems:
[Diagram: SAP GRC 10.0 at the center, linked to]
• SAP: DEV, QA, Prod; ECC, BW, SRM, etc.
• Oracle: Oracle Financials, Databases
• Other: Peoplesoft, JD Edwards, any other connectable system
Connectors
Use Connectors to establish interaction between Access Control and various SAP and non-SAP systems. Customize Connectors to manage multiple data sources and define how Access Control communicates with back-end systems.
• Commonly used back-end systems include:
  – ABAP Systems – Maintains core SAP functionality in stack
  – Enterprise Portal – Manage user access for clients with web-based interaction for SAP
  – Non-SAP Systems – Existing systems outside of SAP requiring provisioning
  – LDAP – Pre-population of User, Manager, and Requestor data in Access Request form
  – Verification/Training Systems – Confirmation of training requirements
  – Identity Management (IdM) Solutions – When integrated with UP provides an enterprise-wide provisioning solution
Creating and Maintaining Connectors
• Driver
  – Establishing connection between AC & target systems (SAP/Non SAP) allows for analysis, reporting, and provisioning through GRC
• Capability Highlights
  – User able to specify what system to connect
  – Multiple configuration options to ensure that GRC 10.1 connects to the correct environment
  – Allows a user to select which connection to use
  – Can be a LDAP system, Local Data Sources, SAP system, etc.
Create Connectors
Path: IMG → GRC → Common Component Settings → Integration Framework
• Connectors are maintained in the SAP GRC 10.0 host instance
• Creation Steps
  1. Create the Connector
  2. Assign the Connector to a Connector Type
Create Connectors (cont.)
Path: GRC → Common Component Settings → Integration Framework → Create Connectors
• Created using Type 3 – ABAP Connection
• User ID and Password must exist on the target instance
  – Communication or system user
Create Connectors (cont.)
• Define Destination and Connection Type
• Connector Name must be the same across Access Control components
• Enter Description
• Data fields are defined within configuration guide
Create Connectors (cont.)
Path: GRC → Common Component Settings → Integration Framework → Maintain Connectors and Connection Types
• In the Central GRC IMG double-click Define Connectors
• Configure Connector
  – Enter Target Connector - [your target connector name]
  – Enter SAP Connection Type - [EP, FILE, LDAP, LOCAL, SAP, SPML1, SPML2, WS]
  – Select SAP for SAP connectors, EP for SAP Portal, and LDAP for client User Directories (e.g. MS Active Directory, SunOne, Novell e-Directory, etc.)
  – Enter Source Connector - [the GRC 10.0 instance]
  – Enter Logical Port - [your target connector]
  – Enter Max No. of BG WP - [number of background work processes]. Verify with Basis Support at the client
Maintain Connectors
Define Connectors
• Target Connectors are used to create a Connector for an SAP system
• Ports and other fields are configured when a Target Connector is used
Maintain Connectors
• Connectors are created for a GRC 10.0 instance, an LDAP instance, etc.
• Each system connected to GRC 10.0 must have a Target Connector
Maintain Connectors
• Connector Groups allow for any group to be created
• Connector Groups are used to maintain and manage Connectors
• Groups are available for Basis Connectors, R3 Connectors, LDAP Connectors, etc.
Maintain Connectors
• Assigning Connectors to Group Types simplifies Connector maintenance
• Connector Groups share similar characteristics
Maintain Connectors
• Business Value
  – Allows for similar Connectors to be managed together
• Capability Highlights
  – Facilitates searching, editing, and maintaining Connectors
  – Simplifies system
Maintain Connector Settings
• Driver
  – Connector settings are easy to maintain through the IMG. They are not defined in the Connector itself
  – Connector settings define what scenarios will be performed in the target system (i.e. user provisioning, risk analysis, role management or superuser privilege management)
• Capability Highlights
  – Connector settings are modified directly within the IMG
  – Connector settings are used to ensure that the correct Connector is created for GRC 10.1 communication
  – Connector settings are not configured during connector creation
Maintain Connector Settings (cont.)
Maintain Connector Settings (cont.)
• Add all the target connectors which AC will provision users to.
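An added example (not from the original deck): a Python check that applies the connector rules stated in the slides above to an inventory of connected systems, RFC destinations, connectors and provisioning settings. The record layout, field names and sample values are constructed for illustration and are not an SAP export format.

```python
# Connection types listed on the "Define Connectors" slide.
ALLOWED_TYPES = {"EP", "FILE", "LDAP", "LOCAL", "SAP", "SPML1", "SPML2", "WS"}
# The deck requires the RFC user to be a communication or system user.
RFC_USER_TYPES = {"communication", "system"}

def audit_connectors(systems, destinations, connectors, provisioning):
    """Return sorted (system, finding) pairs for a connector inventory."""
    dest = {d["name"]: d for d in destinations}
    conn = {c["target"]: c for c in connectors}
    findings = []
    for name, needs_provisioning in systems.items():
        c = conn.get(name)
        if c is None:  # every connected system must have a Target Connector
            findings.append((name, "no target connector defined"))
            continue
        if c["conn_type"] not in ALLOWED_TYPES:
            findings.append((name, f"unknown connection type {c['conn_type']!r}"))
        if c["conn_type"] == "SAP":
            d = dest.get(name)  # connector name must match across components
            if d is None:
                findings.append((name, "no RFC destination with the connector's name"))
            else:
                if d["rfc_type"] != "3":
                    findings.append((name, "RFC destination is not type 3 (ABAP connection)"))
                if d["user_type"] not in RFC_USER_TYPES:
                    findings.append((name, f"RFC user {d['user']} is a {d['user_type']} user"))
        if not c.get("group"):
            findings.append((name, "not assigned to a connector group"))
        if needs_provisioning and name not in provisioning:
            findings.append((name, "missing from provisioning connector settings"))
    return sorted(findings)

# Constructed sample inventory: system name -> should AC provision users to it?
SYSTEMS = {"ECCDEV100": True, "ECCPRD100": True, "BWPRD100": False, "ADLDAP": False}
DESTINATIONS = [
    {"name": "ECCDEV100", "rfc_type": "3", "user": "GRC_RFC", "user_type": "system"},
    {"name": "ECCPRD100", "rfc_type": "3", "user": "JSMITH", "user_type": "dialog"},
]
CONNECTORS = [
    {"target": "ECCDEV100", "conn_type": "SAP", "group": "R3"},
    {"target": "ECCPRD100", "conn_type": "SAP", "group": None},
    {"target": "ADLDAP", "conn_type": "AD", "group": "LDAP"},
]
PROVISIONING = {"ECCDEV100"}  # connectors that have provisioning settings

if __name__ == "__main__":
    for system, finding in audit_connectors(SYSTEMS, DESTINATIONS, CONNECTORS, PROVISIONING):
        print(f"{system}: {finding}")
```

The dialog-user finding is the one to review first: a connector that logs on with a personal dialog account ties cross-system access to one person's credentials.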
BC Sets Activation
Business Configuration Sets
Customizing settings within SAP GRC are bundled by processes into Business Configuration Sets (“BC Sets”). BC Sets make customizing more transparent by documenting and analyzing the customizing settings. They can also be used for a group rollout, where the customizing settings are bundled by the group headquarters and passed on in a structured way to its subsidiaries.
Advantages of using BC Sets:
• Efficient group rollout
• Industry sector systems are easier to create and maintain
• Customizing can be performed at a business level
• Change management is quicker and safer
• Upgrade is simpler
BC Sets Activation
• Activate BC Sets via transaction SCPR20
• Business Configuration Sets are templates of configuration that are put in place for Workflow
• BC Set is activated and then modifications to Workflow are made from the template in place
Listing of BC Sets
• Multiple BC Sets are loaded into GRC 10.0
• BC Sets can be Activities within SAP GRC 10.0
• Before a BC Set is activated, consider what it is implementing to
AC 10.0 Workflow Set-Up
AC 10.0 Workflow Set-Up
• Multi Stage Multi Path (MSMP) workflow can be configured with a standard or customized set of rules and logic to determine approval routes for a process within AC
• MSMP consists of the following components: initiators, rules, agents, notification variables, paths, and stages, which are used to configure routes and paths with desired approvers on the system.
• All modules are integrated as one specific component
• Individual and customized workflow can be configured for all the below AC work processes:
  – Access request
  – Control assignment
  – Mitigation control maintenance
  – Fire Fighter log report review
  – Function approval
  – Risk approval
  – Role approval
  – Segregation of Duties (SOD) risk review
  – User access review
Activate Common Workflow
• Call transaction SPRO again
• Click SAP Reference IMG
• Access Workflow node under Governance, Risk and Compliance > General Settings
• Execute Perform Automatic Workflow Customizing
AC 10.0 Workflow Set-Up
• Execute Perform Automatic Workflow Customizing
• Make sure that all tasks are green after the generation, as shown in the screenshot
• Note: you may have to create a transport request
• If you receive an error message during the activation procedure, check in SU01 whether the created system user "WF-BATCH" has sufficient roles assigned – see SAP Note 1251255 and the GRC Security Guide.
AC 10.0 Workflow Set-Up – Activating Event Linkage
AC 10.0 Workflow Set-Up – Assign Agents
• Execute Perform Task-Specific Customizing
• Expand the GRC node.
• Click the Assign Agents link at the right side of the GRC node.

Note: if no folders are visible below the "GRC" folder, please run report "RS_APPL_REFRESH" in SE38
AC 10.0 Workflow Set-Up – Assign Agents
• Assign Task as General Task via Task Attribute.
• Make sure all tasks that are not using Background task have been assigned as General Task.
Knowledge Check
Which of the following is the correct order of AC configuration?

A. Activate Applications in Client -> Set-up Master Data -> Activate BC Sets -> Create & Maintain Connectors
B. Activate Applications in Client -> Create & Maintain Connectors -> Activate BC Sets -> Set-up Master Data
C. Set-up Master Data -> Create & Maintain Connectors -> Activate BC Sets -> Activate Applications in Client
D. Activate Applications in Client -> Set-up Master Data -> Activate BC Sets -> Create & Maintain Connectors
Knowledge Check
Most customizing activities for GRC can be done through which transaction?

A. SCPR20
B. SPRO
C. SM59
D. BRF+
Security & Roles
Roles in GRC 10.0
• Business Value
  – Roles are used to authenticate user access
• Capability Highlights
  – Multiple roles are used to authenticate access
  – Roles are assigned to users in backend ABAP system and the NetWeaver front-end (GUI roles)
  – Permissions do not need to be granted in the User Management Engine (UME)
Activate Profile of Roles Delivered by SAP
• Activate profile of roles delivered by SAP via transaction PFCG if you want to use them directly
• For the list of the roles, please refer to Security Guide - here is an example of the SAP-GRC-NWBC role
• Please use transaction "SUPC" for mass profile generation in case you want to generate profiles for multiple roles
Create the Initial User in GRC 10.0 ABAP system
• Call transaction SU01, create a user
• Assign following role to access GRC applications, such as AC
  – SAP_GRAC_BASE
• Assign following power user role to the person doing the customization of the product
  – SAP_GRAC_ALL
• Assign following role to the business users
  – SAP_GRC_FN_BUSINESS_USER
• Assign following role if you use NWBC as front end UI
  – SAP_GRC_NWBC
Summary
You should now be able to:
• Understand Access Control (AC) configuration.
• Activate applications in client.
• Create and maintain Connectors.
• Activate BC Sets.
• Activate Initial Workflow Configuration
• Activate Profile for SAP delivered Roles
• Create Initial User
