Sunday, 7 December 2025

GRC - Shared SAP GRC Configuration

This configuration is done in the GRC system.

IMG screen in GRC system.

T-code for IMG - SPRO



* General Settings, Shared Master Data Settings, Reporting and Common Component Settings are common settings for Access Control, Process Control and Risk Management customizing.

Then we have:
Access Control --> specific to Access Control.
Process Control --> specific to Process Control.
Risk Management --> specific to Risk Management.


Step 1:





* Based on the license we have with SAP, the relevant components need to be activated.
Once the components are activated in the IMG, the component-specific information is visible in NWBC.

Step 2:


Create one admin user, GRAC_ALL, in both the GRC and the ERP system.
Roles tab --> SAP_GRAC*
Add all roles matching the filter SAP_GRAC* to the user.
SAVE


Step 3:

Login to ERP system

Create user GRAC_ALL in the ERP system.
Add profiles --> SAP_ALL & SAP_NEW
SAVE

Step 4:

From GRC system.

Access T-code: SPRO
Click on - SAP Reference IMG










Now click on the clock symbol next to General Settings.







Click on -> New Entries
Select the required component:
1. GRC-AC - Access Control.
2. GRC-PC - Process Control.
3. GRC-RM - Risk Management.

Click on the Active check box to activate the related component data, SAVE, and then provide the transport request (TR) details.






Step 5:

Create a logical system in the GRC system.

T-code: BD54
<SID>CLNT<client no.>


Transport request no. 2


Step 6:

Access T-code - SCC4

Assign the logical system created in Step 5 to the respective client.

Step 7: In the ERP (satellite) system:
Login with user: GRAC_ALL

Ensure the correct logical system is updated in the ECC (satellite) system.

Step 8: RFC connection

Communication user in the ERP system:
User Name: RFC_GRCAC
Profiles: SAP_ALL and SAP_NEW

Step 9:

Communication user in the GRC system:
User Name: RFC_GRCAC
Profiles: SAP_GRAC_ALL


* Role SAP_GRAC_ALL is the super-user role with all authorizations of the GRC AC component.

Step 10:

Now, from the GRC system, access T-code: SM59
Click on Create and choose an ABAP type RFC connection.

RFC Destination: <Logical system name of the ERP system, including client, e.g. ERPCLNT500>
Connection type: 3
Description: GRC to ERP RFC connection

In the Technical Settings tab:
Target Host: <host name of the ERP system>
Instance No.: <instance number of the ERP system>

Go to the Logon & Security tab:
Client no.
User: RFC_GRCAC
Password:
SAVE

Utilities --> Connection test
          --> Authorization test


Step 11:
Login to the ERP (satellite) system with user: GRAC_ALL

Access T-code: SM59
Create an ABAP RFC connection.
RFC Destination: <Logical system name of the GRC system>
Connection type: 3
Description: ERP to GRC
Technical Settings tab:
Target Host: <GRC system host name>
Instance no.: <instance number of the GRC system>
Client: <client no. of the GRC system>
User: RFC_GRCAC
Password:

SAVE

Utilities --> Connection test & Authorization test.

Step 12:
Now login to the GRC system.

Access T-code: SPRO --> SAP Reference IMG --> Governance, Risk and Compliance --> Common Component Settings --> Integration Framework --> Maintain Connectors and Connection Types.

The SAP SYSTEM option is already available in the screen below; if not, we can create it by selecting the New Entries option.


Select SAP : SAP SYSTEM option --> Click on Define Connectors







Resultant screen:


Now, from the above screen, click on --> New Entries --> select the RFC connection name of the ERP system.


Connection type: SAP, as the ABAP system is an SAP-based system.



Source connector: <GRC system logical system name>
Logical port: <logical system name of the ERP system>
Max No. of BG: 3



Now, navigate to Define Subsequent Connectors.


If we have any subsequent system to pull the same data from, that can be maintained here, in the Define Subsequent Connectors section.

Define Connector Group:


Conn. Group: free text - SAP_R3_LG
Connector Group Text: free text - SAP R/3
Conn. Type: help button --> SAP



 

Select the above connector Group --> Click on Assign Connector Groups to Group types.



From the drop-down --> select Logical Group





SAVE --> Provide the TR number.

Once the TR is saved, do the three steps shown below.



With the above process, Maintain Connectors and Connection Types is complete.



                                  ---------------------------------------XXX-------------------------------------



Now we need to Maintain Connection Settings,
to maintain the ERP (satellite) system details.


Out of the 5 options, we can do all 5 integration scenarios shown below.
But choose the AUTH type now.




Select the AUTH option --> Click on Scenario-Connection Type Link.



1. is already configured, so nothing needs to be done here.
2. Click on Scenario-Connector Link.




Here we need to define the Target Connector Link. Click on New Entries.
Select the target connector logical system.



Press Enter; Conn. Type and Connection Type Text are then filled in automatically based on the previous configuration.




Save the change into a transport request.


Out of the 5 options, we can do all 5 integration scenarios shown below.
But choose the PROV type now.




Select the PROV option --> Click on Scenario-Connection Type Link.



1. is already configured, so nothing needs to be done here.
2. Click on Scenario-Connector Link.




Here we need to define the Target Connector Link. Click on New Entries.
Select the target connector logical system.



Press Enter; Conn. Type and Connection Type Text are then filled in automatically based on the previous configuration.




Save the change into a transport request.



Similarly, do the same for:
3. ROLMG - Role Management
4. SUPMG - Super User Privilege Management


Save in a TR.

The same set of configuration is required for each satellite (ERP) system.

So far this is completed for one ERP (satellite) system; for each further system we need to do the same configuration.
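As an added example that is not part of the original post, the following Python check models the per-satellite connector set-up from Steps 5 to 12 and reports what is still missing for each system: the <SID>CLNT<client no.> naming, the SAP connection type, the GRC system as source connector, the Logical Group assignment and the four Scenario-Connector Links (AUTH, PROV, ROLMG, SUPMG). The system names GRCCLNT100, ERPCLNT500 and QASCLNT200, the 3-character SID / 3-digit client pattern and the rule that the logical port equals the destination name are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

SCENARIOS = ("AUTH", "PROV", "ROLMG", "SUPMG")  # AC integration scenarios named in the post
# Logical system convention <SID>CLNT<client no.>; 3-character SID and 3-digit client assumed here.
LOGICAL_SYSTEM = re.compile(r"^[A-Z][A-Z0-9]{2}CLNT\d{3}$")

@dataclass
class Connector:
    name: str           # RFC destination = logical system of the satellite, e.g. ERPCLNT500
    conn_type: str      # "SAP" for an ABAP-based system
    source: str         # source connector = logical system of the GRC system
    logical_port: str   # logical system name of the satellite system
    group: str          # connector group, e.g. SAP_R3_LG

def check_config(grc_system, connectors, group_types, scenario_links) -> list:
    """One finding per deviation from the post's connector setup; an empty list means consistent.
    group_types: connector group -> group type; scenario_links: scenario -> set of connector names."""
    findings = []
    for c in connectors:
        if not LOGICAL_SYSTEM.match(c.name):
            findings.append(f"{c.name}: destination is not of the form <SID>CLNT<client no.>")
        if c.conn_type != "SAP":
            findings.append(f"{c.name}: connection type {c.conn_type}, expected SAP")
        if c.source != grc_system:
            findings.append(f"{c.name}: source connector {c.source} is not the GRC logical system")
        if c.logical_port != c.name:
            findings.append(f"{c.name}: logical port {c.logical_port} differs from the destination name")
        if group_types.get(c.group) != "Logical Group":
            findings.append(f"{c.name}: group {c.group} is not assigned to group type Logical Group")
        for scenario in SCENARIOS:
            if c.name not in scenario_links.get(scenario, set()):
                findings.append(f"{c.name}: missing Scenario-Connector Link for {scenario}")
    return findings

# Constructed sample: GRC client 100, one fully linked satellite and one linked under AUTH only.
GRC = "GRCCLNT100"
CONNECTORS = [
    Connector("ERPCLNT500", "SAP", GRC, "ERPCLNT500", "SAP_R3_LG"),
    Connector("QASCLNT200", "SAP", GRC, "QASCLNT200", "SAP_R3_LG"),
]
GROUP_TYPES = {"SAP_R3_LG": "Logical Group"}
SCENARIO_LINKS = {s: {"ERPCLNT500"} for s in SCENARIOS}
SCENARIO_LINKS["AUTH"].add("QASCLNT200")

def sample_findings() -> list:
    return check_config(GRC, CONNECTORS, GROUP_TYPES, SCENARIO_LINKS)
```

Running sample_findings() lists the three Scenario-Connector Links still missing for QASCLNT200, which is exactly the "same configuration for each satellite" gap the post warns about.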

Wednesday, 8 October 2025

#6 GRC ARA flowchart

#4 GRC phases - Managing Risk by SOD

3 Phases:

Phase one (Recognize):  1. Risk Recognition; 2. Rule Building & Validation
Phase two (Analysis):   3. Analysis; 4. Remediation; 5. Mitigation
Phase three:            6. Continuous Compliance

1. Risk Recognition:

Open each and every role.
Identify the risks in each role.
Discuss them with the business team.

                    👇

Then hold the remediation or mitigation discussion.

2. Rule Building & Validation:

1. Validate the risks in the role.
2. Customize the role.
3. Test.

3. Analysis:

1. Check whether any modifications are needed or not.
2. Ensure Phase 1 (Risk Recognition & Rule Building/Validation) is correct as per the business needs or not.

e.g.: providing access to rooms 4 and 7.

4. Remediation:

Remove the risk.

e.g.: swipe in and swipe out at the office to avoid the risk of unauthorized people entering the office.

5. Mitigation:

Compensating control.

6. Continuous Compliance:

  • Monitoring the present configuration.
  • Adapting to changes as per the business.
  • Alert mechanism.
  • Monitoring the mitigation control.

-----------------------------------------------------------------------------------------------------------------------------

#5 GRC - ROLES








1. Mitigation: always needs monitoring.
If there is a mitigation, then we need to monitor it continuously.
2. Risk --> High, Medium, Low
3. Some companies allow zero risks in their business; but if a user wants the access anyway, the user should raise an exception request.

The request states why the user needs the exception access and the business requirement.




In the screen below, we can see the sample page for function ID, business process and risk ID integration.




From the screen below: multiple actions/permissions combined together form a Function.
Multiple functions combined together form a Risk.
Multiple risks combined together form a Business Process.
Multiple business processes are assigned to one single Rule Set.




* SOD is complex in a company code environment.




3. Analysis:




Analysis to identify risk (best way):

Object --> Fields --> Values --> Single role --> Composite role --> User.
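The action/function/risk/business-process hierarchy and the Object --> Fields --> Values --> Single role --> Composite role --> User analysis chain, worked as an added Python example that is not from the original post: a small constructed rule set, roles carrying S_TCODE authorizations, and an analysis that reports each risk a user completes as open or as covered by a mitigating control. The t-codes, role names, risk IDs and the MC_PAY_REVIEW control are constructed sample values, not a real GRC rule set.

```python
from dataclasses import dataclass, field

# Constructed rule set: actions (t-codes) -> Functions -> Risks -> Business Process -> rule set.
FUNCTIONS = {                       # function id -> actions that grant it
    "AP01": {"FK01", "FK02"},       # maintain vendor master data
    "AP02": {"F-53", "F110"},       # post / run vendor payments
    "PR01": {"ME21N", "ME22N"},     # create / change purchase orders
}
RISKS = {                           # risk id -> (conflicting functions, risk level, business process)
    "P001": ({"AP01", "AP02"}, "High", "Procure to Pay"),
    "P002": ({"PR01", "AP02"}, "Medium", "Procure to Pay"),
}

@dataclass
class SingleRole:
    name: str
    auths: dict   # authorization object -> {field: {values}}, e.g. {"S_TCODE": {"TCD": {"FK01"}}}
    def actions(self) -> set:
        """Object --> Fields --> Values: the t-codes this role's S_TCODE authorizations allow."""
        return set(self.auths.get("S_TCODE", {}).get("TCD", set()))

@dataclass
class User:
    uid: str
    roles: list                  # single roles, or composite roles given as lists of single roles
    mitigations: dict = field(default_factory=dict)   # risk id -> assigned mitigating control id

def user_actions(user: User) -> set:
    """Single role --> Composite role --> User: every action reachable through the user's roles."""
    acts = set()
    for role in user.roles:
        for single in (role if isinstance(role, list) else [role]):
            acts |= single.actions()
    return acts

def analyze(user: User) -> dict:
    """Risk id -> 'Open:<level>' or 'Mitigated:<control>' for every risk the user's actions complete."""
    acts = user_actions(user)
    hits = {}
    for rid, (funcs, level, _process) in RISKS.items():
        if all(FUNCTIONS[f] & acts for f in funcs):   # one action per conflicting function suffices
            hits[rid] = f"Mitigated:{user.mitigations[rid]}" if rid in user.mitigations else f"Open:{level}"
    return hits

# Constructed roles and users to analyze.
Z_VENDOR = SingleRole("Z_AP_VENDOR_MAINT", {"S_TCODE": {"TCD": {"FK01"}}})
Z_PAY = SingleRole("Z_AP_PAYMENT_RUN", {"S_TCODE": {"TCD": {"F110"}}})
Z_PO = SingleRole("Z_MM_PURCHASE_ORDER", {"S_TCODE": {"TCD": {"ME21N"}}})
ALICE = User("ALICE", [[Z_VENDOR, Z_PAY]])                               # composite role -> open P001
BOB = User("BOB", [Z_PO, Z_PAY], mitigations={"P002": "MC_PAY_REVIEW"})  # P002 covered by a control
```

analyze(ALICE) shows that a composite role can complete a High risk even though each single role on its own is clean, which is why the chain is walked all the way to the user.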


In the Mitigation phase below, we have 2 types of mitigation controls:
1. Preventive control and
2. Detective control.
* Logs need to be monitored for detective-control mitigation.
* Sometimes the mitigation of a risk may be taking insurance.







6. Continuous monitoring with respect to new user creation:
Manually,
or
by configuring an automatic alert mechanism.




--------------------------------------------------xxx-----------------------------------------xxx-------------------------