GRC100: GRC Principles and Harmonization
Participant Handbook
Course Version: 96
Course Duration: 2 Days
Material Number: 50104436
An SAP course - use it to learn, reference it for work
Copyright
Copyright © 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Trademarks
• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.
Disclaimer
THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.
About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.
Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description
Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.
Example text: Emphasized words or phrases in body text, titles of graphics, and tables.
EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.
Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
© 2011 SAP AG. All rights reserved.
Icons in Body Text
The following icons are used in this handbook. Icon meanings:
• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.
Contents
Course Overview ... vii
  Course Goals ... vii
  Course Objectives ... viii
Unit 1: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 ... 1
  Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 ... 3
  GRC Solution Overview ... 17
  GRC Convergence ... 24
  Key Features and Benefits ... 30
  Integration ... 40
Unit 2: Information Architecture, Security and Authorizations ... 67
  Information Architecture ... 68
  Security and Authorizations ... 80
Unit 3: The GRC 10.0 User Interface ... 99
  Work Centers ... 100
  Harmonized Navigation in the GRC 10.0 Portal ... 121
Unit 4: Common Functions and Data ... 143
  Common Functions and Data Overview ... 144
  User Interface Configuration Framework ... 151
  Shared Master Data ... 159
Unit 5: Implementation and Configuration ... 183
  Streamlined Configuration ... 184
  Functional Implementation ... 197
Unit 6: Reporting ... 217
  Harmonized Reporting Framework ... 218
Course Overview
This hands-on workshop provides an introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0, including solution harmonization, the implementation process, and how GRC helps you to manage compliance and regulations.
Target Audience
This course is intended for the following audiences:
• Implementation Consultants
• Key Technical Business Users involved in a GRC 10.0 project
• IT Governance Experts
• Consultants for SAP Security and GRC
• IT Auditors
• Business Project Team Leaders
Course Prerequisites
Required Knowledge
• Knowledge of integrated processes in an SAP system
• Knowledge of authorization concepts in an SAP system
Recommended Knowledge
• Practical knowledge of business processes
• Practical knowledge of software implementations
Course Goals
This course will prepare you to:
• Discuss the integrated GRC 10.0 solution and its business benefits
• Describe solution key features and benefits
• Describe solution integrations and their business use
• Explain relevant information architecture, security and authorization topics
• Navigate work centers, assign delegates, and personalize the Work Inbox
• Explain shared master data concepts
• Identify common and component-specific IMG nodes
• Describe project teams and key steps in the functional implementation process
• Use report functionality in the harmonized reporting framework
Course Objectives
After completing this course, you will be able to:
• Introduce SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
• Identify key governance, risk, and compliance processes supported in the GRC 10.0 solution
• Describe key features and business benefits of the integrated solution
• Identify applications that integrate with the GRC 10.0 solution
• Describe the purpose and location of key user interface components
• Discuss harmonized navigation and how authorizations affect what users see
• Describe how common functions and relative master data are shared across GRC solutions
• Describe the IMG organization for GRC 10.0
• Describe a general implementation process and key steps
• Configure report presentation, structure, and content
Unit 1: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

Unit Overview
This unit introduces the GRC solution, presents examples of compliance regulations from various regions of the world, and provides an overview of solution components. GRC convergence and the business benefits of an integrated solution are discussed, as well as how GRC addresses disconnects between risks, policies, and compliance. Solution key features and benefits, as well as integration topics, are also presented.
Unit Objectives
After completing this unit, you will be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
• Identify key governance, risk, and compliance processes supported in GRC 10.0
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
• Discuss how particular applications integrate with the GRC 10.0 solution
Unit Contents
Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 ... 3
Lesson: GRC Solution Overview ... 17
Lesson: GRC Convergence ... 24
Lesson: Key Features and Benefits ... 30
Lesson: Integration ... 40
Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

Lesson Overview
This lesson presents an introduction to SAP BusinessObjects Governance, Risk, and Compliance and how this solution helps companies to proactively balance risk and opportunity. Also presented are compliance initiatives from various regions of the world and the benefits of an integrated solution.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
Business Example
Company policy states that material risks need to be identified, documented and managed to avoid any disruption to business activities and to safeguard the reputation of the company. Some risks arise from legal regulation, such as:
• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• German Federal Data Protection Act
Others are not regulated by law but have become the "standard" or "best practice" for remaining compliant with other regulations (such as Control Objectives for Information and Related Technology (COBIT) or the IT Infrastructure Library (ITIL)), or are risks inherent to a specific industry or company environment (such as oil and gas or mining). Risks can be found in many areas, such as business processes and procedures, security and user access, and IT infrastructure and solution administration, to name a few. SAP BusinessObjects Governance, Risk, and Compliance (GRC) can help to document and manage the prevention and/or detection of the identified risks, and also to document and manage the mitigation or remediation of the identified risks or issues. This solution can also serve as an audit trail during period-end review processes.
GRC Solution Introduction
Figure 1: Risk
Companies like this realize that risks can have a detrimental impact on performance. They understand the link between risk and performance, and they understand how to optimize their business in light of risks to which they are exposed. The GRC solution helps companies to prevent, manage, and respond to risks.
Figure 2: Meaning for Everyone, Everywhere, Anytime
GRC requirements are pervasive. Knowledge of your business and the related risks, compliance and policy requirements is critical for everyone, everywhere. Regardless of your industry, and regardless of where you sit in the organization, there is a set of questions that you are left to answer.
Figure 3: The Cost of Not Knowing
The cost can be significant if you:
• Are not able to answer important questions about your business
• Cannot confidently address complex and constantly changing regulatory requirements
• Cannot link your investments in GRC programs to performance
Figure 4: Proactively Balance Risk and Opportunity
SAP BusinessObjects GRC solutions help companies to proactively balance risk and opportunity through three main concepts:
• Customers can better manage risk, compliance, and other GRC initiatives
• Customers can better protect their value
• Organizations can perform better
Ultimately, the goal is to enable organizations to see all risks and compliance issues so that they can make optimal decisions in light of both the opportunity ahead and the related risks.
Figure 5: Solution Architecture Capability Model
This solution architecture is a capability model illustrating the broad range of capabilities incorporated in SAP's GRC solutions.
Note: This capability model is not meant to represent the technical architecture in any way.
SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities: Analyze, Manage and Monitor. Successful GRC programs have capabilities and supporting technologies that cross these three areas.
Figure 6: Manage, Protect, Perform
SAP BusinessObjects GRC solutions are delivered through four primary solutions that help customers automate risk and compliance, protect their value and optimize their performance:
Figure 7: Enterprise GRC: Risk-Intelligent Management of Enterprise Performance
Companies that are able to build a level of risk intelligence, and leverage this to increase performance, are able to do so by focusing on the three core capabilities listed above.
Figure 8: Access Risk Management
Business Challenge
Companies today continue to struggle to effectively manage access risk, with segregation of duties and excessive access rights showing as top contributors to fraud and audit findings. Regulatory requirements increase, often resulting in multiple compliance teams across departments relying on manual compliance processes. With thousands of users, roles, and processes to test, and with multiple compliance applications taxing IT resources, excessive time is spent documenting processes for auditors instead of focusing on business operations. This fragmented and costly approach to managing access risk leads to reactive, rather than proactive, access risk prevention, inefficient compliance processes, and a lack of real-time visibility into access risk.

Solution
SAP BusinessObjects Access Control addresses these challenges by enabling businesses to confidently manage and reduce access risk across the enterprise. It helps to prevent unauthorized access, including segregation of duties (SoD) conflicts and critical access, and to achieve real-time visibility into access risk, minimizing the time and cost of access risk management. The Access Control solution unifies access risk analysis and remediation, business role management, compliant identity management, and emergency privilege management, and provides a holistic, enterprise-wide view in real time. It can help ensure day-to-day compliance, provide comprehensive management oversight, and support effective and complete audits. The result is an improved ability to protect information and prevent fraud while minimizing the time and cost of access risk management.
Figure 9: Global Trade Services
Today's global environment is increasingly dynamic and unpredictable – making international trade risky, volatile, and costly. These realities include complex trade compliance demands, fluctuating transportation costs, and increasing cross-border regulations, and drive the need for advanced global trade solutions.
SAP BusinessObjects Global Trade Services helps companies automate trade compliance and accomplish three key goals:
1. Better manage global trade operations
2. Ensure ongoing compliance
3. Optimize the cross-border supply chain
Figure 10: Continuous Transaction Monitoring
GRC's continuous transaction monitoring solution allows you to identify and correct errors, waste, abuse, policy violations, and potential fraud. These issues can only be revealed through in-depth analysis of transactions that are recorded as business activities are completed. This in-depth analysis allows you to achieve three key benefits:
1. Improve the quality and speed of your business processes
2. Increase insight into business activities
3. Increase margin contribution
Figure 11: The SAP Difference
In summary, some key benefits of the GRC solutions are:
• The most comprehensive set of capabilities available
• Proactive monitoring across key risk indicators and compliance effectiveness
• Solutions are delivered with industry-specific risk, compliance, and process content
• Solutions are proven
Regional Compliance Regulations
Figure 12: Compliance Regulations & Standards
Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions. In addition, compliance can also be to international or national standards. These items are not put into regulatory law, but do become best practice to follow, or may be required by a particular vendor, as in the case of PCI DSS, which stands for Payment Card Industry Data Security Standard. This is a contractual agreement by the U.S. Payment Card Industry to ensure the safe handling of cardholder information at every step, so it is about security standards for account data protection and not a legal regulation.
Figure 13: Regional Compliance Regulations: USA, Canada, Latin America
Figure 14: Regional Compliance Regulations: Europe, Middle East, Africa
Figure 15: Regional Compliance Regulations: Asia Pacific
Figure 16: Fragmentation
In many organizations, implementing policies, identifying and measuring risks, and supporting regulatory mandates takes place at the departmental level. The organizational fragmentation resulting from disconnected, departmental activities can result in inconsistent policies, difficulty predicting risk, a lack of enterprise transparency, and duplication of effort. As an organization increases its collaboration with partners and suppliers, the consequences of organizational fragmentation intensify. The organization will be held accountable for good governance and compliance not only within the confines of its own enterprise, but also across the extended enterprise, so risk increases.
Figure 17: Integrated Governance, Risk, and Compliance
Organizations need an integrated approach if they want to move towards operational excellence. They need an approach that simplifies GRC, rather than treating governance, risk, and compliance as isolated disciplines, and that dramatically reduces cost, provides complete compliance and risk visibility, and easily adapts to change. SAP's GRC solution embeds GRC into the way companies do business, into every business process, and provides an integrated approach to governance, risk, and compliance initiatives.
Lesson Summary
You should now be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
Lesson: GRC Solution Overview

Lesson Overview
This lesson presents an overview of the GRC 10.0 solution and how each component contributes to covering people, processes, and products.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify key governance, risk, and compliance processes supported in GRC 10.0
Business Example
A company is looking for solutions available to assist in managing their Governance, Risk and Compliance (GRC) initiatives. SAP BusinessObjects GRC offers several solutions that help manage compliance with legal regulations and internal company policies, including:
• Access Control: segregation of duties documentation and analysis; security role management; user access management; emergency access management
• Process Control: document, monitor and review processes; document and monitor remediation of issues
• Risk Management: document, monitor, and review key risk indicators (KRIs)
• Global Trade Services: manage and document trade information globally; produce documentation for customs officials for cross-border shipments
• Electronic Invoicing for Brazil (Nota Fiscal Eletronica): Brazilian electronic invoice requirement
Key Governance, Risk, and Compliance Processes Supported in GRC 10.0
Figure 18: Key Processes: Risk Management Process
The Risk Management process allows the company to identify, mitigate and monitor critical business risks that may have a negative impact on an organization's performance, goals and objectives. The enterprise risk management (ERM) process allows management to prioritize often scarce resources to mitigate the company's highest-risk areas.
Figure 19: Key Processes: Compliance Management
Compliance Management provides documentation of compliance structures and related compliance initiatives. A risk-based approach to scoping helps focus control evaluation efforts on those control activities with the greatest likelihood of failure and potential negative impact on the enterprise. Compliance evaluations include self-assessments and management assessments using user-definable surveys, as well as manual testing using test plans and automated testing and monitoring using business rules. If exceptions are identified during the evaluation process, issues are created and assigned for remediation. Once identified, users review the issues and determine how they will be processed.
Figure 20: Key Processes: Audit Management
Audit Management involves risk-based audit planning, preparation, fieldwork, execution and reporting. This involves use of the SAP NetWeaver Audit Management application, and it is not covered here because of the focus on Risk Management, Process Control and Access Control solutions.
Figure 21: Key Processes: Policy Management
Policy Management provides end-to-end management of corporate policies aligned with risk and compliance management including creation, localization, distribution, and acknowledgement.
Figure 22: Key Processes: Access Risk Management
Access Risk Management provides the ability to manage and monitor user privileges, while ensuring compliance with security policies related to segregation of duties and restriction of critical permissions. You can prevent, monitor and manage access conflicts present at the system, infrastructure, and application levels.
Figure 23: Key Processes: Trade Management
Trade Management involves controlling the cost and risk of international trade by ensuring compliance with global regulations, accelerating trade activity, and minimizing duties. SAP BusinessObjects Electronic Invoicing for Brazil (Nota Fiscal Eletronica) supports companies in complying with the requirements of the Brazilian authorities for electronic invoicing.
Lesson Summary
You should now be able to:
• Identify key governance, risk, and compliance processes supported in GRC 10.0
Lesson: GRC Convergence

Lesson Overview
This lesson explains why convergence is important and discusses how GRC closes the performance loop when there are disconnects between risks, policies, and compliance.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
Business Example This lesson presents an example of a global enterprise that sees an opportunity to grow.
Business Benefits of an Integrated Solution
Figure 24: GRC Convergence Survey Response
In terms of governance, risk and compliance, SAP believes strongly in the topic of convergence, and according to executives from across the world, many of them also find this to be a very relevant topic. In February 2010, KPMG released a global survey on GRC. Working with the Economist Intelligence Unit, they surveyed 542 executives from a wide range of industries and regions, with approximately 1/3 from each major region of the world. One of the very consistent themes that arose in this survey was that almost 2/3 of the respondents (64%) said that GRC convergence was a priority for their organization. But what does this mean, and why is it important? As was stated in the report and also echoed by many SAP customers, GRC is a topic that has unfortunately become too unwieldy in most organizations. As people try to get their arms around GRC, they find that it is too costly, requires too many resources, and leaves them exposed to undue risk. Our customers are telling us that they believe GRC convergence will help them to start addressing these issues by reducing their costs, which is good, but most importantly by reducing their risk exposure and improving the overall performance of their businesses.
Figure 25: Example depicting the importance of GRC Convergence
Leadership sets a strategy to increase penetration in some of the markets that they serve. As in many well-run organizations, when executive leadership says jump, the team jumps. In this example, a variety of related operational initiatives are put into place by different lines of business. Sales and marketing performs analysis to establish and accept a target for the expanded penetration. That analysis is communicated to production planning. That team then makes plans to increase production. The manufacturing team works with strategic sourcing to identify the need for an increased supply of raw materials. They decide on two suppliers for a critical component that, based upon known performance and other factors, can meet the demand. Manufacturing ramps up additional capacity and pushes more product off the line. Distribution works to get the product into the targeted markets. Sales and marketing work to get the product into customers' hands and, ultimately, achieve success.
Figure 26: Core Issues
Ultimately this brings us to what we see as "the core issue": how do you close the performance loop when there is a clear disconnect between risks, policies and compliance? Add to this the complex composition of most modern companies, a myriad of business processes spanning organizations across several regions, coupled with differing compliance requirements, and the answer is unfortunately that you can't. First of all, there is a lot of duplication of effort as organizations try to solve this problem, often duplicating activities and technologies in addressing this issue. But even more important is that without getting a clear view into these elements and understanding them, most companies have undue or even catastrophic risks lurking within that they are unable to identify or remediate. SAP believes that GRC convergence can help address this problem and is uniquely qualified to deliver solutions to support this movement.
How GRC Addresses Disconnects Between Risks, Policies, and Compliance
Figure 27: Comprehensive Approach to GRC
Enterprise GRC refers to a platform that enables organizations not only to gain visibility into all of their risk and compliance activities, but also to manage more efficiently across the disciplines of risk management, compliance management, audit management, policy management and access management. SAP is committed to enabling customers to realize GRC convergence, a key aspect of which is to ensure that GRC is optimized for SAP, but not tethered to SAP. Many customers maintain hybrid environments or have chosen a different business process platform. The GRC 10.0 solution is designed to be tightly integrated with SAP, and can leverage adapters from technology partners and open APIs such as web services to work loosely with other platforms as well. While the application process stack is key, partnering with vendors like CA, Novell, and Sensage extends the GRC platform across the IT stack, including IT infrastructure and applications, which takes into account categories like identity management integration. GRC's content framework allows close work with both system integrators and technology service providers to provide out-of-the-box content that gives customers with specific business scenarios a starting point. Through integration with SAP Performance Management, GRC is truly able to close the performance loop by ensuring that risks are tied closely to key performance indicators in the strategic management process, that risk influences the planning or supply chain process, and that controls can be tied to consolidation processes to ensure a compliant close.
Lesson Summary
You should now be able to:
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
Lesson: Key Features and Benefits
Lesson Overview
This lesson introduces key features and benefits of the GRC 10.0 solution.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
Business Example
A company is looking for improved ways to efficiently and effectively manage its Governance, Risk and Compliance areas and to reduce the cost of such an effort. The company is also looking for a more unified platform to reduce the amount of training needed to increase the skills of its workforce, reduce hardware utilization, and reduce the cost of audit services. SAP BusinessObjects GRC 10.0 is now on a common platform on which Risk Management, Process Control, and Access Control are combined into a single solution with a unified work space and improved reporting and audit trail functionality. The common platform will reduce the time needed to train users, because the user interface is the same across all three of the mentioned solutions, and will allow for improved efficiency in IT maintenance. Global Trade Services and Nota Fiscal Eletronica also utilize this platform.
Common Technical Platform
Figure 28: Common Technical Platform Purpose and Value
The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions. Sharing is optional because some customers prefer a “silo approach,” whereas others seek to consolidate and integrate their GRC activities. GRC 10 reduces the total cost of ownership due to lower overall implementation, administrative and maintenance costs, as GRC solutions now leverage a common technology (ABAP) platform and appropriately shared Implementation Guide (IMG).
Figure 29: Common Technical Platform Enhancements and Benefits
Enhanced Visualization and Streamlined Navigation
Figure 30: Enhanced Visualization and Streamlined Navigation Purpose and Value
Enhanced Visualization and Streamlined Navigation: Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (for example, one inbox, not three) and facilitates sharing of data and functions.
The menu items that the individual user sees within each work center are controlled by that user's GRC roles. This also enables data shared across components to be viewed differently by different users.
Figure 31: Visualization and Streamlined Navigation Enhancements and Key Benefits
Configurable User Interface
Figure 32: Configurable User Interface Purpose and Value
Configurable User Interface allows configuration to determine field status by application components. For example, the organization field “Average Cost per Control” can be shown for those users authorized for Process Control and hidden for those users authorized for Access Control. Field statuses (required field, optional field, displayed, or hidden) can be selected by field by component or even regulation, if applicable. Changes to the field status are reflected in the user interface without requiring programming.
Figure 33: Configurable User Interface Enhancements and Benefits
The configurable user interface allows customers to configure without programming:
1. Which fields are relevant to regulations, or even to specific regulations
2. Which fields are relevant to each underlying component
3. Which fields should be mandatory, optional, or hidden
4. Which fields can be changed locally and which must be maintained centrally. For Process Control, the assignment of subprocess to organization has been made more flexible to allow local editing of some fields in a control while disallowing editing of other fields.
Improved Reporting
Figure 34: Improved Reporting Purpose and Value
Improved Reporting: GRC reporting leverages the SAP Business Suite ABAP List Viewer (ALV)-Crystal integration framework to present and personalize ABAP (Web Dynpro) reports and convert them into Crystal reports. This lowers total cost of ownership and extends the benefits and functionality of Crystal without the need for a separate SAP BusinessObjects Enterprise server.
Figure 35: Reporting Enhancements and Benefits
Enhanced Policy Management
Figure 36: Enhanced Policy Management Purpose and Value
Enhanced Policy Management: Policy Management provides complete lifecycle management for corporate policies, and it aligns policies with risk and compliance management activities. Effective policy management reduces enterprise risk and improves corporate governance with management guidance for the organization’s behavior, actions, and decision-making processes.
Figure 37: Policy Management Enhancements and Benefits
Enhanced Business Rule Framework
Figure 38: Enhanced Business Rule Framework Purpose and Value
Enhanced Business Rules for Automated Testing and Monitoring: The enhanced, user-configurable rule engine gives customers maximum flexibility in defining their automated rules. You can now monitor a much wider range of back end systems, consume data from non-SAP systems without needing third-party tools, process asynchronous events, and automatically analyze SAP Basis change logs.
Figure 39: Business Rule Framework Enhancements and Benefits
Content Lifecycle Management
Figure 40: Content Lifecycle Management Purpose and Value
Content Lifecycle Management (CLM) supports check-in, version control, comparisons, and deployment of packaged content. CLM also formalizes the ability to export structured content out to Excel and check changes back in—an enormous productivity boost for initial implementations, getting content into GRC from legacy or reference systems, periodic updates, and expanding implementations.
Figure 41: Content Lifecycle Management Solution Enhancements and Benefits
Lesson Summary
You should now be able to:
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
Lesson: Integration
Lesson Overview
This lesson gives an overview of various integrations to and within the GRC 10.0 solution.
Lesson Objectives
After completing this lesson, you will be able to:
• Discuss how particular applications integrate with the GRC 10.0 solution
Business Example
1. Your organization is using SAP BusinessObjects Access Control 10.0 to analyze and manage access risk. You want to use SoD analysis results automatically, weekly or monthly, to mitigate a risk identified in Process Control.
2. Handling some responses for risks appears to be a complicated and time-consuming process with a lot of resources involved. Therefore, having projects in the appropriate SAP application (Project System) based on such responses is a good way to track response status and completeness.
3. During the internal and external auditing of this fiscal year, auditors address compliance and operational problems outside of the control evaluation cycle. These issues need to be documented and tracked for the improvement of the organizational compliance status. Creating an issue helps to speed up the identification of risk, which may lead to putting timely actions in place to mitigate exposure. Timely issue resolution prevents spending excessive time and effort in resolving any negative impacts that a delayed resolution may lead to.
Integration Overview
The GRC 10.0 solution integrates with several other systems and applications, both across the solution and for specific solution components.
Figure 42: GRC 10.0 Solution Integration Overview
Access Control Integration
Figure 43: Access Control Integration Overview
Access Control Integration for Shared Master Data
Figure 44: Access Control Integration for Shared Master Data
Shared Organization Hierarchy
With a shared organization hierarchy, you can:
• Centrally maintain organizations and the organization hierarchy
• Use one organization hierarchy in the Access Control, Process Control, and Risk Management solutions
• Access the organization hierarchy from the Access Control, Process Control, and Risk Management solutions
• Maintain different views of organization structures to adapt them to your needs
Mitigating Controls
You can create mitigating controls within Access Control from the Analysis Results screen after executing User Risk Analysis. You can also create mitigating controls from the Process Control user interface with Business Processes. To create from Process Control:
1. Add a mitigating control ID
2. Assign an access risk, mitigation monitor, and mitigation approver
3. Now this control can be utilized in Access Control for mitigating an access risk
Organization Views
To add an organization view, from the back-end system, execute Transaction SPRO, then choose SAP Reference IMG → Governance, Risk, and Compliance → Shared Master Data Settings → Maintain Organization Views → Maintain Organization Views Configuration.
Note: While creating more entries with the same name, but a different application component, you can specify for which of the components the hierarchy should be used.
Users and Owners
Owners are responsible for the correctness of risks, roles, mitigating controls, and so on. These owners have different responsibilities throughout Access Control; however, only Mitigation Monitors and Mitigation Approvers may be assigned to controls and are therefore shared with Process Control and Risk Management.
Access Control Integration: HR Triggers
The HR Triggers functionality of Access Control 10.0 allows the creation of automatic access requests, corresponding to changes in master data in SAP or non-SAP HR systems. When an event is triggered in the SAP HR system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in Access Control. The request can be processed through workflow and can be provisioned to the back-end system by direct assignment or indirect assignment. The configuration of HR Triggers in Access Control 10.0 includes the configuration of actions, rules, and field mapping.
Note: Users do not need to complete an access request form.
Figure 45: HR Integration Process Flow
HR Triggers Process Flow Overview
1. User is maintained in the HR system
2. A change in the HR system triggers a call to a function module in the GRC system to create the request (GRAC_GET_HR_TRIGGER_DATA)
3. The information is presented to the HR Trigger BRFplus rules and evaluated
4. Based on the BRF rules created in the GRC system, the changes are evaluated and the BRF rules return results that correspond to the actions maintained in the IMG settings for HR triggers
Access Control and Identity Management (IdM) Integration Overview
Identity Management (IdM) solutions provide the key infrastructure to manage user accounts in multiple back-end systems. Access Control currently provides integration with IdM solutions for enterprise-wide, compliant provisioning. The integration of Access Control and Identity Management enables customers to deploy an automated, business- and risk-driven Access Control solution enterprise-wide. With this solution, business owners can control access, security posture and risk based on business-relevant values without requiring the domain-specific knowledge for each of the IT systems.
GRC Access Control provides robust integration with IdM solutions and continues to focus on its core competencies of risk, SoD and remediation. To support this strategy, Access Control integrates with market-leading IdM vendors like Sun and Novell, and is integrated and optimized for SAP NetWeaver IdM.
User Provisioning Scenarios with IdM Integration
Two scenarios are supported: GRC-driven provisioning and IdM-driven provisioning.
Figure 46: Access Control - Identity Management Supported Scenarios
GRC-driven provisioning is initiated in GRC, provisioned by GRC for SAP systems, and provisioned in IdM for non-SAP systems. IdM-driven provisioning is initiated in IdM, submitted to GRC through Web Services, provisioned by GRC for SAP systems, and provisioned in IdM for non-SAP systems.
Figure 47: GRC-Driven Provisioning Process Flow
Figure 48: IdM-Driven Provisioning
Process Control Integration
Process Control Integration Overview
Integrations for Process Control 10.0 include:
• Process Integration
• SoD Integration
Figure 49: Process Integration
Process Integration allows you to monitor deficiencies in other systems. The Process Integration Proxy must be completed before you can proceed on the portal.
Figure 50: Process Integration Job Result
Configure Process Integration, then create an automated monitoring job to test for control deficiencies. Results appear both in the Job Monitor and as a workflow task if the deficiency is high or medium.
Process Control - SoD Integration
If you identify a risk in Process Control, you can use Access Control's SoD analysis results to mitigate that risk.
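The logic behind this integration, written as an added example that is not part of the course material or of the SAP products: an access risk is a set of conflicting functions, a user who holds all of them has a violation, and a mitigating control created in Process Control (with its mitigation monitor and approver, as in the Mitigating Controls steps above) changes the finding's status; it also applies the job rule stated above, that only an unmitigated High or Medium deficiency raises a workflow task. All function, role, user, risk and control names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class AccessRisk:
    risk_id: str
    description: str
    functions: FrozenSet[str]  # a user violates the risk only when holding ALL of these
    level: str                 # "High", "Medium" or "Low"


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    risk_id: str   # the access risk this control mitigates
    monitor: str   # mitigation monitor (owner type shared with Process Control / Risk Management)
    approver: str  # mitigation approver


@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    level: str
    status: str      # "Violation" or "Mitigated"
    control_id: str  # empty when no mitigating control is assigned


# --- constructed sample master data; not taken from any real system ---
# Function: a business task and the actions (transactions) that perform it
FUNCTIONS: Dict[str, Set[str]] = {
    "F_VENDOR_MAINT": {"CREATE_VENDOR", "CHANGE_VENDOR"},
    "F_VENDOR_PAY": {"POST_VENDOR_PAYMENT", "RUN_PAYMENT_PROGRAM"},
    "F_PO_CREATE": {"CREATE_PURCHASE_ORDER"},
    "F_GOODS_RECEIPT": {"POST_GOODS_RECEIPT"},
}

RISKS: List[AccessRisk] = [
    AccessRisk("SOD_AP_01", "Create a fictitious vendor and pay it",
               frozenset({"F_VENDOR_MAINT", "F_VENDOR_PAY"}), "High"),
    AccessRisk("SOD_P2P_01", "Order goods and confirm their receipt",
               frozenset({"F_PO_CREATE", "F_GOODS_RECEIPT"}), "Medium"),
]

ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "CHANGE_VENDOR"},
    "Z_AP_PAYMENTS": {"POST_VENDOR_PAYMENT", "RUN_PAYMENT_PROGRAM"},
    "Z_BUYER": {"CREATE_PURCHASE_ORDER"},
    "Z_WAREHOUSE": {"POST_GOODS_RECEIPT"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # whole payables cycle: SOD_AP_01
    "AKHAN": {"Z_BUYER", "Z_WAREHOUSE"},        # orders and receives: SOD_P2P_01
    "MLEE": {"Z_BUYER"},                        # one side only: no conflict
}

# Mitigating control created from Process Control and assigned to one user for one risk
CONTROLS: Dict[Tuple[str, str], MitigatingControl] = {
    ("AKHAN", "SOD_P2P_01"): MitigatingControl(
        "MC_PO_GR_REVIEW", "SOD_P2P_01", monitor="CONTROLLER1", approver="FIN_DIRECTOR"),
}


def user_actions(user: str) -> Set[str]:
    """All actions a user can execute through the roles assigned to them."""
    return set().union(*(ROLES[role] for role in USER_ROLES.get(user, set())))


def held_functions(actions: Set[str]) -> Set[str]:
    """A function is held when the user can execute at least one of its actions."""
    return {name for name, acts in FUNCTIONS.items() if acts & actions}


def analyze_user(user: str, risks=RISKS, controls=CONTROLS) -> List[Finding]:
    """User risk analysis: report each risk whose conflicting functions the user holds."""
    held = held_functions(user_actions(user))
    findings = []
    for risk in risks:
        if not risk.functions <= held:
            continue
        control = controls.get((user, risk.risk_id))
        findings.append(Finding(
            user, risk.risk_id, risk.level,
            "Mitigated" if control else "Violation",
            control.control_id if control else ""))
    return findings


def analyze_all(users=USER_ROLES) -> List[Finding]:
    """Run the analysis for every user, as a periodic SoD job would."""
    return [f for user in sorted(users) for f in analyze_user(user)]


def requires_workflow_task(finding: Finding) -> bool:
    """Only an unmitigated High or Medium deficiency raises a workflow task;
    everything else is visible in the Job Monitor alone."""
    return finding.status == "Violation" and finding.level in ("High", "Medium")
```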
Figure 51: SoD Integration
Figure 52: View Job Step Result for SoD Integration in Job Monitor
The monitor allows you to see all job results without receiving a task.
Figure 53: View Job Step Related Data in Job Monitor
You have access to the same hyperlinks the person receiving a workflow task receives.
Figure 54: Prerequisites for SoD Integration
Before you can complete the SoD Integration, you must have completed all the steps listed above. Multiple role owners will have to complete these steps, or someone with GRC_ALL.
Risk Management Integration
Risk Management integrates with several other systems to help users identify and manage risk from one location.
Figure 55: Risk Management Integration Overview
Risk Management - SAP Project System Integration
Project System Integration allows you to:
• Trigger automatic creation of a project definition in Project System from Risk Management
• Track the status of the project definition from the remote Project System
A Risk Manager is not required to have any Project System background to create a project out of a Risk Management response. The project is actually maintained by a Project Manager or another responsible person and Risk Managers may only track the current status of the project they created. Current status is obtained by a periodic background job. The Risk Manager just opens the response.
Figure 56: Integration with project system: Process Flow
Plant Maintenance Integration
Some responses for risks require that service, maintenance, or quality inspection procedures be performed on technical objects or fixed assets. Therefore, automatic creation of Plant Maintenance notifications directly from Risk Management can be helpful in this regard.
Figure 57: Risk Management Integration with Plant Maintenance
The Risk Manager is not required to have any Plant Maintenance background to create a notification out of a Risk Management response. A notification is actually processed by a Plant Maintenance manager or another responsible person, and the Risk Manager may only track the current status of the notification created. Current status is obtained by a periodic background job. To see this, the Risk Manager just opens the response.
Figure 58: Response Automation - Integration with SAP Plant Maintenance: Process Flow
Environmental Health & Safety Integration
Some enterprise risks can be related to the environment and worker safety. SAP has a separate solution, Environmental Health & Safety, where such risks can be processed by solution-specific mechanisms that are absent in operational risk management. Having these risks in Risk Management as well allows users to track all the enterprise risks with one application (Risk Management). Analysis Automation creates an Environmental Health & Safety risk assessment out of a risk analysis in Risk Management, tracks its probability and severity values, and replicates them to the corresponding analysis parameters according to the rules predefined in Customizing.
Figure 59: Environmental Health & Safety Integration Overview
Note: A Risk Manager is not required to have any Environmental Health & Safety background to create an Environmental Health & Safety risk assessment out of a risk analysis. The risk assessment is actually processed by an Environmental Health & Safety manager or another responsible person, and the Risk Manager may only track the current probability and impact level of the risk he or she created. Current values are obtained by a periodic background job. To see this, the Risk Manager just opens the analysis.
Figure 60: Analysis Automation - Integration with Environmental Health & Safety: Process Flow
Risk Management - Issue Management Integration
Issue Management allows the management of issues identified outside of the standard testing and assessment process.
Figure 61: Issue Management Integration
Features include:
• Enables a reporting process for risk- and compliance-related issues outside of standard evaluation processes
• Supports central categorization and management of issues
• Allows flexible determination of appropriate responses/remediation procedures
• Provides enterprise-wide visibility of issues and their remediation statuses
Note: Ad hoc issues can be created during the Aggregation of Deficiencies and Sign-Off level, but currently are not considered. If you create an issue while working these tasks, you do not get an error message.
Policy Management Integration
You can set up automatic updates of response completeness for all responses created based on the policy. Each time the policy status is updated, the response completeness is updated accordingly. If you would like to customize the automatic response completeness update based on policy status, execute Transaction SPRO → Risk Management → Response and Enhancement Plan → Responses for Policies → Link Policy Status and Response Completeness. Then execute the task Policy Status and Response Completeness link.
Lesson Summary
You should now be able to:
• Discuss how particular applications integrate with the GRC 10.0 solution
Unit Summary
You should now be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
• Identify key governance, risk, and compliance processes supported in GRC 10.0
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
• Discuss how particular applications integrate with the GRC 10.0 solution
Test Your Knowledge
1. How can you begin to leverage your Governance, Risk, and Compliance programs to optimize performance? Choose the correct answer(s).
□ A Know your business
□ B Know business-related risks
□ C Know compliance and policy requirements
□ D Know what reserves your company has for litigation
2. SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities: Choose the correct answer(s).
□ A Avoid
□ B Analyze
□ C Monitor
□ D Manage
3. Continuous Transaction Monitoring helps you to confidently manage and reduce access risk enterprise-wide. Determine whether this statement is true or false.
□ True
□ False
4. Continuous Transaction Monitoring provides protection against fraud, waste, misuse, and errors. Determine whether this statement is true or false.
□ True
□ False
5. Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions. Determine whether this statement is true or false.
□ True
□ False
6. Implementing policies and supporting regulatory mandates at the departmental level is an example of ________. Fill in the blanks to complete the sentence.
7. The Enterprise Risk Management process allows management to prioritize scarce resources to mitigate the company's highest risk areas. Determine whether this statement is true or false.
□ True
□ False
8. Which component in the SAP BusinessObjects GRC solution supports Compliance Management by providing documentation of compliance structures and related compliance initiatives? Choose the correct answer(s).
□ A Risk Management
□ B Access Control
□ C Process Control
□ D Global Trade Services
9. Which component in the SAP BusinessObjects GRC solution provides the ability to manage and monitor user privileges? Choose the correct answer(s).
□ A Risk Management
□ B Access Control
□ C Process Control
□ D Global Trade Services
10. When it comes to managing governance, risk, and compliance efforts, GRC Convergence helps companies: Choose the correct answer(s).
□ A Reduce costs and required resources
□ B Reduce risk exposure
□ C Reduce reporting requirements
□ D Improve overall business performance
11. Enterprise GRC enables organizations to more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management, and access management. Determine whether this statement is true or false.
□ True
□ False
12. The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions because some customers prefer a silo approach. Determine whether this statement is true or false.
□ True
□ False
13. Streamlined user navigation with shared work centers emphasizes each component rather than function. Determine whether this statement is true or false.
□ True
□ False
14. The Configurable User Interface allows configuration to determine: Choose the correct answer(s).
□ A Field status by application components
□ B Field status by regulation
□ C A and B
□ D None of the above; programming is required
15. Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations? Choose the correct answer(s).
□ A HR Triggers
□ B SAP Issue Management
□ C Identity Management
□ D SAP Crystal Reports
16. SoD Integration is between which solution components? Choose the correct answer(s).
□ A Process Control and Risk Management
□ B Access Control and Risk Management
□ C Process Control and Access Control
□ D Process Control, Access Control, and Risk Management
17. With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components. Determine whether this statement is true or false.
□ True
□ False
Answers
1. How can you begin to leverage your Governance, Risk, and Compliance programs to optimize performance? Answer: A, B, C
Knowledge of your business, related risks, and compliance and policy requirements is the starting point for leveraging your Governance, Risk, and Compliance programs to optimize performance.
2. SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities: Answer: B, C, D
Analyze, Manage, and Monitor are the three main areas of capabilities.
3. Continuous Transaction Monitoring helps you to confidently manage and reduce access risk enterprise-wide. Answer: False
The statement is false. Access Risk Management helps you to confidently manage and reduce access risk enterprise-wide.
4. Continuous Transaction Monitoring provides protection against fraud, waste, misuse, and errors. Answer: True
The statement is true.
5. Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions. Answer: True
The statement is true.
6. Implementing policies and supporting regulatory mandates at the departmental level is an example of fragmentation. Answer: fragmentation
Implementing policies and supporting regulatory mandates at the departmental level is an example of fragmentation.
7. The Enterprise Risk Management process allows management to prioritize scarce resources to mitigate the company's highest risk areas. Answer: True
The statement is true.
8. Which component in the SAP BusinessObjects GRC solution supports Compliance Management by providing documentation of compliance structures and related compliance initiatives? Answer: C
The correct answer is Process Control.
9. Which component in the SAP BusinessObjects GRC solution provides the ability to manage and monitor user privileges? Answer: B
The answer is Access Control.
10. When it comes to managing governance, risk, and compliance efforts, GRC Convergence helps companies: Answer: A, B, D
GRC Convergence helps companies reduce costs and required resources, reduce risk exposure, and improve overall business performance.
11. Enterprise GRC enables organizations to more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management, and access management. Answer: True
The statement is true.
12. The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions because some customers prefer a silo approach. Answer: True
The statement is true.
13. Streamlined user navigation with shared work centers emphasizes each component rather than function. Answer: False
Streamlined user navigation with shared work centers emphasizes function rather than component.
14. The Configurable User Interface allows configuration to determine: Answer: C
The Configurable User Interface allows configuration to determine field status by application components and by regulation.
15. Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations? Answer: A, C, D
HR Triggers, Identity Management, and SAP Crystal Reports are all logical integrations with the Access Control solution.
16. SoD Integration is between which solution components? Answer: C
SoD Integration is between Process Control and Access Control.
17. With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components. Answer: True The statement is true.
Unit 2: Information Architecture, Security and Authorizations
Unit Overview
This unit describes the GRC 10.0 information architecture and the harmonization goals of that architecture. In addition, authorization concepts and role requirements are discussed as they relate to the user interface.
Unit Objectives
After completing this unit, you will be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface
Unit Contents
Lesson: Information Architecture .................................................. 68
Exercise 1: Connect to the System and View IMG Structure .............. 73
Lesson: Security and Authorizations .............................................. 80
Exercise 2: View Role Assignments .......................................... 85
Lesson: Information Architecture
Lesson Overview
This lesson presents the information architecture for the GRC 10.0 solution.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
Business Example
You want to do some online shopping and access a retailer's web site to get started. The buttons, tabs, and other navigation items that you see in the user interface represent the information architecture.
The Importance of the Information Architecture
Figure 62: Information Architecture Example
The information architecture (IA) determines the presentation of user interface elements:
• Menu structure
• Tabs
• Navigation alternatives
The IA presents the application or solution to its users and defines much of the initial user experience.
Harmonization Goals of the Information Architecture
Goals of information architecture harmonization include:
• Providing a consistent user experience across GRC
• Optimizing for users of multiple GRC applications by minimizing redundancy and streamlining navigation
• Enhancing the user experience while providing users the tools needed to do their job
Figure 63: Information Architecture Harmonization
The goal of information architecture harmonization for GRC solutions is to provide an easier and more consistent user experience for users who may interact with multiple GRC products.
Major Changes to the Information Architecture
Figure 64: Prior Information Architecture: PC 3.0, RM 3.0, and AC 5.3
In these screen samples from prior versions, navigation is separate for each component. Users with cross-product responsibilities had to navigate each application separately, and even log in multiple times if Access Control, Process Control, and Risk Management were all used. This also resulted in multiple inboxes, multiple document searches, and so on.

The GRC 10.0 Information Architecture:
• Provides direct navigation to Access Control, Process Control and Risk Management components
• Eliminates redundant menu items
• Varies based upon user authorization
• Allows configuration changes for the SAP NetWeaver Portal component or SAP NetWeaver Business Client software
Figure 65: GRC 10.0 Information Architecture in SAP NetWeaver Portal Component
This is an excerpt of the updated information architecture as seen in the SAP NetWeaver Portal component by a user with authorization crossing multiple underlying components. As an example of streamlining, note that there is a single shared work inbox (no longer multiple inboxes) for AC, PC and RM. The user navigates the work centers (tabs) based upon the tasks they need to perform or the data they need to access, not the product they wish to use. This better supports the concept of GRC convergence and facilitates appropriate sharing of data and functions.
Figure 66: GRC 10.0 Information Architecture in the SAP NetWeaver Business Client
This is a similar look at the information architecture, this time as seen in the SAP NetWeaver Business Client software.
Exercise 1: Connect to the System and View IMG Structure

Exercise Objectives
After completing this exercise, you will be able to:
• Connect to the training environment
• Log on to the GRC 10.0 system ABAP client, NWBC and SAP GUI
• Identify high-level nodes for IMG Customizing

Business Example
You must connect to the training environment before you can log on to the GRC 10.0 system for this course. You will use the ABAP client and the NetWeaver Business Client (or SAP GUI) to perform various tasks. From the ABAP client view, you will access the IMG, where customizing activities are performed, and view its high-level structure.
Task 1: Connect to the Training Environment
1. Open a browser window and enter http://mywts.sap.com in the address bar.
2. Choose EMEA, then choose Training under CORP.
3. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop
1. Click Start → Run. Enter mstsc.exe in the Run dialog box, then click OK.
2. Enter the system name provided by your instructor, then click Connect.
3. Enter Train-XX as your user name, where XX is your Participant ID. Enter password initial.
4. Click OK in the Language Dialog box.
Task 3: Log On to the GRC 10.0 ABAP Client
1. Click Start → SAP Logon.
   Note: If you do not see the Start button in the lower left corner, you may need to maximize the Remote Desktop window.
2. Choose ZMC, then click Log On.
3. Enter User ID XX_Custom, where XX is your Participant ID. Enter password initial, then click the system OK icon or press Enter.
4. Note the user menu items displayed for your User ID.
Task 4: Access the IMG for Customizing Activities
1. Enter Transaction SPRO in the transaction field, then click the system OK icon.
2. Click SAP Reference IMG.
3. Expand the Governance, Risk, and Compliance node.
4. View the nodes listed here. This is where you perform customizing activities and maintain configuration settings for the GRC solution. Note that there are nodes for shared configuration settings as well as for solution component-specific configuration settings.
Task 5: Log On to the NetWeaver Business Client
1. Enter NWBC (/nnwbc) in the transaction entry field, then click the system OK icon.
2. On the Launch NetWeaver Business Client screen, choose /nwbc.
3. Click through the various work centers and note the work sets under each one.
Task 6: Log On via the SAP GUI
1. Log out of the NWBC, then re-execute /nnwbc from the ABAP client.
2. On the Launch NetWeaver Business Client screen, copy the address of the page, ending with the forward slash after nwbc. What you copy should be similar to this: http://wdfbmt2299.wdf.sap.corp:51080/nwbc/
3. From the Remote Desktop Start menu, choose Start → Programs → SAP NWBC → Version 3.0 → NetWeaver Business Client.
4. Click the New icon for a new connection.
5. Enter the following information:
   Note: For the URL, paste the one you copied.
   Data       Data Value
   Name       ZMC
   URL        http://wdfbmt2299.wdf.sap.corp:51080/nwbc/
   Type       ABAP
   Client     800
   Language   EN
6. Click OK when finished.
7. You can now use this SAP GUI to log on to NWBC.
   Note: You can still log on to NWBC by using Steps 1 - 5 of this exercise.

Result
You should now be able to access and log on to the training environment, remote desktop, ABAP client, IMG, and SAP GUI.
Solution 1: Connect to the System and View IMG Structure

Task 1: Connect to the Training Environment
1. Open a browser window and enter http://mywts.sap.com in the address bar.
2. Choose EMEA, then choose Training under CORP.
3. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop
1. Click Start → Run. Enter mstsc.exe in the Run dialog box, then click OK.
2. Enter the system name provided by your instructor, then click Connect.
3. Enter Train-XX as your user name, where XX is your Participant ID. Enter password initial.
4. Click OK in the Language Dialog box.

Task 3: Log On to the GRC 10.0 ABAP Client
1. Click Start → SAP Logon.
   Note: If you do not see the Start button in the lower left corner, you may need to maximize the Remote Desktop window.
2. Choose ZMC, then click Log On.
3. Enter User ID XX_Custom, where XX is your Participant ID. Enter password initial, then click the system OK icon or press Enter.
4. Note the user menu items displayed for your User ID.

Task 4: Access the IMG for Customizing Activities
1. Enter Transaction SPRO in the transaction field, then click the system OK icon.
2. Click SAP Reference IMG.
3. Expand the Governance, Risk, and Compliance node.
4. View the nodes listed here. This is where you perform customizing activities and maintain configuration settings for the GRC solution. Note that there are nodes for shared configuration settings as well as for solution component-specific configuration settings.

Task 5: Log On to the NetWeaver Business Client
1. Enter NWBC (/nnwbc) in the transaction entry field, then click the system OK icon.
2. On the Launch NetWeaver Business Client screen, choose /nwbc.
3. Click through the various work centers and note the work sets under each one.

Task 6: Log On via the SAP GUI
1. Log out of the NWBC, then re-execute /nnwbc from the ABAP client.
2. On the Launch NetWeaver Business Client screen, copy the address of the page, ending with the forward slash after nwbc. What you copy should be similar to this: http://wdfbmt2299.wdf.sap.corp:51080/nwbc/
3. From the Remote Desktop Start menu, choose Start → Programs → SAP NWBC → Version 3.0 → NetWeaver Business Client.
4. Click the New icon for a new connection.
5. Enter the following information:
   Note: For the URL, paste the one you copied.
   Data       Data Value
   Name       ZMC
   URL        http://wdfbmt2299.wdf.sap.corp:51080/nwbc/
   Type       ABAP
   Client     800
   Language   EN
6. Click OK when finished.
7. You can now use this SAP GUI to log on to NWBC.
   Note: You can still log on to NWBC by using Steps 1 - 5 of this exercise.

Result
You should now be able to access and log on to the training environment, remote desktop, ABAP client, IMG, and SAP GUI.
Lesson Summary
You should now be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
Lesson: Security and Authorizations

Lesson Overview
This lesson presents high-level authorization engine changes for GRC 10.0 and explains what types of authorizations are used for different components. It also identifies key roles and how they are used, as well as what controls the user interface from an authorization perspective.

Lesson Objectives
After completing this lesson, you will be able to:
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface
Business Example A company segregates its access risk management based upon a specific attribute of a user (User Group, Company, Connector ID) and wishes to limit the items that a reviewer can view. SAP BusinessObjects GRC 10.0 contains permission (authorization object) level security to help limit the data that a user can access, whether this is in a view only or maintenance mode. This also drives what the user will have access to in regards to Work Centers (both in general and what can be accessed within a Work Center) and Reports.
Authorization Overview
Figure 67: Authorization Changes for GRC 10.0
Figure 68: GRC 10.0 Access and IMG Configuration
Figure 69: Process Control or Risk Management Access
Figure 70: GRC Solutions and Access Control
Figure 71: Authorization Types by Component
Figure 72: Key Roles
Authorizations and the User Interface
Figure 73: What Can You See?
The above shows the My Home work center as displayed in the SAP NetWeaver Portal component. The look would be similar, but not identical, in the SAP NetWeaver Business Client (NWBC) software.
1. Work centers are defined in PCD roles for the Portal and in PFCG roles for NWBC. The work centers are fixed in each base role. SAP delivers these roles, but they can be modified by the customer.
2. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application. You may see this in the IMG configuration.
3. The service map is then generated dynamically based upon user authorization. That is, if the user does not have authorization to see given application folders or applications, they will be hidden from view (not grayed out).
Figure 74: Reminder About How What you See is Determined
As a reminder, what the end user sees is determined by a combination of factors, as shown above.
• The product licensing determines access to components
• The UI framework configuration controls what fields are displayed for each underlying component
• Roles/authorizations determine more granular access, all the way down to individual business entities (such as Control XYZ in Organization ABC) in the case of Process Control and Risk Management
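The following is an added illustration for this lesson, not SAP code and not part of the handbook: a small Python model of the three factors just listed (licensing, UI framework configuration, and roles/authorizations) and of the rule that unauthorized applications are hidden rather than grayed out. It does not read PCD or PFCG roles or the LaunchPad configuration; the component, work center, application, activity and organization names are constructed for the example.

```python
"""Model of the three factors that decide what a GRC 10.0 user sees.

Added illustration for this lesson, not SAP code: it does not read PCD or
PFCG roles or the LaunchPad configuration. All names below are constructed.
"""
from dataclasses import dataclass

# Factor 1: product licensing. Constructed: Access Control is not licensed.
LICENSED_COMPONENTS = {"PC", "RM"}

# Factor 2: UI framework configuration (a constructed stand-in for the
# LaunchPad / IMG settings): which applications sit in which work center
# and which solution component each belongs to ("SHARED" = all components).
SERVICE_MAP = {
    "My Home": [("Work Inbox", "SHARED"), ("My Delegation", "PC")],
    "Master Data": [("Organizations", "PC"), ("Risks and Responses", "RM")],
    "Rule Setup": [("Access Rule Maintenance", "AC"), ("Continuous Monitoring", "PC")],
}


@dataclass(frozen=True)
class Authorization:
    """One authorization value, optionally restricted to an entity.

    organization="*" means the value is not entity-restricted.
    """
    application: str
    activity: str            # constructed activity names: "DISPLAY", "CHANGE"
    organization: str = "*"


@dataclass
class User:
    name: str
    has_ui_access: bool      # prerequisite 1 in the lesson: Portal or NWBC authorization
    authorizations: frozenset = frozenset()


def visible_service_map(user, licensed=LICENSED_COMPONENTS, service_map=SERVICE_MAP):
    """Return {work center: [application, ...]} as the user would see it.

    Applications of unlicensed components, and applications the user holds
    no authorization for, are left out entirely (hidden, not grayed out);
    a work center with nothing left to show disappears as well.
    """
    if not user.has_ui_access:
        return {}
    allowed_apps = {a.application for a in user.authorizations}
    visible = {}
    for work_center, apps in service_map.items():
        shown = [
            app for app, component in apps
            if (component == "SHARED" or component in licensed) and app in allowed_apps
        ]
        if shown:
            visible[work_center] = shown
    return visible


def may_act(user, application, activity, organization):
    """Factor 3 at entity level: may the user perform `activity` in
    `application` on objects that belong to `organization`?"""
    return any(
        a.application == application
        and a.activity == activity
        and a.organization in ("*", organization)
        for a in user.authorizations
    )


if __name__ == "__main__":
    # Constructed reviewer: may open the inbox, and may only display
    # Organizations data that belongs to ORG_ABC.
    reviewer = User("REVIEWER_01", True, frozenset({
        Authorization("Work Inbox", "DISPLAY"),
        Authorization("Organizations", "DISPLAY", "ORG_ABC"),
    }))
    print(visible_service_map(reviewer))
    print(may_act(reviewer, "Organizations", "DISPLAY", "ORG_ABC"),
          may_act(reviewer, "Organizations", "DISPLAY", "ORG_XYZ"))
```

The reviewer in the demo sees only My Home with the Work Inbox and Master Data with Organizations: Rule Setup is absent because Access Rule Maintenance is unlicensed and the reviewer holds nothing for Continuous Monitoring, and the entity-level check still refuses ORG_XYZ even though the Organizations application itself is visible. That is the behaviour the business example of this lesson asks for (limiting what a reviewer can view) expressed as code.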
Exercise 2: View Role Assignments

Exercise Objectives
After completing this exercise, you will be able to:
• Locate and review role assignments for business subprocesses via GRC Role Assignment
• Locate and review role assignments for business subprocesses via Organizations

Business Example
To access specific Process Control or Risk Management data or transactions, you must ensure that entity-level authorizations are assigned within the application. This will permit actions on specific entities, such as organizations, processes, subprocesses, controls, and risks.
Task 1: Review Role Assignments in the Access Management Work Center
Review role assignments for business subprocesses via GRC Role Assignment in the Access Management work center.
1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
2. Execute Transaction NWBC (/nnwbc).
3. Choose /nwbc.
4. Choose Business Processes located under GRC Role Assignments in the Access Management work center.
5. Enter a time frame of Year 2011, then click Apply.
6. Choose the Subprocess role level.
7. Accept the default value of Yes for Show Cross-Regulation Roles.
8. Add a filter for Organizations. Choose 00-GRC General Accounting.
9. Choose Next to continue to the Assign Roles section.
10. Review the roles assigned to the subprocesses, which are listed under the Object header. On this screen, you will see role assignments for Access Control, Process Control, and Risk Management. A white space in the role column means that no role is assigned.
11. Roles have been assigned, so do not save your changes. Click Cancel to exit.
Task 2: Review Role Assignments in the Master Data Work Center
Review role assignments for business subprocesses via Organizations in the Master Data work center.
1. Navigate to the Master Data work center.
2. Choose Organizations under the Organizations work set.
3. Choose any organization from the list, then click Open. Note that the triangle next to the organization means that there are sub-organizations and the dot next to the organization means that it is the lowest level. Use today's date.
4. Choose the Subprocess tab, then click Assign Subprocess.
5. Choose one or more subprocesses from the list, then click Next.
6. Without making any changes, click Next on both the Shared Services Used and Shared Services Offered steps.
7. Change the Allow Local Changes value to Yes, then click Next.
8. Without making any changes, click Finish on the Select Controls step.
9. Choose the first subprocess from the list, then click Open. You should see the Subprocess details.
10. Click the Roles tab. Choose a role from the list, then click Assign.
11. Select the XX_CUSTOM user from the list, where XX is your Participant ID, then click OK.
12. You should now see XX_CUSTOM listed under the Name column next to the subprocess you chose.
13. Normally you would save your changes, but for the purposes of this exercise, choose Cancel. Do not save your changes.
Solution 2: View Role Assignments

Task 1: Review Role Assignments in the Access Management Work Center
Review role assignments for business subprocesses via GRC Role Assignment in the Access Management work center.
1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
2. Execute Transaction NWBC (/nnwbc).
3. Choose /nwbc.
4. Choose Business Processes located under GRC Role Assignments in the Access Management work center.
   a) Choose Access Management → GRC Role Assignments → Business Processes.
5. Enter a time frame of Year 2011, then click Apply.
6. Choose the Subprocess role level.
7. Accept the default value of Yes for Show Cross-Regulation Roles.
8. Add a filter for Organizations. Choose 00-GRC General Accounting.
   a) Choose Add next to Organizations.
   b) Choose the organization 00-GRC General Accounting, then click the Right arrow to move this organization to the Selected list.
   c) Click OK.
9. Choose Next to continue to the Assign Roles section.
10. Review the roles assigned to the subprocesses, which are listed under the Object header. On this screen, you will see role assignments for Access Control, Process Control, and Risk Management. A white space in the role column means that no role is assigned.
11. Roles have been assigned, so do not save your changes. Click Cancel to exit.
Task 2: Review Role Assignments in the Master Data Work Center
Review role assignments for business subprocesses via Organizations in the Master Data work center.
1. Navigate to the Master Data work center.
2. Choose Organizations under the Organizations work set.
3. Choose any organization from the list, then click Open. Note that the triangle next to the organization means that there are sub-organizations and the dot next to the organization means that it is the lowest level. Use today's date.
4. Choose the Subprocess tab, then click Assign Subprocess.
5. Choose one or more subprocesses from the list, then click Next.
6. Without making any changes, click Next on both the Shared Services Used and Shared Services Offered steps.
7. Change the Allow Local Changes value to Yes, then click Next.
8. Without making any changes, click Finish on the Select Controls step.
9. Choose the first subprocess from the list, then click Open. You should see the Subprocess details.
10. Click the Roles tab. Choose a role from the list, then click Assign.
11. Select the XX_CUSTOM user from the list, where XX is your Participant ID, then click OK.
12. You should now see XX_CUSTOM listed under the Name column next to the subprocess you chose.
13. Normally you would save your changes, but for the purposes of this exercise, choose Cancel. Do not save your changes.
Lesson Summary
You should now be able to:
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface
Unit Summary
You should now be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface
Test Your Knowledge

1. The ________ determines the presentation of user interface elements.
   Fill in the blanks to complete the sentence.

2. A key feature of the GRC 10.0 information architecture is:
   Choose the correct answer(s).
   □ A Separate work inboxes for each solution component
   □ B A single shared work inbox for all solution components
   □ C A single shared work inbox for Process Control and Risk Management
   □ D A single shared work inbox for Process Control and Access Control

3. Users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.
   Determine whether this statement is true or false.
   □ True
   □ False

4. While authorization concepts are similar to prior releases, changes in GRC 10.0 solutions required enhancements to the ________ engine.
   Fill in the blanks to complete the sentence.

5. To access GRC 10.0 solutions, you must have at least the following: 1. Portal authorization or NWBC authorization; 2. Applicable PFCG base roles; and 3. PFCG role(s) relative to specific components (AC, PC, RM).
   Determine whether this statement is true or false.
   □ True
   □ False

6. If you use Access Control 10.0 with other GRC solution components, you can leverage this functionality to:
   Choose the correct answer(s).
   □ A Create GRC users
   □ B Assign and manage PFCG roles used with GRC
   □ C Perform SoD analysis for PFCG role authorizations
   □ D Perform SoD analysis for entity-level authorization
7. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application.
   Determine whether this statement is true or false.
   □ True
   □ False

8. Which of the following determine what users see in the GRC 10.0 user interface?
   Choose the correct answer(s).
   □ A Product Licensing
   □ B User Interface Framework Configuration
   □ C Roles and Authorizations
   □ D Work Centers
Answers

1. The information architecture determines the presentation of user interface elements.
   Answer: information architecture
   The correct answer is information architecture.

2. A key feature of the GRC 10.0 information architecture is:
   Answer: B
   A key feature of the GRC 10.0 information architecture is a single shared work inbox for all solution components.

3. Users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.
   Answer: True
   The statement is true.

4. While authorization concepts are similar to prior releases, changes in GRC 10.0 solutions required enhancements to the authorization engine.
   Answer: authorization
   The answer is authorization.

5. To access GRC 10.0 solutions, you must have at least the following: 1. Portal authorization or NWBC authorization; 2. Applicable PFCG base roles; and 3. PFCG role(s) relative to specific components (AC, PC, RM).
   Answer: True
   The statement is true.

6. If you use Access Control 10.0 with other GRC solution components, you can leverage this functionality to:
   Answer: A, B, C
   SoD risk analysis cannot be performed for entity-level authorization.
7. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application.
   Answer: True
   The statement is true.

8. Which of the following determine what users see in the GRC 10.0 user interface?
   Answer: A, B, C
   Product licensing, the user interface framework configuration, and roles and authorizations determine what users see in the GRC 10.0 user interface.
Unit 3: The GRC 10.0 User Interface

Unit Overview
This unit presents an overview of work centers, including their purpose and use. Harmonized navigation concepts are discussed, as well as how authorizations affect what users can view and access. Hands-on activities include navigating the work centers and assigning a delegate.

Unit Objectives
After completing this unit, you will be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Unit Contents
Lesson: Work Centers ............................................................. 100
Exercise 3: Navigate the Work Centers and Assign a Delegate ......... 113
Lesson: Harmonized Navigation in the GRC 10.0 Portal ...................... 121
Exercise 4: Harmonized Navigation ......................................... 125
Lesson: Work Centers

Lesson Overview
This lesson introduces work centers and their purpose.

Lesson Objectives
After completing this lesson, you will be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal

Business Example
A user in SAP BusinessObjects GRC 10.0 is responsible for managing several different areas of the solution. Using the Work Center concept, the user can navigate easily to the specific area that is desired and have similar actions available on the screen. This helps the user find the specific task more efficiently and also makes it easier to manage the security between different types of users.

Work Centers Overview
Work centers provide a central access point for GRC 10.0. They can be organized based on what the customer has been licensed to operate. Delivered work centers are shown below.
Figure 75: Work Centers in GRC 10.0
The default delivered system contains the work centers displayed above. However, your system administrator can customize the work centers to support your organization's preferred structures. Depending on the products that you have licensed, different components of the GRC solution are displayed (Access Control, Process Control, or Risk Management).
My Home Work Center
The My Home work center allows you to:
• View, access, and perform workflow tasks assigned to you, including viewing completed reports that you scheduled
• Perform document searches across all documents (including document content) for which you have authorization
• Assign delegates to perform your tasks or activities
• View and process your user data
The service maps and applications under each work center are controlled by your access. If you are a delegate and choose to work as that person, you will inherit their authorization.
Figure 76: My Home Work Center in the Portal
My Home provides a central location to view and act on your assigned tasks and accessible objects: organizations, processes, subprocesses, and controls. Depending on the products you have licensed, the My Home work center contains these sections:
Work Inbox - The Work Inbox lists the tasks you need to process for GRC applications.

Ad Hoc Tasks - From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents and issues, depending on the applications to which you have access.

My Objects - In the My Objects section of the My Home work center, you can maintain the GRC objects to which you have access.

Document Search - Document Search enables you to search for documents across GRC solutions, including business entities and compliance initiatives. The search includes documents and hyperlinks, which you can add as attachments. This can only be used if you have activated TREX.

My Delegation - You can delegate the access rights and tasks of one user, the delegator, to another user, the delegate, for a specific time period or indefinitely. This relates to PC and RM applications.
• Delegator: From the My Home work center, click My Delegation. Assign one or more delegates for the desired period.
• Delegate: From My Home, click Change Delegation. Choose to work on behalf of yourself or on behalf of another person.
Figure 77: My Delegation for Process Control and Risk Management
The above delegation does not apply to Access Control, which has its own delegation function. This applies to Process Control and Risk Management only. Delegation does not remove access or forward tasks from the delegator. Instead, it allows the delegate to work with the same access and tasks as if he or she were the delegator. Both the delegator and the delegate can access the system at the same time, as long as they do not access the same objects or activities.
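The following is an added illustration of the delegation rules stated above, not SAP code and not part of the handbook: a Python model in which a delegate obtains the delegator's access only while working on behalf of that person and only within the delegation period (or indefinitely when no end date is set), while the delegator keeps their own access. The user names, entity names and dates are constructed for the example.

```python
"""Model of Process Control / Risk Management delegation.

Added illustration for this lesson, not SAP code. User names, entity
names and dates are constructed. It encodes three statements from the
lesson: the delegate works with the delegator's access for a period (or
indefinitely); the delegator keeps their own access and tasks; and the
delegate only gains that access while working on behalf of the delegator.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str]   # ISO strings ("2011-06-15") are accepted for convenience


def _as_date(value: DateLike) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    valid_from: DateLike
    valid_to: Optional[DateLike] = None   # None = indefinitely

    def is_active(self, on: DateLike) -> bool:
        on = _as_date(on)
        if on < _as_date(self.valid_from):
            return False
        return self.valid_to is None or on <= _as_date(self.valid_to)


# Constructed entity-level access: which objects each user may work with
# in their own right (the "Control XYZ in Organization ABC" granularity).
OWN_ACCESS = {
    "CTRL_OWNER": {"Control XYZ in Organization ABC"},
    "DEPUTY": {"Control 123 in Organization DEF"},
}


def can_work_as(user, work_as, on, delegations):
    """True if `user` may work on behalf of `work_as` on date `on`.

    Working as yourself is always allowed; working as someone else needs
    a delegation from that person to you that is active on that date.
    """
    if work_as == user:
        return True
    return any(
        d.delegator == work_as and d.delegate == user and d.is_active(on)
        for d in delegations
    )


def effective_access(user, work_as, on, delegations, own_access=OWN_ACCESS):
    """Entities `user` may work with on `on` while working as `work_as`.

    Working as someone else yields that person's access (not the union
    with the user's own), and only while a matching delegation is active.
    The delegator's own entry is untouched: delegation removes nothing.
    """
    if not can_work_as(user, work_as, on, delegations):
        raise PermissionError(f"{user} has no active delegation from {work_as} on {on}")
    return set(own_access.get(work_as, ()))


if __name__ == "__main__":
    # Constructed: CTRL_OWNER delegates to DEPUTY for June 2011.
    delegations = [Delegation("CTRL_OWNER", "DEPUTY", "2011-06-01", "2011-06-30")]
    print(effective_access("DEPUTY", "CTRL_OWNER", "2011-06-15", delegations))
    print(effective_access("CTRL_OWNER", "CTRL_OWNER", "2011-06-15", delegations))
    print(can_work_as("DEPUTY", "CTRL_OWNER", "2011-07-01", delegations))
```

In the demo, DEPUTY working as CTRL_OWNER in mid-June sees CTRL_OWNER's control, CTRL_OWNER still sees it too on the same date, and the same request on 1 July is refused because the delegation period has ended. Note what the model deliberately leaves out: nothing is forwarded or revoked, and a reverse delegation (DEPUTY to CTRL_OWNER) is not implied by the forward one.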
Master Data Work Center
Depending on the GRC products you have licensed, the Master Data work center contains the following sections:
• Organizations
• Regulations and Policies
• Objectives
• Activities and Processes
• Mitigating Controls
• Risks and Responses
• Accounts
• Consistency Checks
• Reports
The service map and applications under each work center are controlled by your access.
Figure 78: Master Data Work Center in the Portal
The Organizations section of the Master Data work center enables you to define and work with the organizations of your company. Regulations and Policies gives you visibility into your compliance framework and access to end-to-end policy management.
Objectives define statements of desired results or purposes. Business objectives relate to strategies and risks, while control objectives are assigned to relevant subprocesses.

The Activities and Processes section is where you maintain your company's activities, business processes, subprocesses, and controls.

The Risks and Responses section of the Master Data work center enables you to maintain your organization's risk, opportunity, and response catalogs.

Use the Accounts section to create account groups that are relevant to your compliance initiatives.

Consistency checks are a set of reports to help ensure data validity. These are especially useful during initial implementation and after significant changes. Currently these are for the Risk Management product only.

The Reports section includes links to master data reports.
Rule Setup Work Center
Depending on the GRC products you have licensed, the Rule Setup work center provides links to the following areas:
• Access Rule Maintenance
• Critical Access Rules
• Exception Access Rules
• Generated Rules
• Continuous Monitoring
• Scheduling
• Legacy Automated Monitoring
• Reports
The service map and applications under each work center are controlled by your access.
Figure 79: Rule Setup Work Center in the Portal
The Access Rule Maintenance section includes the ability to maintain rule sets, access risks and functions.

The Critical Access Rules section allows you to identify individual roles and profiles that pose an access risk to your company. If your system uses profiles, you may have defined profiles that pose an access risk. Make sure that you designate these profiles as critical profiles.

The Exception Access Rules section allows you to eliminate false positives based on organizational-level restrictions. This functionality was created to aid exception-based reporting for organizational rules and supplemental rules.

The Generated Rules section shows generated rules and related details, including access risks and functions.

The Continuous Monitoring section (not displayed above due to space) gives you access to data sources, business rules, assignment of business rules and Key Risk Indicators (KRIs).

The Scheduling section enables you to maintain schedules for continuous control monitoring and track job progress in the areas of monitoring and automated testing.

The Legacy Automated Monitoring section allows you to continue to use automated rules created in Process Control 3.0.

The Reports section of this work center includes reports specifically related to continuous control monitoring setup and execution.
Setup Work Center for Access Control
The Setup work center is available in Access Control and provides links to the following areas:
• Access Rule Maintenance
• Exception Access Rules
• Critical Access Rules
• Generated Rules
• Organizations
• Mitigating Controls
• Superuser Assignment
• Superuser Maintenance
• Access Owners
Figure 80: Setup Work Center in NWBC
The Access Rule Maintenance section allows you to manage access rule sets, functions, and the access risks used to identify access violations. Under Exception Access Rules, you can manage rules that supplement access rules. The Critical Access Rules section allows you to define additional rules that identify access to critical roles and profiles.
The Generated Rules section allows you to find and view generated access rules. Under Organizations, you can maintain the company's organization structure for compliance and risk management with related assignments. The Mitigating Controls section allows you to manage controls to mitigate segregation of duty, critical action, and critical permission access violations. Superuser Assignment is where you assign owners to firefighter IDs and assign firefighter IDs to users. Superuser Maintenance is where you maintain firefighter, controller, and reason code assignments. Under Access Owners, you manage owner privileges for access management capabilities.
Assessments Work Center
Depending on the GRC products you have licensed, the Assessments work center contains the following sections:
• Surveys
• Manual Test Plans
• Risk Assessments
• Incident Management
• Scenario Management
• Assessment Planning
• Reports
Figure 81: Assessments Work Center in the Portal
The Surveys section of the Assessments work center provides setup of survey components. Within GRC, surveys are used to obtain information on the existence and evaluation of risks (Risk Management) or the adequacy of controls (Process Control). Surveys are used to carry out assessments of objects such as risks, activities, controls and policies. The Manual Test Plans section allows you to create manual test plans, which consist of test steps performed to determine whether a control is operating effectively. The Risk Assessments section enables you to create activities to be evaluated for risks and opportunities, such as projects or business processes. The Incident Management section provides documentation of risks that occur, that is, incidents. In Scenario Management, you can define and simulate scenarios for Risk Management. In the Assessment Planning section you plan and release workflow tasks for the various evaluations and other assessments. The Reports section of the Assessments work center provides a variety of reports related to assessment results.
Access Management Work Center
Depending on the GRC products you have licensed, the Access Management work center has the following sections:
• GRC Role Assignments
• Access Risk Analysis
• Mitigated Access
• Access Requests Administration
• Role Management
• Role Mining
• Role Mass Maintenance
• Superuser Assignment
• Superuser Maintenance
• Access Request Creation
• Compliance Certification Reviews
• Alerts
• Scheduling
Figure 82: Access Management Work Center in the Portal
In the Access Risk Analysis section, you evaluate your systems for access risks across user, role, HR object and organization levels. An access risk is two or more actions or permissions that, when available to a single user or single role, profile, organizational level, or HR object, create the possibility of error or irregularity. Mitigated Access allows you to identify access risks, assess the level of those risks, and assign mitigating controls to users, roles, and profiles to mitigate the access rule violations. Access Request Administration manages access assignments, accounts, and review processes. Role Management allows you to manage roles from multiple systems in a single unified repository. The Role Mining section groups features that allow you to target roles of interest, analyze them, and take action. Role Mass Maintenance lets you import and change authorizations and attributes for multiple roles. Superuser Assignment allows you to assign firefighter IDs to owners and assign firefighters and controllers to firefighter IDs. In the Superuser Maintenance section, you can perform activities such as researching and maintaining firefighters and controllers, and assigning reason codes by system. Access Request Creation provides creation of access assignments and accounts. Compliance Certification Reviews supports review of users' access, risk violations and role assignments. Alerts are generated by the application when critical or conflicting actions are executed. The Scheduling section of the Rule Setup work center enables you to maintain schedules for continuous control monitoring and automated testing, and to track related job progress.
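The access risk concept above (functions grouped from actions, a risk defined as a combination of functions, mitigating controls assigned to a user for a specific risk) can be modelled in a few dozen lines. The Python below is an added example written for this handbook, not SAP code: the function and risk IDs, transaction codes, user names and the control MC-AP-01 are constructed sample data, and it also covers the single-function "critical action" case and a mitigating control that has expired.

```python
"""Toy access risk analysis modelled on the GRC Access Risk Analysis concepts.

Added example, not SAP code. Functions, risks, users and the mitigating
control are constructed sample data; the transaction codes are just labels.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Function:
    """A function groups the actions that let a user perform one business task."""
    id: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class AccessRisk:
    """One function: critical action risk. Two or more: segregation of duties risk."""
    id: str
    functions: Tuple[str, ...]
    level: str


@dataclass(frozen=True)
class MitigatingControl:
    """A control assigned to a user for one risk, valid only inside its date range."""
    control_id: str
    user: str
    risk_id: str
    valid_from: date
    valid_to: date


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    level: str
    kind: str                                          # "SoD" or "critical action"
    evidence: Tuple[Tuple[str, Tuple[str, ...]], ...]  # (function, matching actions)
    mitigated_by: Optional[str]                        # control ID, None if unmitigated


def analyze_user(user: str, user_actions: FrozenSet[str],
                 functions: Dict[str, Function], risks: List[AccessRisk],
                 controls: List[MitigatingControl], as_of: date) -> List[Violation]:
    """Report every risk whose functions are all reachable through the user's actions."""
    found = []
    for risk in risks:
        evidence = []
        for fid in risk.functions:
            matched = functions[fid].actions & user_actions
            if not matched:
                break              # one function is missing, so this risk does not apply
            evidence.append((fid, tuple(sorted(matched))))
        else:
            kind = "critical action" if len(risk.functions) == 1 else "SoD"
            control = next((c.control_id for c in controls
                            if c.user == user and c.risk_id == risk.id
                            and c.valid_from <= as_of <= c.valid_to), None)
            found.append(Violation(user, risk.id, risk.level, kind,
                                   tuple(evidence), control))
    return found


# Constructed rule set: two accounts payable functions and one user administration function.
FUNCTIONS = {
    "AP01": Function("AP01", frozenset({"FK01", "XK01"})),  # maintain vendor master
    "AP02": Function("AP02", frozenset({"FB60", "MIRO"})),  # post vendor invoices
    "BS01": Function("BS01", frozenset({"SU01"})),          # user administration
}
RISKS = [
    AccessRisk("P001", ("AP01", "AP02"), "High"),  # SoD: create a vendor and pay it
    AccessRisk("B001", ("BS01",), "Critical"),     # critical action
]
CONTROLS = [  # ALICE's P001 conflict is accepted and mitigated for 2011 only
    MitigatingControl("MC-AP-01", "ALICE", "P001", date(2011, 1, 1), date(2011, 12, 31)),
]
USERS = {  # user -> actions the user can execute (constructed)
    "ALICE": frozenset({"FK01", "FB60", "SE16"}),
    "BOB": frozenset({"XK01"}),
    "CAROL": frozenset({"SU01", "FB60"}),
}


def run_analysis(as_of: date = date(2011, 6, 1)) -> Dict[str, List[Violation]]:
    """User-level analysis for every sample user, as of the given date."""
    return {u: analyze_user(u, acts, FUNCTIONS, RISKS, CONTROLS, as_of)
            for u, acts in USERS.items()}


def unmitigated(report: Dict[str, List[Violation]]) -> List[Tuple[str, str]]:
    """(user, risk) pairs that still need a mitigating control or a role change."""
    return sorted((u, v.risk_id) for u, vs in report.items()
                  for v in vs if v.mitigated_by is None)
```

Running `run_analysis()` as of mid-2011 reports ALICE's P001 conflict as mitigated by MC-AP-01 and CAROL's B001 critical action as unmitigated; the same run as of 2012 reports ALICE's conflict as unmitigated because the control has expired.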
Reports and Analytics Work Center
Depending on the GRC products you have licensed, the Reports and Analytics work center has the following sections:
• Management
• Compliance
• Risks and Opportunities
• Access Management
• Incidents and Losses
• Print Reports
• BI Analytics
Figure 83: Reports and Analytics Work Center in the Portal
These are the delivered reports. When you execute reports you only see objects you are authorized to view.
Exercise 3: Navigate the Work Centers and Assign a Delegate
Exercise Objectives
After completing this exercise, you will be able to:
• Identify work sets and key tasks in various work centers
• Assign a delegate
Business Example
Work centers contain work sets that include links to functions across the GRC solution. Your view and available choices depend on your user authorizations. You are the Internal Control Manager working in Process Control and must assign another user to fill in for you while you are on vacation. You identify the Cross Regulation Process Owner as your delegate.
Task 1: Explore the Access Control Setup Work Center
Explore the Setup work center, which is unique to Access Control.
1. Log on as XX_CUSTOM, where XX is your Participant ID.
2. Go to the Setup work center and explore the work sets. Click some of the links under each one and explore the various screens.
3. Choose Rule Set under the Access Rule Maintenance work set. Note the Rule Set IDs and descriptions.
4. Choose Rule Set Comparison, then enter two rule sets to compare.
5. Choose which components to compare, then click Run in Foreground.
6. On the Analysis Results screen, you can see which rule set each Access Risk belongs to in the Rule Set ID column.
7. Close the current window and the Rule Set Comparison window to return to the Setup work center.
Task 2: View the Organization Hierarchy
Access the Organization Hierarchy from two separate work centers.
1. Still in the Setup work center, choose Organizations under the Organizations work set.
2. Find the organization XX_GRC GLB INTL, where XX is your Participant ID. Expand the organization hierarchy nodes to view the levels of the hierarchy. Remember that this Setup work center is specific to Access Control.
3. Close the Organization Hierarchy window and navigate to the Master Data work center.
4. Choose Organizations under the Organizations work set.
5. Note that you are viewing the same Organization Hierarchy information from this Master Data work center as you saw in the Setup work center.
Task 3: Explore the Reports and Analytics Work Center
Navigate to the Reports and Analytics work center and view the work sets contained therein.
1. Go to the Reports and Analytics work center. Note the work sets in this work center and the links under each one.
2. Note that the report links you see in this work center are for Access Control, Risk Management, and Process Control, and that access is grouped in this one place for any of these components.
3. Explore the remaining work centers and choose some of the links under the various work sets to examine what can be done in each one.
Task 4: Assign a Delegate
Log in as the Internal Control Manager and assign a delegate to process tasks in your absence.
1. Exit the application and log in as the Internal Control Manager, XX_G_ICMAN, where XX is your Participant ID.
2. Review the various work centers to see the activities that are available to ICMAN.
3. Choose the My Home work center, then find the My Delegation work set.
4. Click My Delegation to open the Assign Own Delegate window.
5. Click Create.
6. Click the search icon in the User field to choose a user who will act as your delegate.
7. Choose XX_G_PRCOWN from the list, where XX is your Participant ID, then click OK.
8. Enter today's date for the Start Date.
9. Enter any future date for the End Date.
10. Click Save. You should now see XX_G_PRCOWN listed on the Assign Own Delegate screen.
Task 5: Change Settings to Work as the Assigned Delegate
You are the delegate named by the Internal Control Manager and must now log on and change your settings to work on behalf of this person.
1. Exit the system, then log in as XX_G_PRCOWN, where XX is your Participant ID.
2. View the work centers and activities that are available to XX_G_PRCOWN.
3. Choose Change Delegation, located at the top right of the My Home work center next to your user welcome message.
4. Ensure that any other sessions are closed, and verify this by checking the All Sessions Closed check box.
5. Change the Work on Behalf of setting to XX_G_ICMAN, and then click Save.
6. You should now see a message displayed at the top of the My Home work center indicating that you are working on behalf of XX_G_ICMAN. Note that you now have access to all the activities and screens assigned to the ICMAN role.
Solution 3: Navigate the Work Centers and Assign a Delegate
Task 1: Explore the Access Control Setup Work Center
Explore the Setup work center, which is unique to Access Control.
1. Log on as XX_CUSTOM, where XX is your Participant ID.
2. Go to the Setup work center and explore the work sets. Click some of the links under each one and explore the various screens.
3. Choose Rule Set under the Access Rule Maintenance work set. Note the Rule Set IDs and descriptions.
4. Choose Rule Set Comparison, then enter two rule sets to compare.
5. Choose which components to compare, then click Run in Foreground.
6. On the Analysis Results screen, you can see which rule set each Access Risk belongs to in the Rule Set ID column.
7. Close the current window and the Rule Set Comparison window to return to the Setup work center.
Task 2: View the Organization Hierarchy
Access the Organization Hierarchy from two separate work centers.
1. Still in the Setup work center, choose Organizations under the Organizations work set.
a) Choose Setup → Organizations work set → Organizations
2. Find the organization XX_GRC GLB INTL, where XX is your Participant ID. Expand the organization hierarchy nodes to view the levels of the hierarchy. Remember that this Setup work center is specific to Access Control.
3. Close the Organization Hierarchy window and navigate to the Master Data work center.
4. Choose Organizations under the Organizations work set.
a) Choose Master Data work center → Organizations work set → Organizations
5. Note that you are viewing the same Organization Hierarchy information from this Master Data work center as you saw in the Setup work center.
Task 3: Explore the Reports and Analytics Work Center
Navigate to the Reports and Analytics work center and view the work sets contained therein.
1. Go to the Reports and Analytics work center. Note the work sets in this work center and the links under each one.
2. Note that the report links you see in this work center are for Access Control, Risk Management, and Process Control, and that access is grouped in this one place for any of these components.
3. Explore the remaining work centers and choose some of the links under the various work sets to examine what can be done in each one.
Task 4: Assign a Delegate
Log in as the Internal Control Manager and assign a delegate to process tasks in your absence.
1. Exit the application and log in as the Internal Control Manager, XX_G_ICMAN, where XX is your Participant ID.
a) Log off the NWBC or SAP GUI, whichever you are using.
b) Use the system Exit icon to log off the ZMC system.
c) At the SAP Logon window, choose ZMC and click Log On.
d) Enter XX_G_ICMAN as the user ID and initial as the password.
e) Click the system OK icon or press Enter.
2. Review the various work centers to see the activities that are available to ICMAN.
3. Choose the My Home work center, then find the My Delegation work set.
a) Choose My Home → My Delegation work set
4. Click My Delegation to open the Assign Own Delegate window.
5. Click Create.
6. Click the search icon in the User field to choose a user who will act as your delegate.
7. Choose XX_G_PRCOWN from the list, where XX is your Participant ID, then click OK.
8. Enter today's date for the Start Date.
9. Enter any future date for the End Date.
10. Click Save. You should now see XX_G_PRCOWN listed on the Assign Own Delegate screen.
Task 5: Change Settings to Work as the Assigned Delegate
You are the delegate named by the Internal Control Manager and must now log on and change your settings to work on behalf of this person.
1. Exit the system, then log in as XX_G_PRCOWN, where XX is your Participant ID.
a) Log off the NWBC or SAP GUI, whichever you are using.
b) Use the system Exit icon to log off the ZMC system.
c) At the SAP Logon window, choose ZMC and click Log On.
d) Enter XX_G_PRCOWN as the user ID and initial as the password.
e) Click the system OK icon or press Enter.
2. View the work centers and activities that are available to XX_G_PRCOWN.
3. Choose Change Delegation, located at the top right of the My Home work center next to your user welcome message.
a) Choose My Home → Change Delegation
4. Ensure that any other sessions are closed, and verify this by checking the All Sessions Closed check box.
5. Change the Work on Behalf of setting to XX_G_ICMAN, and then click Save.
6. You should now see a message displayed at the top of the My Home work center indicating that you are working on behalf of XX_G_ICMAN. Note that you now have access to all the activities and screens assigned to the ICMAN role.
Lesson Summary
You should now be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
Lesson: Harmonized Navigation in the GRC 10.0 Portal
Lesson Overview
In this lesson you will see examples of how authorization affects what users see.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management
Business Example
In the Rule Setup work center, a Control Owner for Process Control would see things like Data Sources, Business Rules, and Business Rule Assignment for Continuous Monitoring, while a Risk Manager would be more interested in viewing KRI templates and KRI Implementation information in the Continuous Monitoring section. In this example, an Access Control user won't see the Continuous Monitoring section at all, but would see sections like Access Rule Maintenance and Critical Access Rules.
How Authorizations Affect What Users See
Examples of What Users See in Access Control, Process Control, and Risk Management
Figure 84: Rule Setup as Viewed by a Control Owner in Process Control
A Control Owner can see Process Control specific tasks, but not Access Control and Risk Management tasks. Note: The open space on the lower left is caused by use of SAP NetWeaver Floorplan Manager, which does not allow service map contents to flow seamlessly from one side to the other. Depending upon the user authorization and the layout of application groups within the service map, these white spaces may appear; this does not indicate a problem.
Figure 85: Rule Setup as Viewed by a Risk Manager in Risk Management
A Risk Manager can only see Risk Management Tasks and Reports.
Figure 86: Rule Setup as Viewed by an Access Control User
This Access Control user will only see those objects included in the assigned role.
Exercise 4: Harmonized Navigation
Exercise Objectives
After completing this exercise, you will be able to:
• Examine various user views based on different authorizations
• Experience how harmonized navigation improves accessibility
• Personalize the Work Inbox
Business Example
Users who only need to see certain aspects of each application will see only those components when logging onto the system. Users with broader authorizations will have access to more work centers and work sets, with additional choices under each one. Users can personalize the view of the Work Inbox to meet their business needs.
Task 1: View Access Control-Specific Objects
Log on as an Access Control user with limited authorizations and view Access Control-specific work centers and work sets.
1. Log on to the ABAP client (ZMC) as ACDISPLAYXX, where XX is your Participant ID, using password initial.
2. Access the NWBC or SAP GUI.
3. Note the work centers across the top of the screen. Which work center is unique to Access Control?
4. Note the work sets and links displayed under each work center and that they are specific to Access Control functions. Remember that there is shared master data. For example, the organizations you see here are the same ones you can see from the Process Control-specific and Risk Management-specific user interfaces.
Task 2: View Process Control-Specific Objects
Log on as a Process Control user with limited authorizations and view Process Control-specific work centers and work sets.
1. Exit the GRC 10.0 system and log on to the ABAP client as XX_S_CTLTST, where XX is your Participant ID. Use the password initial.
2. Launch the NWBC.
3. Note the work centers. Which ones were not seen in the Access Control-specific user interface?
4. Note the work sets and links displayed under each work center and that they are specific to Process Control functions.
5. Why is the Access Management work center empty?
Task 3: View Risk Management-Specific Objects
Log on as a Risk Management user with limited authorizations and view Risk Management-specific work centers and work sets.
1. Exit the GRC 10.0 system and log on to the ABAP client as XX_RISKMAN, where XX is your Participant ID. Use the password initial.
2. Launch the NWBC.
3. Note the work centers, work sets, and functions.
4. Navigate to the Assessments work center, then note that Risk Assessments is the work set. What type of assessments would be done in Process Control that are not listed here?
Task 4: Explore a Harmonized View
Log on as a user with broader authorizations to explore a harmonized view of work centers and work sets.
1. Exit the GRC 10.0 system, then log on as XX_CUSTOM, where XX is your Participant ID. Remember that you changed your password in an earlier exercise when you first logged onto the system.
2. Launch NWBC.
3. Explore the work centers, work sets, and functions. You can now see work centers across GRC, including Access Control, Process Control, Risk Management, and Global Trade Services.
4. Choose the Assessments work center, then click Planner under the Assessment Planning work set.
5. In the list of plans, you can see that some are for Risk Management assessments and some are for Process Control assessments.
6. Navigate to the My Home work center, then choose My Profile under the My Profile work set.
7. Note the role assignments for your user. The Request Access button allows you to request access for you or another user and to run a simulation so that you can see any access risks potentially resulting from the change.
Task 5: Personalize your Work Inbox
In this task, you will personalize your work inbox. You will create a query, a new query category, and personalize inbox settings.
1. You should already be logged on as XX_CUSTOM.
2. Choose the My Home work center, then click the Work Inbox link.
3. Click Personalize at the top right of the window.
4. Choose Add Category to add a category for your Active Queries. Enter a description for this category: XX Category, where XX is your Participant ID, then choose OK.
5. In the Personalization window, add a query to your Active Queries under your new category.
6. Click Apply to save changes.
7. Define a new query, using the Define New Query link at the top right of the screen.
8. Choose an Object Type.
9. Choose an existing query as a template.
10. Click Next.
11. Set Status equal to Ready.
12. Enter 01.01.2010 to 01.01.2011 for the Created On and Created To dates.
13. Click Next.
14. Enter XX Query for the Description, where XX is your Participant ID.
15. Activate Query should be checked.
16. Choose the category you created for your Work Inbox: XX Custom.
17. Click Finish.
18. Return to the Work Inbox, and then choose Personalize. You should see your new query, XX Query, listed under your new category.
19. Click Cancel to return to the Work Inbox.
20. Choose Settings, located above the elevator box.
21. Select some settings from the Hidden Columns list to add to the Displayed Columns list. Change the sequence if you'd like and choose the number of columns that will be fixed to the left of the display. Click OK when finished.
22. You should now see your chosen columns and indicated display order in the Work Inbox view.
Solution 4: Harmonized Navigation
Task 1: View Access Control-Specific Objects
Log on as an Access Control user with limited authorizations and view Access Control-specific work centers and work sets.
1. Log on to the ABAP client (ZMC) as ACDISPLAYXX, where XX is your Participant ID, using password initial.
2. Access the NWBC or SAP GUI.
a) From the ABAP client, enter /nnwbc, then click the system OK icon or press Enter.
3. Note the work centers across the top of the screen. Which work center is unique to Access Control?
a) The Setup work center.
4. Note the work sets and links displayed under each work center and that they are specific to Access Control functions. Remember that there is shared master data. For example, the organizations you see here are the same ones you can see from the Process Control-specific and Risk Management-specific user interfaces.
a) Exit NWBC by logging off, then exit the ABAP client using the system Exit icon. Use the SAP Logon window to log on to ZMC as a new user.
Task 2: View Process Control-Specific Objects
Log on as a Process Control user with limited authorizations and view Process Control-specific work centers and work sets.
1. Exit the GRC 10.0 system and log on to the ABAP client as XX_S_CTLTST, where XX is your Participant ID. Use the password initial.
2. Launch the NWBC.
a) /nnwbc
3. Note the work centers. Which ones were not seen in the Access Control-specific user interface?
a) Master Data, Rule Setup, Assessments
4. Note the work sets and links displayed under each work center and that they are specific to Process Control functions.
5. Why is the Access Management work center empty?
a) Access Management is an Access Control function and your current user authorizations only allow you to view Process Control-specific functions.
Task 3: View Risk Management-Specific Objects
Log on as a Risk Management user with limited authorizations and view Risk Management-specific work centers and work sets.
1. Exit the GRC 10.0 system and log on to the ABAP client as XX_RISKMAN, where XX is your Participant ID. Use the password initial.
2. Launch the NWBC.
a) /nnwbc
3. Note the work centers, work sets, and functions.
4. Navigate to the Assessments work center, then note that Risk Assessments is the work set. What type of assessments would be done in Process Control that are not listed here?
a) Control Risk Assessments
Task 4: Explore a Harmonized View
Log on as a user with broader authorizations to explore a harmonized view of work centers and work sets.
1. Exit the GRC 10.0 system, then log on as XX_CUSTOM, where XX is your Participant ID. Remember that you changed your password in an earlier exercise when you first logged onto the system.
2. Launch NWBC.
a) /nnwbc
3. Explore the work centers, work sets, and functions. You can now see work centers across GRC, including Access Control, Process Control, Risk Management, and Global Trade Services.
4. Choose the Assessments work center, then click Planner under the Assessment Planning work set.
a) Choose Assessments → Assessment Planning → Planner
5. In the list of plans, you can see that some are for Risk Management assessments and some are for Process Control assessments.
6. Navigate to the My Home work center, then choose My Profile under the My Profile work set.
a) Choose My Home → My Profile work set → My Profile
7. Note the role assignments for your user. The Request Access button allows you to request access for you or another user and to run a simulation so that you can see any access risks potentially resulting from the change.
Task 5: Personalize your Work Inbox
In this task, you will personalize your work inbox. You will create a query, a new query category, and personalize inbox settings.
1. You should already be logged on as XX_CUSTOM.
2. Choose the My Home work center, then click the Work Inbox link.
a) Choose My Home → Work Inbox
3. Click Personalize at the top right of the window.
a) Personalize is a link on the screen.
4. Choose Add Category to add a category for your Active Queries. Enter a description for this category: XX Category, where XX is your Participant ID, then choose OK.
5. In the Personalization window, add a query to your Active Queries under your new category.
6. Click Apply to save changes.
7. Define a new query, using the Define New Query link at the top right of the screen.
8. Choose an Object Type.
9. Choose an existing query as a template.
10. Click Next.
11. Set Status equal to Ready.
12. Enter 01.01.2010 to 01.01.2011 for the Created On and Created To dates.
13. Click Next.
14. Enter XX Query for the Description, where XX is your Participant ID.
15. Activate Query should be checked.
16. Choose the category you created for your Work Inbox: XX Custom.
17. Click Finish.
18. Return to the Work Inbox, and then choose Personalize. You should see your new query, XX Query, listed under your new category.
19. Click Cancel to return to the Work Inbox.
20. Choose Settings, located above the elevator box.
21. Select some settings from the Hidden Columns list to add to the Displayed Columns list. Change the sequence if you'd like and choose the number of columns that will be fixed to the left of the display. Click OK when finished.
22. You should now see your chosen columns and indicated display order in the Work Inbox view.
Lesson Summary
You should now be able to:
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management
Unit Summary
You should now be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management
Test Your Knowledge
1. Work centers: Choose the correct answer(s).
□ A Provide a central access point for GRC 10.0
□ B Are independent of customer licensing
□ C Can be customized by a system administrator
□ D Do not contain shared tasks across solution components
2. The My Home work center is used as an entry point for any other work centers. Determine whether this statement is true or false.
□ True
□ False
3. The My Home work center allows you to: Choose the correct answer(s).
□ A View, access, and perform workflow tasks, whether assigned to you or not
□ B View completed reports scheduled by anyone
□ C Perform document searches across all documents, including document content
□ D Assign delegates to perform your tasks or activities
4. Assigning a delegate from the My Home work center does not apply to Access Control, which has its own delegation function. Determine whether this statement is true or false.
□ True
□ False
5. Which of the following work centers is only used in Access Control? Choose the correct answer(s).
□ A Rule Setup
□ B Master Data
□ C Assessments
□ D Setup
6. In the Rule Setup work center, a Control Owner for Process Control would be interested in seeing things like Data Sources, Business Rule Assignments for Continuous Monitoring, and KRI templates. Determine whether this statement is true or false.
□ True
□ False
7. An Access Control user won't see the Continuous Monitoring section of the Rule Setup work center, but would see sections like Access Rule Maintenance and Critical Access Rules. Determine whether this statement is true or false.
□ True
□ False
8. Users will only see those objects included in the assigned role. Determine whether this statement is true or false.
□ True
□ False
© 2011 SAP AG. All rights reserved.
2011
GRC100
Test Your Knowledge
Answers
1. Work centers:
Answer: A, C
Work centers provide a central access point for GRC 10.0 and can be customized by a system administrator.
2. The My Home work center is used as an entry point for any other work centers.
Answer: False
The statement is false.
3. The My Home work center allows you to:
Answer: C, D
C and D are correct. The My Home work center also allows you to view, access, and perform workflow tasks that are assigned to you and view completed reports that were scheduled by you.
4. Assigning a delegate from the My Home work center does not apply to Access Control, which has its own delegation function.
Answer: True
The statement is true.
5. Which of the following work centers is only used in Access Control?
Answer: D
The Setup work center is unique to Access Control.
6. In the Rule Setup work center, a Control Owner for Process Control would be interested in seeing things like Data Sources, Business Rule Assignments for Continuous Monitoring, and KRI templates.
Answer: False
The statement is false. A Risk Manager would be more interested in seeing KRI templates.
7. An Access Control user won't see the Continuous Monitoring section of the Rule Setup work center, but would see sections like Access Rule Maintenance and Critical Access Rules.
Answer: True
The statement is true.
8. Users will only see those objects included in the assigned role.
Answer: True
The statement is true.
Unit 4: Common Functions and Data
Unit Overview
This unit discusses sharing master data and common functions across GRC solutions, the User Interface Configuration Framework, local field changes, and setting field status for applications or regulations. Also presented are master data related implementation considerations for organizations.
Unit Objectives
After completing this unit, you will be able to:
• Describe how common functions are shared across GRC solutions.
• Explain which master data can be shared relative to common functions.
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options
Unit Contents
Lesson: Common Functions and Data Overview ............................... 144
Lesson: User Interface Configuration Framework .............................. 151
Lesson: Shared Master Data ...................................................... 159
Exercise 5: View Shared Master Data Examples .......................... 167
Lesson: Common Functions and Data Overview
Lesson Overview
This lesson presents how GRC solutions share common functions and which master data can be shared across solutions relative to these functions.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how common functions are shared across GRC solutions.
• Explain which master data can be shared relative to common functions.
Business Example
Your organization wants to use the GRC 10.0 solution to manage risk and compliance across the enterprise. Management would like to reduce working in silos by sharing common data elements, while building good governance, risk and compliance practices into core business processes. Specific business needs include:
• Sharing of organization, process and control structures for compliance, risk and access management.
• Supporting end-to-end processes that leverage these shared structures to better manage risk, lower compliance cost, and increase operational efficiencies.
• Promoting proactive management of risks through effective decision support, timely risk responses, and alignment of multiple stakeholder groups.
Sharing Common Functions Across GRC Solutions
Figure 87: Overview of Common Functions
Figure 88: Policy Management Overview
Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0. The end-to-end process begins with creating and approving policies, which often involves attaching or linking the policy documents. You indicate the scope of each policy by assigning it to organizations, processes or activities, and people. You also may associate controls or ERM risks to the policy. Thereafter, you distribute the policy to those affected by it and, if desired, you may require formal acceptance or acknowledgment. In addition, you may require that survey assessments or quizzes be completed to indicate understanding of the policy. Information on acceptance, assessments or quizzes can be reported to demonstrate the level of compliance. Because policies may be widely distributed throughout an organization, an SAP logon is not required to receive the policy or to acknowledge it.
Figure 89: Ad Hoc Issues Overview
Ad hoc issues management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0. This feature is designed to enable identification, remediation and tracking of issues not associated with scheduled compliance evaluations. Examples of ad hoc issues include external audit findings, issues discovered by inspections, and problems reported by individuals outside formal compliance processes. If an issue is not fully complete, it is routed via workflow to an issue administrator, who reviews, completes and assigns the issue. Thereafter, the issue is similar to an evaluation-based issue reported in PC—that is, it may be remediated and then closed. You may associate issues with a variety of business entities such as organizations, risks, regulations, and controls. You may also assign a source of the issue; the sources available are configurable in the IMG.
Figure 90: Content Lifecycle Management Overview
The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository. This external content could be company data imported for the first time into the GRC solution during implementation, or it could be content developed by third parties. Once imported to CLM, you can review the content, decide what to deploy, and resolve any content conflicts (if the content has been previously deployed). Deploy the content you select, then manage it as needed in GRC (currently RM and PC components). As needed, you may checkpoint and export the content managed in GRC and import it again to the CLM repository. This is done so that it can be edited on a mass basis or used to compare your current content with updated external content you receive.
Shared Master Data Overview
Figure 91: Key Master Data Pre-GRC 10.0
In prior versions, sharing of master data was limited by different technical platforms.
Figure 92: Shared Master Data in GRC 10.0
In the GRC 10.0 solutions shown above, technical platforms unite on SAP NetWeaver (ABAP), enabling increased harmonization of key master data. Organization, process and control structures can now be shared across components, which supports a more integrated approach to governance, risk and compliance. Note that control extensions are used to expand the control entity so it can be used for different purposes (for example, as a control that mitigates access violations).
Figure 93: Integrated GRC Example
This example shows an integrated approach to detecting and preventing fraud related to the procure-to-pay process. In short, the company has identified a significant risk of fraud. While several types of risk responses are possible, the company has a hybrid approach to both reduce the risk through an updated security policy and control the risk. The controls include use of Access Control 10.0 to prevent most segregation of duties conflicts. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control. In addition, an automated control in Process Control monitors the status of access risks in Access Control to verify that access management is in place and operating effectively. As in prior versions, controls in Process Control can be assessed or tested to ensure appropriate design and effectiveness. Policies—in this example, a security policy—are managed in the common Policy Management component. As mentioned previously, Policy Management includes the ability to gather acknowledgments or even quizzes from those affected by the policy to determine policy effectiveness.
Lesson Summary
You should now be able to:
• Describe how common functions are shared across GRC solutions.
• Explain which master data can be shared relative to common functions.
Lesson: User Interface Configuration Framework
Lesson Overview
This lesson presents how the User Interface Configuration Framework (UICF) enables you to maintain master data fields without programming.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
Business Example
SAP delivers default behavior for GRC solution master data fields, but your organization has determined that some field behavior should be changed to better map to your existing processes and data. It is important that this not involve custom programming, as company policy severely limits SAP customization to facilitate later upgrades.
Note: Your team has proposed these changes:

Field                 | Components | Regulation-Specific? | Field Status
----------------------|------------|----------------------|-------------
Control Significance  | PC         | Yes - Financial      | Required
                      |            | Yes - FCPA           | Hidden
                      |            | Yes - Operational    | Optional
Control Nature        | All        | No                   | Hidden
Control Purpose       | All        | No                   | Required

Each of these changes can be performed without programming using the UI Configuration Framework described in this section.
For the Control Significance field, you determine that it should be required for various regulations related to financial compliance, that it is not relevant at all for the Foreign Corrupt Practices Act, and that it might be useful for operational compliance initiatives. You do this via the regulation-specific configuration by first designating the field as being specific to regulations, then by configuring the field status by regulation.

Your company does not consider the Control Nature field useful, so you want to disable it for all components. You determine that by default it is already hidden for AC, but that it is optional for both PC and RM. You configure the field status by application component to make the field status hidden also for PC and RM.

For the Control Purpose field (typically used to indicate whether a control is detective or preventive), you want to ensure that this field is required regardless of which component creates or maintains the control. You determine that by default this is required for PC, optional for RM, and hidden for AC. You configure the field status by application component to make the field status required for all components.

These changes involve configuration in the IMG and automatically update the user interface. Therefore, this should be done and tested carefully in a non-production system. It is best to severely limit changes after the system is in production.
User Interface Configuration Framework Overview
Figure 94: What the UICF Enables
Figure 95: Configuration Steps for User Interface Status at the Field Level
Figure 96: IMG Path for Configuration of UICF
The User Interface Configuration Framework settings are all maintained under the Maintain Field-Based Configuration node in the IMG.
Regulation-Specific Values
Figure 97: Regulation-Specific Configuration
Only those fields that exist in control table GRFNFLDRGSP (also appear in the F4 help list) can be regulation-specific fields. Keep in mind that regulation-specific fields relate to Process Control only.
Local Field Changes
Figure 98: Allow Local Change Configuration
Only those fields that exist in control table GRFNFLDLCHG (which also appear in the F4 help list) can be set to allow local changes. Local Changes Allowed fields relate to PC only, because they depend on the method of assigning subprocesses to organizations. That is, if during assignment of a subprocess to an organization the subprocess is set to not allow local changes (similar to assigning with reference in prior versions of PC), the settings here do not apply to that subprocess for that organization, nor to subordinate controls within that subprocess.
Setting Field Status for Applications or Regulations
Figure 99: Field Status Configuration by Application Component
Users can only maintain the UI status for those fields that exist in control table GRFNFLD (also appears in the F4 help list for Field ID). The default UI field status is Optional. The predefined Field UI Status Configuration by Application is maintained in the table GRFNAPPFLD. It is recommended that you do not make changes directly to the GRFNAPPFLD table, but instead use this IMG activity.
Figure 100: Field Status Configuration by Regulation
Users can only maintain the UI status for those fields that exist in control table GRFNFLDRGSP (also appear in the F4 help list for Field ID), which is configured by performing the Regulation-Specific Configuration discussed earlier. Once one or more regulation-specific fields have been maintained, they can be further configured here to set the field status by regulation, if desired. The default UI field status is Optional. The predefined Field UI Status Configuration by Regulation is maintained in Control table GRFNREGFLD. Currently the table GRFNREGFLD is empty, as SAP does not deliver pre-configured UI status for different regulations.
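As a worked illustration of the field status rules in this lesson and of the Business Example table, the following Python model is an added example and not SAP code. It stands in for the IMG field-based configuration and resolves the UI status a field receives for a given application component and, for Process Control, a given regulation: status by regulation wins for a field flagged regulation-specific, otherwise the status by application component applies, otherwise the default Optional. The table names GRFNFLD, GRFNFLDRGSP and GRFNFLDLCHG come from the lesson, but their contents here, the field IDs, the regulation names and the Status and UICFConfig classes are constructed assumptions.

```python
"""UI Configuration Framework field-status resolution, modelled.

Constructed example for this lesson, not SAP code. It encodes the rules the
lesson states: a UI status per application component (GRFNAPPFLD), a status
per regulation for fields flagged regulation-specific (GRFNREGFLD, Process
Control only), and Optional as the default when nothing is configured.
Table names follow the lesson; their contents and the field IDs are placeholders.
"""
from enum import Enum

class Status(str, Enum):
    REQUIRED = "Required"
    OPTIONAL = "Optional"
    HIDDEN = "Hidden"

COMPONENTS = ("AC", "PC", "RM")

# Constructed stand-ins for the control tables named in the lesson.
GRFNFLD = {"CONTROL_SIGNIFICANCE", "CONTROL_NATURE", "CONTROL_PURPOSE"}
GRFNFLDRGSP = {"CONTROL_SIGNIFICANCE"}   # may be made regulation-specific
GRFNFLDLCHG = {"CONTROL_PURPOSE"}        # may be set to allow local changes

class UICFConfig:
    """Field-based configuration as maintained in the IMG (modelled)."""

    def __init__(self):
        self.by_app = {}               # (field, component) -> Status
        self.by_regulation = {}        # (field, regulation) -> Status
        self.regulation_specific = set()
        self.local_change_allowed = set()

    def set_app_status(self, field, component, status):
        if field not in GRFNFLD:
            raise ValueError(f"{field}: not in GRFNFLD, status not configurable")
        if component not in COMPONENTS:
            raise ValueError(f"{component}: unknown application component")
        self.by_app[(field, component)] = Status(status)

    def mark_regulation_specific(self, field):
        if field not in GRFNFLDRGSP:
            raise ValueError(f"{field}: not in GRFNFLDRGSP, cannot be regulation-specific")
        self.regulation_specific.add(field)

    def set_regulation_status(self, field, regulation, status):
        # A status by regulation presupposes the regulation-specific flag.
        if field not in self.regulation_specific:
            raise ValueError(f"{field}: mark it regulation-specific first")
        self.by_regulation[(field, regulation)] = Status(status)

    def allow_local_change(self, field):
        if field not in GRFNFLDLCHG:
            raise ValueError(f"{field}: not in GRFNFLDLCHG, no local change")
        self.local_change_allowed.add(field)

    def resolve(self, field, component, regulation=None):
        """UI status of a field for a component and, in PC, a regulation."""
        if field not in GRFNFLD:
            raise ValueError(f"{field}: unknown field")
        # Regulation-specific values relate to Process Control only.
        if component == "PC" and regulation and field in self.regulation_specific:
            if (field, regulation) in self.by_regulation:
                return self.by_regulation[(field, regulation)]
        return self.by_app.get((field, component), Status.OPTIONAL)

def diff_configs(before, after, regulations=()):
    """Every (field, component, regulation, old, new) whose status changes,
    so a change set can be reviewed before it leaves the non-production system."""
    changes = []
    for fld in sorted(GRFNFLD):
        for comp in COMPONENTS:
            regs = [None]      # regulation matters only for flagged PC fields
            if comp == "PC" and fld in (before.regulation_specific
                                        | after.regulation_specific):
                regs += list(regulations)
            for reg in regs:
                old, new = before.resolve(fld, comp, reg), after.resolve(fld, comp, reg)
                if old != new:
                    changes.append((fld, comp, reg, old.value, new.value))
    return changes

def sap_defaults():
    """Delivered behaviour for the three fields as the lesson describes it."""
    cfg = UICFConfig()
    cfg.set_app_status("CONTROL_NATURE", "AC", "Hidden")     # PC, RM: Optional
    cfg.set_app_status("CONTROL_PURPOSE", "PC", "Required")
    cfg.set_app_status("CONTROL_PURPOSE", "AC", "Hidden")    # RM: Optional
    return cfg

def proposed_changes():
    """The team's proposal from the Business Example table."""
    cfg = sap_defaults()
    cfg.mark_regulation_specific("CONTROL_SIGNIFICANCE")
    for reg, status in (("Financial", "Required"), ("FCPA", "Hidden"),
                        ("Operational", "Optional")):
        cfg.set_regulation_status("CONTROL_SIGNIFICANCE", reg, status)
    for comp in COMPONENTS:
        cfg.set_app_status("CONTROL_NATURE", comp, "Hidden")
        cfg.set_app_status("CONTROL_PURPOSE", comp, "Required")
    return cfg
```

Calling diff_configs(sap_defaults(), proposed_changes(), regulations=("Financial", "FCPA", "Operational")) lists the six statuses the proposal changes against the delivered defaults; producing such a list from the non-production system is the kind of review the lesson recommends before field-status changes reach production. The validation in the setters mirrors the lesson's point that only fields present in the respective control table can be configured, and that a status by regulation is only meaningful once the field has been flagged regulation-specific.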
Lesson Summary
You should now be able to:
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
Lesson: Shared Master Data
Lesson Overview
This lesson presents how unified master data for organizations and controls is displayed in each GRC solution component, and implementation considerations related to shared master data.
Lesson Objectives
After completing this lesson, you will be able to:
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options
Business Example
SAP BusinessObjects GRC 10.0 is an integrated solution, with Risk Management, Process Control and Access Control contained in a single SAP component. These solutions work together to produce a more harmonized and complete picture of the GRC environment. Several configuration items and attributes are shared between two or more of the components. These shared items can now be set up once and consumed by any of the installed components as needed, rather than maintaining the same information in multiple places. This reduces the configuration and maintenance effort and removes the need to synchronize master data between the components, whether manually or by system, which in turn reduces both the time involved and the possibility of data being out of sync across the GRC solution.
Shared Master Data Examples
Figure 101: Master Data for Organizations Before GRC 10.0
Similar master data was created for each module, which could involve:
• Redundant maintenance
• Manual synchronization of data
• Increased risk of missing, inconsistent or incorrect master data
Figure 102: GRC 10.0: Unified Master Data for Organizations
GRC 10.0 allows creation of shared master data for organizations.
Figure 103: Master Data for Controls Before GRC 10.0
Control master data for the prior Access Control and Process Control products was created separately in each product.
Figure 104: GRC 10.0: Unified Master Data for Controls
In GRC 10.0, the control data can be shared and only those fields relevant for the specific view are displayed. Continuous control monitoring and automated testing functionality in Process Control can be used for controls used to mitigate access risks in Access Control.
Master Data Related Implementation Considerations for Organizations
Figure 105: Implementation Considerations for Organizations
Examples of Different Views of the Same Master Data Entity for Different Users
Figure 106: Organization Hierarchy Views
The available views can be used by different components in different ways. A single view can act as either the default view, or it can be the available view for none, one, or multiple components. Furthermore, each component can have one default view and multiple available views. A view that is available to a component but is not the default view for the component is only used for hierarchical organization display and reporting purposes.
Figure 107: Sample Organization Hierarchies
The above examples show the following:
1. The first hierarchy shows what a typical Compliance user might see
2. The second hierarchy shows what a Risk Management user might see
3. The third example shows what an Access Control user might see
4. The fourth example shows the Standard Hierarchy, which is defined as an available view for Access Control
Figure 108: Advanced Date Options
Advanced Date Options are available for Process Control and Risk Management and can be personalized by user. Access Control sees hierarchies as of the current date. Compliance users often work in arrears, hence the need for a Period with Year option. Risk managers more often work as of today's date, hence the need for the Date and Today options.
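The following Python model is an added example, not SAP code, illustrating the view rules stated above (a view can be the default or an available view for none, one or several components; each component has one default view and any number of available views; non-default views serve display and reporting only) together with the date options: PC and RM users resolve the hierarchy as of Today, a chosen Date, or a Period with Year, while AC always sees it as of the current date. The view assignment rows, the view and organization names, the validity dates on the nodes, and the reading of "Period with Year" as the last day of a calendar month are constructed assumptions of this model.

```python
"""Organization hierarchy views and advanced date options, modelled.

Constructed example for this lesson, not SAP code. Each component has one
default view and any number of available views; PC and RM users pick a date
option while AC always sees the hierarchy as of the current date. View names,
org names, node validity dates and the 'Period with Year' mapping are assumed.
"""
import calendar
import datetime as dt
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

COMPONENTS = ("AC", "PC", "RM")

# Constructed stand-in for the IMG 'Maintain Organization Views' entries:
# (view, application component, is this the component's default view)
VIEW_CONFIG = [
    ("COMPLIANCE", "PC", True),
    ("RISK", "RM", True),
    ("AC_VIEW", "AC", True),
    ("STANDARD", "AC", False),   # available to AC for display and reporting
    ("STANDARD", "PC", False),
]

def validate_view_config(rows):
    """Problems in a view assignment table; an empty list means it is valid."""
    problems, defaults = [], defaultdict(list)
    for view, component, is_default in rows:
        if component not in COMPONENTS:
            problems.append(f"{view}: unknown component {component}")
        if is_default:
            defaults[component].append(view)
    for component, views in defaults.items():
        if len(views) > 1:       # the lesson allows one default view per component
            problems.append(f"{component}: more than one default view {views}")
    return problems

def default_view(rows, component):
    return next((v for v, c, d in rows if c == component and d), None)

def reporting_views(rows, component):
    """All views a component may use for display and reporting."""
    return sorted({v for v, c, _ in rows if c == component})

@dataclass(frozen=True)
class OrgNode:
    org_id: str
    parent: Optional[str]        # None marks a root node
    valid_from: dt.date
    valid_to: dt.date

FOREVER, D = dt.date(9999, 12, 31), dt.date
# Constructed time-dependent hierarchies, one per view (assumption).
HIERARCHIES = {
    "COMPLIANCE": [OrgNode("GLOBAL", None, D(2010, 1, 1), FOREVER),
                   OrgNode("EMEA", "GLOBAL", D(2010, 1, 1), FOREVER),
                   OrgNode("LATAM", "GLOBAL", D(2010, 1, 1), D(2011, 3, 31)),
                   OrgNode("APAC", "GLOBAL", D(2011, 7, 1), FOREVER)],
    "AC_VIEW": [OrgNode("GLOBAL", None, D(2010, 1, 1), FOREVER),
                OrgNode("ERP_PRD", "GLOBAL", D(2010, 1, 1), FOREVER),
                OrgNode("ERP_OLD", "GLOBAL", D(2010, 1, 1), D(2011, 6, 30))],
}

def _date(value):
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)

def as_of_date(option, value=None, today=None):
    """Resolve an advanced date option to the key date of the hierarchy."""
    today = _date(today) if today else dt.date.today()
    if option == "Today":
        return today
    if option == "Date":
        return _date(value)
    if option == "Period with Year":        # value = (period, year); period = month
        period, year = value
        return dt.date(year, period, calendar.monthrange(year, period)[1])
    raise ValueError(f"unknown date option {option}")

def hierarchy_as_of(view, key_date):
    """parent -> sorted children for the nodes valid on key_date (None = roots)."""
    tree = defaultdict(list)
    for node in HIERARCHIES.get(view, []):
        if node.valid_from <= key_date <= node.valid_to:
            tree[node.parent].append(node.org_id)
    return {parent: sorted(children) for parent, children in tree.items()}

def hierarchy_for(component, option="Today", value=None, today=None):
    """What a component's user sees: its default view, as of the chosen date
    option for PC and RM, and always as of today for AC."""
    if component == "AC":
        option, value = "Today", None
    return hierarchy_as_of(default_view(VIEW_CONFIG, component),
                           as_of_date(option, value, today))
```

With these constructed nodes, a compliance user working in arrears (Period 3 with Year 2011) still sees the LATAM organization that was closed at the end of March 2011, whereas a query as of September 2011 shows APAC instead; an Access Control user is always shown the current-date view, so a Date option passed for AC is ignored. validate_view_config is the check to run over the view assignment table after maintaining it in the IMG, since a second default view for one component contradicts the rule above.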
Exercise 5: View Shared Master Data Examples
Exercise Objectives
After completing this exercise, you will be able to:
• View shared components for organizations in the IMG
• Review locally managed controls setting in the IMG
• View roles shared between business role management and access request management
Business Example
One key benefit of harmonization is that objects, such as roles and organizations, are created or loaded once and then used by more than one component of the GRC solution. Another benefit is that you can configure shared settings once and they will apply throughout the solution, for example, the ability to allow controls to be managed locally.
Task 1: View Shared Components for Organizations
In this task, you will access the IMG to view shared components for organizations.
1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
2. Enter SPRO, then choose the system OK icon or press Enter.
3. Click SAP Reference IMG.
4. Expand Governance, Risk, and Compliance.
5. Expand Shared Master Data Settings.
6. Choose Maintain Organization Views.
7. Select Maintain Organization Views Configurations, then click Choose.
8. View the Application Components listed for the Organization Views. Do not make any changes to this information.
9. Close this popup window when finished, using the system Cancel icon.
Task 2: Allow Locally Managed Controls
In this task, you will review where to maintain the ability to allow locally managed controls.
1. From Display IMG, choose Shared Master Data Settings.
2. Click the Execute icon next to Maintain Ability to Add Locally-Defined Controls.
3. Note that the Customizing Item ADD_LOCAL_DEFINED_CN is set to Active.
Task 3: View Shared Roles
View roles shared between business role management and access request management.
1. Choose the Access Management work center.
2. Scroll down to the Role Management work set, and then choose Role Search.
3. Enter Z_GRC_PR* in the Role Name field, then click Search.
4. From the search results, choose Z_GRC_PR_APM_VENDOR_MASTER to view role details.
5. On the Define Role tab, click More Details.
6. Choose the Owners/Approvers tab. On this tab you can see that this role is used for both access request management and business role management.
Solution 5: View Shared Master Data Examples
Task 1: View Shared Components for Organizations
In this task, you will access the IMG to view shared components for organizations.
1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
   a) You should be in the ABAP client and not NWBC.
2. Enter SPRO, then choose the system OK icon or press Enter.
3. Click SAP Reference IMG.
   a) SAP Reference IMG is located at the top left of the screen, just under the transaction entry field.
4. Expand Governance, Risk, and Compliance.
5. Expand Shared Master Data Settings.
   a) This is a sub-node under Governance, Risk, and Compliance.
6. Choose Maintain Organization Views.
7. Select Maintain Organization Views Configurations, then click Choose.
8. View the Application Components listed for the Organization Views. Do not make any changes to this information.
9. Close this popup window when finished, using the system Cancel icon.
Task 2: Allow Locally Managed Controls
In this task, you will review where to maintain the ability to allow locally managed controls.
1. From Display IMG, choose Shared Master Data Settings.
2. Click the Execute icon next to Maintain Ability to Add Locally-Defined Controls.
3. Note that the Customizing Item ADD_LOCAL_DEFINED_CN is set to Active.
Task 3: View Shared Roles
View roles shared between business role management and access request management.
1. Choose the Access Management work center.
   a) Launch NWBC to view work centers. Enter /nnwbc, then click the system OK icon or press Enter.
2. Scroll down to the Role Management work set, and then choose Role Search.
3. Enter Z_GRC_PR* in the Role Name field, then click Search.
4. From the search results, choose Z_GRC_PR_APM_VENDOR_MASTER to view role details.
5. On the Define Role tab, click More Details.
6. Choose the Owners/Approvers tab. On this tab you can see that this role is used for both access request management and business role management.
Lesson Summary
You should now be able to:
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options
Unit Summary
You should now be able to:
• Describe how common functions are shared across GRC solutions.
• Explain which master data can be shared relative to common functions.
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options
Test Your Knowledge
1. Ad hoc issues are issues not associated with compliance evaluations, yet are associated with a variety of business entities, such as organizations, risk, regulations, and controls. Determine whether this statement is true or false.
□ True
□ False
2. Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0. Determine whether this statement is true or false.
□ True
□ False
3. Ad hoc issues management is a common function available to those companies licensing: Choose the correct answer(s).
□ A Access Control
□ B Risk Management
□ C Process Control
□ D Access Control and Process Control
□ E Process Control and Risk Management
□ F Risk Management and Access Control
4. The ______ function allows external content to be packaged and imported to the ______ repository. Fill in the blanks to complete the sentence.
5. Organization structures, process structures, and control structures can be shared across components in the GRC 10.0 solution. Determine whether this statement is true or false.
□ True
□ False
6. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control. Determine whether this statement is true or false.
□ True
□ False
7. An automated control in the ______ solution monitors the status of access risks in the ______ solution to verify that access management is in place and operating effectively. Fill in the blanks to complete the sentence.
8. The User Interface Configuration Framework enables using a single user interface launch point for maintaining shared master data across: Choose the correct answer(s).
□ A Applications only
□ B Regulations only
□ C Applications and regulations
□ D None of the above
9. The User Interface Configuration Framework enables using common and centralized master data, while supporting entity attributes that can be specific to regulations. Determine whether this statement is true or false.
□ True
□ False
10. The User Interface Configuration Framework requires programming in order to configure which fields are relevant to each solution component (AC, PC, RM). Determine whether this statement is true or false.
□ True
□ False
11. Only those fields that exist in the control table GRFNFLDRGSP can be regulation-specific fields. Determine whether this statement is true or false.
□ True
□ False
12. Regulation-specific fields relate to Access Control only. Determine whether this statement is true or false.
□ True
□ False
13. Local Changes Allowed fields relate to Process Control only because these are dependent upon the method of assigning subprocesses to organizations. Determine whether this statement is true or false.
□ True
□ False
14. Setting field status for applications or regulations is maintained in ______. Fill in the blanks to complete the sentence.
15. Shared master data involves: Choose the correct answer(s).
□ A Manual synchronization of data
□ B Decreased risk of inconsistent master data
□ C Redundant maintenance
□ D Required sharing of organizations
16. Prior to GRC 10.0, master data for Access Control and Process Control were created once and shared by both solution components. Determine whether this statement is true or false.
□ True
□ False
17. In GRC 10.0 control data can be shared by Access Control and Process Control, and only those fields relevant for the specific view are displayed. Determine whether this statement is true or false.
□ True
□ False
18. Master data-related implementation considerations for organizations include: Choose the correct answer(s).
□ A To what extent will companies share harmonized structures
□ B To what extent does the company work in separate silos
□ C Who is responsible for maintaining organization hierarchies
□ D How does a company plan to evolve in the future
19. Organization hierarchy views are initially set up in the IMG. Determine whether this statement is true or false.
□ True
□ False
20. Each solution component can have one default view and multiple available views, which are used only for hierarchical organization display and reporting purposes. Determine whether this statement is true or false.
□ True
□ False
Answers
1. Ad hoc issues are issues not associated with compliance evaluations, yet are associated with a variety of business entities, such as organizations, risk, regulations, and controls.
Answer: True
The statement is true.
2. Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.
Answer: True
The statement is true.
3. Ad hoc issues management is a common function available to those companies licensing:
Answer: B, C, E
B, C, and E are correct. Ad hoc issues management is a common function available to those companies licensing Process Control, Risk Management, or both.
4. The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository.
Answer: Content Lifecycle Management (CLM), CLM
The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository.
5. Organization structures, process structures, and control structures can be shared across components in the GRC 10.0 solution.
Answer: True
The statement is true.
6. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control.
Answer: True
The statement is true.
7. An automated control in the Process Control solution monitors the status of access risks in the Access Control solution to verify that access management is in place and operating effectively.
Answer: Process Control, Access Control
An automated control in the Process Control solution monitors the status of access risks in the Access Control solution to verify that access management is in place and operating effectively.
8. The User Interface Configuration Framework enables using a single user interface launch point for maintaining shared master data across:
Answer: C
C is correct: Applications and regulations
9. The User Interface Configuration framework enables using common and centralized master data, while supporting entity attributes that can be specific to regulations.
Answer: True
The statement is true.
10. The User Interface Configuration Framework requires programming in order to configure which fields are relevant to each solution component (AC, PC, RM).
Answer: False
The UCIF allows you to configure without programming which fields are relevant to each solution component.
11. Only those fields that exist in the control table GRFNFLDRGSP can be regulation-specific fields.
Answer: True
The statement is true.

12. Regulation-specific fields relate to Access Control only.
Answer: False
Regulation-specific fields relate to Process Control only.

13. Local Changes Allowed fields relate to Process Control only because these are dependent upon the method of assigning subprocesses to organizations.
Answer: True
The statement is true.

14. Setting field status for applications or regulations is maintained in the IMG.
Answer: the IMG
Setting field status for applications or regulations is maintained in the IMG.

15. Shared master data involves:
Answer: B
Shared master data involves decreased risk of inconsistent master data. Sharing of organizations is optional, but not required.

16. Prior to GRC 10.0, master data for Access Control and Process Control were created once and shared by both solution components.
Answer: False
The statement is false. Prior to GRC 10.0, master data for Access Control and Process Control were created separately in each product.
17. In GRC 10.0 control data can be shared by Access Control and Process Control, and only those fields relevant for the specific view are displayed.
Answer: True
The statement is true.

18. Master data-related implementation considerations for organizations include:
Answer: A, B, C, D
All choices are correct.

19. Organization hierarchy views are initially set up in the IMG.
Answer: True
The statement is true.

20. Each solution component can have one default view and multiple available views, which are used only for hierarchical organization display and reporting purposes.
Answer: True
The statement is true.
Unit 5: Implementation and Configuration

Unit Overview
This unit presents IMG organization for GRC 10.0 and how to navigate the IMG by solution and common settings. Basic and common customizing tasks are highlighted, as well as configuring application-specific IMG nodes. Functional implementation is introduced, including project teams, prerequisite tasks, and an overview of the implementation process.
Unit Objectives
After completing this unit, you will be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process
Unit Contents
Lesson: Streamlined Configuration ............................................... 184
Exercise 6: Review the IMG Structure ....................................... 189
Lesson: Functional Implementation .............................................. 197
Exercise 7: Review System Configuration .................................. 205
Lesson: Streamlined Configuration

Lesson Overview
This lesson describes the IMG (Implementation Guide) organization for GRC 10.0, including shared configuration and product-specific configuration.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
Business Example
In prior releases, configuration of Process Control and Risk Management consisted of separate IMG activities with some overlap. Prior Access Control releases did not provide configuration using the IMG. To streamline configuration, the GRC 10.0 solutions' IMG identifies activities which are shared among multiple products.
IMG Organization for GRC 10.0
Figure 109: GRC Implementation Guide (IMG)
On the left is an example of collapsed activities in the IMG for Process Control and Risk Management 3.0. In this IMG structure, if you implemented both products, you would have to perform some similar activities twice, that is, once for each product. On the right side is an example of partially collapsed activities for GRC 10.0 solutions. Activities that relate to more than one product are configured in one place. Because some functions are now shared by multiple applications in GRC, the new IMG structure provides a clear picture of which customizing activities are common and which are application-specific. For detailed usage and customizing steps, please refer to the IMG documentation and Installation Guide.
Figure 110: Customizing IMG Structure for GRC 10.0
Basic and Common Customizing Tasks
To access the IMG, first log into the ABAP client for GRC 10.0, then execute transaction SPRO. Click SAP Reference IMG to view the IMG nodes and customizing activities. From here, you can configure:
• General settings as needed for Access Control, Process Control, or Risk Management
• Shared master data settings
• Reporting
• Common component settings for those components in use
Figure 111: Basic and Common Customizing for Access Control, Process Control, and Risk Management
Prerequisites Before Beginning the Functional Implementation
1. Complete technical setup
2. Activate applicable BC sets based upon customer requirements
3. Obtain the authorization roles necessary for access to the IMG

Note: Only activate the timeframe-related BC sets if the customer is on a calendar year because January to December is delivered in the BC set.
Some IMG activities are only needed if you would like to change the delivered structure or behavior of the system. Look at the help icon to the left of each task for in-depth instructions in the IMG.
Configuring Product-Specific IMG Nodes
After basic and common customizing, configure the product-specific IMG nodes for the licensed products to be implemented. If some products are licensed but are not yet being implemented, there is no need to configure them.
Figure 112: Product-Specific Customizing for Access Control, Process Control, and Risk Management
IMG Customizing Documentation
Documentation for IMG customizing is contained within the IMG itself. IMG customizing is performed by users assigned the following roles:
• SAP_GRAC_SETUP for AC
• SAP_GRC_SPC_CUSTOMIZING for PC
• SAP_GRC_RM_CUSTOMIZING for RM
Exercise 6: Review the IMG Structure

Exercise Objectives
After completing this exercise, you will be able to:
• Locate IMG nodes for general and report settings
• Locate IMG nodes for common component settings
• Locate IMG nodes for Access Control, Process Control, and Risk Management
Business Example Before you begin configuration, it is important to familiarize yourself with the sections of the IMG that pertain to general and shared settings across the GRC solution, as well as component-specific sections that pertain to each application component.
Task 1: View General Settings
View general settings in the IMG.
1. Log on to the ABAP client (ZMC) as user XX_CUSTOM, where XX is your Participant ID.
2. Enter SPRO in the transaction field, then click the system OK icon or press Enter.
3. Click SAP Reference IMG.
4. Expand Governance, Risk, and Compliance.
5. Expand the General Settings node.
6. Explore the various settings and sub-nodes.
7. Click the Execute icon next to Maintain Entity Role Assignment.
8. What are the roles associated with the RISK Entity?
Task 2: View Report Settings
View common report settings in the IMG.
1. Click the system Back icon to return to the Display IMG screen.
2. Expand the Reporting node to explore the various settings and sub-nodes.
3. Click the Execute icon next to Maintain Report Configuration.
4. Click the Checked icon when you receive the cross-client message.
5. Review the report configuration settings in this area.
6. What are the two report types displayed on the first screen?
Task 3: View Common Component Settings
View settings common to all GRC solution components in the IMG.
1. Click the system Back icon to return to the Display IMG screen.
2. Expand the Common Component Settings node.
3. Expand the nodes in this section and explore the various settings.
4. Click the Execute icon next to Maintain Policy Types and Distribution Methods.
5. What are the Policy Type Descriptions listed here?
Task 4: View Access Control Settings
View Access Control-specific settings in the IMG.
1. Locate and expand the Access Control node to explore the various settings and sub-nodes.
2. Click the Execute icon next to Maintain Access Risk Levels.
3. What risk levels are listed here?
Task 5: View Process Control Settings
View Process Control-specific settings in the IMG.
1. Click the system Back icon to return to the Display IMG screen.
2. Locate and expand the Process Control node to explore the various settings and sub-nodes.
3. Expand the Reporting sub-node. Note that you viewed general Reporting settings earlier and that this Reporting section is specific to Process Control.
4. Click the Execute icon next to Activate BAdI for Weighting of a Report Line During Aggregation.
5. What is the Return Weight for every line?
Task 6: View Risk Management Settings
View Risk Management-specific settings in the IMG.
1. Click the Cancel icon to exit the BAdI Weighting window.
2. Click the system Back icon to return to the Display IMG screen.
3. Locate and expand the Risk Management node to explore the various settings and sub-nodes.
4. Expand the Incident Loss Database node.
5. Click the Execute icon next to Maintain Risk and Opportunity Priority IDs.
6. What are the priority descriptions listed here?
Solution 6: Review the IMG Structure

Task 1: View General Settings
View general settings in the IMG.
1. Log on to the ABAP client (ZMC) as user XX_CUSTOM, where XX is your Participant ID.
   a) Your password is the one you chose when you first logged onto the system with this user ID.
2. Enter SPRO in the transaction field, then click the system OK icon or press Enter.
   a) Perform this task in the ABAP client, not in the NWBC.
3. Click SAP Reference IMG.
4. Expand Governance, Risk, and Compliance.
5. Expand the General Settings node.
6. Explore the various settings and sub-nodes.
7. Click the Execute icon next to Maintain Entity Role Assignment.
8. What are the roles associated with the RISK Entity?
   a) SAP_GRC_RM_API_RISK_OWNER and SAP_GRC_RM_API_RISK_EXPERT
Task 2: View Report Settings
View common report settings in the IMG.
1. Click the system Back icon to return to the Display IMG screen.
2. Expand the Reporting node to explore the various settings and sub-nodes.
3. Click the Execute icon next to Maintain Report Configuration.
4. Click the Checked icon when you receive the cross-client message.
5. Review the report configuration settings in this area.
6. What are the two report types displayed on the first screen?
   a) End-User and System
Task 3: View Common Component Settings
View settings common to all GRC solution components in the IMG.
1. Click the system Back icon to return to the Display IMG screen.
2. Expand the Common Component Settings node.
3. Expand the nodes in this section and explore the various settings.
4. Click the Execute icon next to Maintain Policy Types and Distribution Methods.
5. What are the Policy Type Descriptions listed here?
   a) Policy, Procedure, Work Instruction, Standard, SOP
Task 4: View Access Control Settings
View Access Control-specific settings in the IMG.
1. Locate and expand the Access Control node to explore the various settings and sub-nodes.
2. Click the Execute icon next to Maintain Access Risk Levels.
3. What risk levels are listed here?
   a) Medium, High, Low, Critical
Task 5: View Process Control Settings
View Process Control-specific settings in the IMG.
1. Click the system Back icon to return to the Display IMG screen.
2. Locate and expand the Process Control node to explore the various settings and sub-nodes.
3. Expand the Reporting sub-node. Note that you viewed general Reporting settings earlier and that this Reporting section is specific to Process Control.
4. Click the Execute icon next to Activate BAdI for Weighting of a Report Line During Aggregation.
5. What is the Return Weight for every line?
   a) The return weight = 1
Task 6: View Risk Management Settings
View Risk Management-specific settings in the IMG.
1. Click the Cancel icon to exit the BAdI Weighting window.
2. Click the system Back icon to return to the Display IMG screen.
3. Locate and expand the Risk Management node to explore the various settings and sub-nodes.
4. Expand the Incident Loss Database node.
5. Click the Execute icon next to Maintain Risk and Opportunity Priority IDs.
6. What are the priority descriptions listed here?
   a) Least Important, Important, Very Important
Lesson Summary
You should now be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
Lesson: Functional Implementation

Lesson Overview
This lesson presents an overview of the functional implementation process, including potential project team members and their roles, prerequisite tasks, and implementation tasks performed during each phase of the project.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process
Business Example
A company is embarking on an SAP BusinessObjects GRC 10.0 implementation. During the Project Preparation and Blueprinting phase, the project manager will need to identify the necessary members of the project team, including those who may be stakeholders, and understand the prerequisites that must be completed before the functional team is engaged. During this time, the Project Manager will also need to create a Project Timeline of the tasks to be completed, depending upon the solution or solutions being implemented (or, in some cases, to be implemented in the future).
Project Teams You will most likely work on a team to complete a functional implementation. Project teams vary, depending on which applications are in use.
Figure 113: GRC Project Teams
Solution or Application Consultants are experts in specific solution or application areas and focus on implementation. Tasks include analyzing business process requirements and then transferring those into the software, as well as performing configuration tasks. These consultants advise a customer about the generic functionality and the options for customizing in order to suit the specific customer requirements.

Technology Consultants perform tasks such as evaluating landscape choices, analyzing hardware and software requirements, and evaluating sizing requirements. These consultants install software, activate and set up required tools, and activate Business Configuration (BC) sets, in addition to other technical tasks. In general, they prepare the system to be ready for the functional implementation.

Security Consultants may perform similar tasks as a Solution or Application Consultant, and have some overlapping areas with a Technology Consultant, for example, evaluating sizing requirements.

IT Administrators perform tasks such as setting up automated mail service, copying and modifying user roles, setting up users and assigning roles, performing functional and integration tests, and monitoring the go-live process. IT Administrators may also monitor ongoing system performance and provide support for workflow administration.

Project Managers in a software implementation are responsible for managing a project team and the successful "going live" of a solution within time and budget. Among other duties, they plan project phases, monitor the project progress, handle change requests, and lead communication with the client, as well as between the project and steering committee.

Business Users are a subset of users that typically reference non-transactional activities. They use the software to collect and analyze data that help them support making business decisions. These users are focused on creating new strategies and making decisions based on information from a variety of sources. Examples of business users include Internal and External Auditors, Risk Managers, and Compliance Managers.
Power Users are a subset of End Users who perform additional tasks beyond an End User's profile in a specific application area, for example, assigning user profiles. They often serve as first support and fulfill a training role for other end users.

Executives are responsible for business transformation and SAP selection and deployment. They have a very broad responsibility, but require expert assistance in specific areas; for example, they may be in charge of IT landscape strategy and the implementation of business requirements. They may also monitor the degree of user acceptance and system optimization after implementation.

A Works Council typically reviews generic user tasks against tasks that the Works Council represents. Popular in Europe, a Works Council has the task of promoting the interests both of the enterprise and of its workforce and serves to reduce workplace conflict by improving and systematizing communication channels. They give representatives of workers in large multinational companies a direct line of communication to top management and make sure that workers in different countries are all told the same thing at the same time about transnational policies and plans.
Prerequisite Tasks
Figure 114: Prerequisite Tasks
Prerequisites before beginning the functional implementation include:
1. Technical setup should be complete before you begin these steps. Technical setup is typically performed by the Technology Consultant and IT Administrator. Example tasks include specifying system architecture, such as identifying front end and reporting components, defining transport mechanisms and the integration framework, and validating different steps during installation, including validating proper ABAP installation.
2. Activate applicable Business Configuration (BC) sets based upon customer requirements. While in the IMG, click Existing BC Sets to see the BC sets appear in a column to the right of the tasks. Only activate the timeframe-related BC sets if the customer is on a calendar year, as January to December is delivered in the BC set.
3. You must have the necessary authorization roles that allow access to the IMG:
   • SAP_GRAC_SETUP for Access Control configuration
   • SAP_GRC_SPC_CUSTOMIZING for Process Control configuration
   • SAP_GRC_RM_CUSTOMIZING for Risk Management configuration
Implementation Process
Figure 115: Implementation Process Overview
Once the implementation is complete, you will conduct daily, regular business. While doing this, you will enjoy the benefits of preventive governance, risk, and compliance management.
Figure 116: Design the Solution
Listed here are general tasks for the Design phase of the implementation; they may differ depending on region and business needs. For example, Security Consultants typically ensure and discuss regional data security requirements and act as a NB Works Council liaison. When gathering parameters regarding processes, Security Consultants may also define a responsibility matrix during this phase.
Figure 117: Install or Upgrade and Migrate
Note: During this implementation phase, it is important to ensure that the Pre-10.0 production system data is preserved for auditing purposes, including old log files.
Figure 118: Configure Access Control
Figure 119: Implement
Figure 120: Optimize and Enhance
Exercise 7: Review System Configuration

Exercise Objectives
After completing this exercise, you will be able to:
• Review configuration settings in the IMG
• Review existing BC sets in the IMG
Business Example Before beginning the functional implementation, it is important to verify technical settings and activated BC sets.
Task 1: View General Configuration Settings and Activated BC Sets
View general configuration settings and the associated activated BC sets in the IMG.
1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
2. Enter SPRO in the Transaction Entry field and click the system OK icon or press Enter.
3. Click SAP Reference IMG.
   Caution: Do not make configuration changes. Review current settings only.
4. Click Existing BC Sets at the top of the screen.
5. Expand nodes to view configuration that is maintained in each section, as well as the activated BC sets. Begin with expanding Governance, Risk, and Compliance → General Settings. View Maintain Customer Specific Menus, Key Attributes, Authorizations, Workflow, Shared Master Data Settings, and Reporting.
Task 2: View Component-Specific Settings and Activated BC Sets
View component-specific configuration settings and associated activated BC sets in the IMG.
1. Expand the Access Control node, then note the configuration settings and activated BC sets for this section.
2. Expand the Process Control node, then note the configuration settings and activated BC sets for this section.
3. Expand the Risk Management node, then note the configuration settings and activated BC sets for this section.
Solution 7: Review System Configuration

Task 1: View General Configuration Settings and Activated BC Sets
View general configuration settings and the associated activated BC sets in the IMG.
1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
   a) You changed your password upon initial system logon.
2. Enter SPRO in the Transaction Entry field and click the system OK icon or press Enter.
   a) You are working in the ABAP Client and not in the NWBC.
3. Click SAP Reference IMG.
   Caution: Do not make configuration changes. Review current settings only.
4. Click Existing BC Sets at the top of the screen.
   a) Existing BC Sets is located just under Display IMG.
5. Expand nodes to view configuration that is maintained in each section, as well as the activated BC sets. Begin with expanding Governance, Risk, and Compliance → General Settings. View Maintain Customer Specific Menus, Key Attributes, Authorizations, Workflow, Shared Master Data Settings, and Reporting.
Task 2: View Component-Specific Settings and Activated BC Sets
View component-specific configuration settings and associated activated BC sets in the IMG.
1. Expand the Access Control node, then note the configuration settings and activated BC sets for this section.
2. Expand the Process Control node, then note the configuration settings and activated BC sets for this section.
3. Expand the Risk Management node, then note the configuration settings and activated BC sets for this section.
Lesson Summary
You should now be able to:
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process
Unit Summary
You should now be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process
Test Your Knowledge

1. To access the IMG, first log onto the ABAP client for GRC 10.0, then execute transaction SPRO. Determine whether this statement is true or false.
□ True
□ False

2. From the IMG, you can configure: Choose the correct answer(s).
□ A General settings for Access Control, Process Control, or Risk Management
□ B Shared master data settings
□ C Reporting
□ D Common component settings for those solution components in use.

3. Before beginning the functional implementation, you must activate BC sets, based upon customer requirements. Determine whether this statement is true or false.
□ True
□ False

4. Documentation for IMG Customizing is contained within the IMG itself. Determine whether this statement is true or false.
□ True
□ False

5. IMG customizing is performed by users assigned the following roles: Choose the correct answer(s).
□ A SAP_GRAC_SETUP
□ B SAP_GRC_SAC_CUSTOMIZING
□ C SAP_GRC_RM_CUSTOMIZING
□ D SAP_GRC_SPC_CUSTOMIZING
□ E SAP_GRPC_SETUP
□ F SAP_GRC_PC_CUSTOMIZING
6. Business Users, such as Internal and External Auditors, are a subset of users that typically: Choose the correct answer(s).
□ A Reference non-transactional activities
□ B Use the software to collect and analyze data to support business decisions
□ C Serve as first support for end users
□ D Fulfill a training role for other end users

7. Which of the following are not part of the project team? Choose the correct answer(s).
□ A Executives
□ B Works Council
□ C All end users
□ D Power users

8. Technical setup should be complete before beginning the functional implementation. Determine whether this statement is true or false.
□ True
□ False

9. A POC, prototype, or integration plan is typically developed during which phase? Choose the correct answer(s).
□ A Implement
□ B Configure
□ C Optimize/Enhance
□ D Design

10. During the Install/Upgrade & Migrate phase, you do not have to preserve Pre-10.0 production system data or old log files. Determine whether this statement is true or false.
□ True
□ False
Answers

1. To access the IMG, first log onto the ABAP client for GRC 10.0, then execute transaction SPRO.
Answer: True
The statement is true.

2. From the IMG, you can configure:
Answer: A, B, C, D
All choices are correct.

3. Before beginning the functional implementation, you must activate BC sets, based upon customer requirements.
Answer: True
The statement is true.

4. Documentation for IMG Customizing is contained within the IMG itself.
Answer: True
The statement is true.

5. IMG customizing is performed by users assigned the following roles:
Answer: A, C, D
The correct answers are A, C, and D: SAP_GRAC_SETUP for AC, SAP_GRC_RM_CUSTOMIZING for Risk Management, and SAP_GRC_SPC_CUSTOMIZING for Process Control.

6. Business Users, such as Internal and External Auditors, are a subset of users that typically:
Answer: A, B
A and B are correct: Business Users reference non-transactional activities and use the software to collect and analyze data to support business decisions.
7. Which of the following are not part of the project team?
Answer: C
All end users are not included in the project team.

8. Technical setup should be complete before beginning the functional implementation.
Answer: True
The statement is true.

9. A POC, prototype, or integration plan is typically developed during which phase?
Answer: D
The correct answer is the Design phase.

10. During the Install/Upgrade & Migrate phase, you do not have to preserve Pre-10.0 production system data or old log files.
Answer: False
The statement is false; during this phase, it is important to ensure that the Pre-10.0 production system data is preserved for auditing purposes, including old log files.
Unit 6: Reporting

Unit Overview
This unit presents an overview of the harmonized reporting framework, as well as navigating and customizing reports, and Crystal report integration.
Unit Objectives
After completing this unit, you will be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts
Unit Contents
Lesson: Harmonized Reporting Framework ..................................... 218
Exercise 8: Run Reports and View Dashboards ........................... 227
Lesson: Harmonized Reporting Framework
Lesson Overview
This lesson presents an overview of the reporting framework in GRC 10.0 and how to configure reports without programming.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts
Business Example
A company wants to provide the reporting tools needed to supply information from a governance, risk and compliance perspective. SAP BusinessObjects GRC 10.0 allows the flexibility to deliver reports in different formats (OnScreen, Excel, Crystal Reports, Dashboards) and with specific attributes. The flexibility provided by the Reporting Framework makes it easy to create variants that can be saved and reused at a later date or in continuing operations.
Harmonized Reporting Framework Overview
Figure 121: GRC 10.0 Harmonized Reporting Framework Key Capabilities
IMG Report Configuration
Figure 122: IMG Report Configuration
Access Control will use the reporting infrastructure to define the reports and attributes, but not the Reporting Datamart.
To configure report settings in the IMG, execute transaction SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Reporting.
Additional report settings for Process Control can be found at SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Process Control → Reporting.
Report Navigation
Figure 123: Report Navigation - Work Center Example
Each work center contains reports relevant to its business function. For example, the master data work center displayed above shows reports directly related to master data structures from the point of view of a Process Control user. If you were to go to the Assessments work center, you would instead see reports relevant to assessments and other evaluations. The actual reports available in each work center will vary based upon user authorization.
Figure 124: Report Navigation: Reports and Analytics Work Center
The delivered Reports and Analytics work center is set up with an area for frequently used management, compliance and access management reports. However, this can also be adapted by the customer. If desired, the reports shown here can be configured to include reports also shown in the other work centers.
Reporting Framework for Customizing Reports
To configure a new report without programming, you do not need to create the report from scratch. First, copy an existing report, then make changes to the copy.
Figure 125: Create a New Report: Maintain View Cluster VC_GRFNREPCUST
This transaction may be added to the IMG to make it easier to configure reports. As shown above, this is done by maintaining the view cluster VC_GRFNREPCUST.
Figure 126: Create a New Report: Copy Source Report
Figure 127: Create a New Report: Maintain Columns and Filters
Maintaining Columns allows you to determine the order of columns in the report. There may be other options available depending upon the product to which the report relates. For example, for a Process Control report, you may be able to indicate the behavior of columns related to regulations. Maintaining Filters allows you to determine selection screen filters and related behavior.
Figure 128: Setting Default Columns - Process Control and Risk Management Only
Default columns for a report can be defined in VC_GRFNREPCOLUMNSC. This is similar to the procedure shown on prior screens. However, the output determines what is shown on the personalization screens for Process Control and Risk Management, as shown above. The initial population of the fields selected is taken from the default columns in VC_GRFNREPCOLUMNSC, and you can then further personalize the columns by moving fields between the Selected and Available columns.
Crystal Integration
GRC 10.0 reports are delivered with three layout options, which provide significant flexibility without programming.
Figure 129: Layout Options for Delivered Reports
Figure 130: Crystal Integration Comparison of Options
There is no single dominant or best-practice reporting option here. Choose which report option(s) you will support based on business requirements. As you see above, the ALV grid and the output of the ALV grid to the generic Crystal template are the same, except for the ability to collapse and expand hierarchies.
Figure 131: Examples of Report Display Options
The above figure shows a hierarchical report displayed using the three options. Each option takes the same data and presents it with the benefits and constraints of its technology and format.
Exercise 8: Run Reports and View Dashboards
Exercise Objectives
After completing this exercise, you will be able to:
• View Risk Management dashboards
• View Compliance dashboards for Process Control
• View Access Management dashboards for Access Control
• Save a report variant
Business Example You want to review information about your company’s risks, compliance status, and access risks. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics.
Task 1: View Risk Management Dashboards
View Management dashboards for Risk Management.
1. Launch the NetWeaver Business Client or log into the SAP GUI.
2. Choose the Reports and Analytics work center.
3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.
4. Choose a currency, then click OK.
5. Explore the Risk Heatmap. Do you recall the configuration settings you viewed in the IMG for this display, for example, colors associated with risk levels? Those display settings are seen here.
6. Close the Heatmap when finished.
Task 2: View Compliance Dashboards for Process Control
View Compliance Dashboards for Process Control from the Reports and Analytics work center.
1. Choose the Overall Compliance Status dashboard under the Compliance work set.
2. Enter Year for the Period and 2010 for the Year, then click Refresh.
3. View the Compliance Metrics displayed. Click the links to view details, beginning with % of Ineffective Controls.
4. Choose different display and sort settings. Switch between Number and Percentage views.
Task 3: View Access Management Dashboards
View Access Management Dashboards for Access Control in the Reports and Analytics work center.
1. Under the Access Management work set, choose User Risk Violation.
2. Use the drop down arrows to view the analysis criteria options available.
3. Enter the following information on the Risk Analysis: User Level screen:

   Field              Data Value
   System             ZMGCLNT800
   User               GRCRA2
   User Group         (Leave blank)
   Custom Group       (Leave blank)
   Risk Level         High
   Rule Set           Global
   User Type          Dialog
   Remaining Fields   Accept default values

4. Save this variant as XX_Variant, where XX is your Participant ID.
5. Click Save.
6. Choose the Saved Variants drop down arrow. Your newly saved variant should be listed here.
7. Click Run in Foreground, then view analysis results.
Solution 8: Run Reports and View Dashboards
Task 1: View Risk Management Dashboards
View Management dashboards for Risk Management.
1. Launch the NetWeaver Business Client or log into the SAP GUI.
   a) From the ABAP client, enter /nnwbc, then choose /nwbc in the NWBC launchpad window.
2. Choose the Reports and Analytics work center.
3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.
   a) Choose Reports and Analytics → Management → Heatmap
4. Choose a currency, then click OK.
5. Explore the Risk Heatmap. Do you recall the configuration settings you viewed in the IMG for this display, for example, colors associated with risk levels? Those display settings are seen here.
6. Close the Heatmap when finished.
Task 2: View Compliance Dashboards for Process Control
View Compliance Dashboards for Process Control from the Reports and Analytics work center.
1. Choose the Overall Compliance Status dashboard under the Compliance work set.
   a) Choose Reports and Analytics → Compliance work set → Overall Compliance Status
2. Enter Year for the Period and 2010 for the Year, then click Refresh.
   a) Period: Year; Year: 2010
3. View the Compliance Metrics displayed. Click the links to view details, beginning with % of Ineffective Controls.
4. Choose different display and sort settings. Switch between Number and Percentage views.
Task 3: View Access Management Dashboards
View Access Management Dashboards for Access Control in the Reports and Analytics work center.
1. Under the Access Management work set, choose User Risk Violation.
   a) Choose Reports and Analytics → Access Management → User Risk Violation
2. Use the drop down arrows to view the analysis criteria options available.
3. Enter the following information on the Risk Analysis: User Level screen:

   Field              Data Value
   System             ZMGCLNT800
   User               GRCRA2
   User Group         (Leave blank)
   Custom Group       (Leave blank)
   Risk Level         High
   Rule Set           Global
   User Type          Dialog
   Remaining Fields   Accept default values

4. Save this variant as XX_Variant, where XX is your Participant ID.
5. Click Save.
6. Choose the Saved Variants drop down arrow. Your newly saved variant should be listed here.
7. Click Run in Foreground, then view analysis results.
Lesson Summary
You should now be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts
Unit Summary
You should now be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts
Test Your Knowledge
1. Users can see all reports presented in the information architecture, regardless of their user authorization. Determine whether this statement is true or false.
□ True
□ False
2. Which of the following reports might you find in the Master Data Work Center? Choose the correct answer(s).
□ A Reports related to compliance structure
□ B Reports related to user authorization analysis
□ C Reports related to audit analysis
□ D Reports related to access rule detail
3. Which transaction is executed in order to maintain view cluster VC_GRFNREPCUST?
4. Reports can be displayed in Crystal while leveraging built-in ABAP List Viewer (ALV) functionality. Determine whether this statement is true or false.
□ True
□ False
Answers
1. Users can see all reports presented in the information architecture, regardless of their user authorization. Answer: False. Reports are presented in the information architecture based upon user authorization.
2. Which of the following reports might you find in the Master Data Work Center? Answer: A, C. Reports related to compliance structure and audit analysis can be found in the Master Data work center. Reports related to user authorization analysis and access rules share a target user function and can be found in the Reports and Analytics work center under Access Management.
3. Which transaction is executed in order to maintain view cluster VC_GRFNREPCUST? Answer: SM34
4. Reports can be displayed in Crystal while leveraging built-in ABAP List Viewer (ALV) functionality. Answer: True. The statement is true.
Course Summary
You should now be able to:
• Introduce SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
• Identify key governance, risk, and compliance processes supported in the GRC 10.0 solution
• Describe key features and business benefits of the integrated solution
• Identify applications that integrate with the GRC 10.0 solution
• Describe the purpose and location of key user interface components
• Discuss harmonized navigation and how authorizations affect what users see
• Describe how common functions and relative master data are shared across GRC solutions
• Describe the IMG organization for GRC 10.0
• Describe a general implementation process and key steps
• Configure report presentation, structure, and content
Feedback SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.