Copyright
Copyright 2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP AG
Page 2 of 16
Icons
Icon meanings used in this document: Caution; Example; Note or Tip; Recommendation; Syntax.
Typographic Conventions
Type Style: Description
Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Also cross-references to other documentation.
Example text: Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language when surrounded by body text, for example SELECT and INCLUDE.
Example text: Screen output. This includes file and directory names and their paths, messages, source code, names of variables and parameters, as well as names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT: Keys on the keyboard, for example function keys (such as F2) or the ENTER key.
Contents
Master Data: Configuration Guide .... 5
1 Purpose .... 5
2 Prerequisites .... 5
3 System Information .... 5
3.1 SAP ERP System Information .... 5
3.2 SAP GRC Access Control Components .... 6
4 Master Data in SAP ERP .... 7
4.1 Create Roles .... 7
4.2 Create User ID GRC_RFC for Connection .... 8
4.2.1 Create User Group .... 9
4.2.2 Create Users .... 9
4.2.3 Create Superuser Privilege Management Users .... 11
5 Configuration in SAP GRC Access Control Components .... 12
5.1 Create User SAPGRC in User Management Engine (UME) .... 12
5.2 Add Roles to Existing Users in User Management Engine .... 13
5.3 Change User Password in User Management Engine .... 14
6 Static Text to Risk Analysis and Remediation .... 15
6.1 Download Text from SAP .... 15
7 Authorization Objects .... 16
7.1 Download Data from SAP .... 16
2 Prerequisites
The SAP ERP and SAP GRC Access Control 5.3 (AC) have been successfully installed.
3 System Information
Use
The configuration of AC requires system information from the SAP ERP system and the AC components. Since such information is specific to your installation, your system administrator needs to provide you information that will be used in the subsequent configuration steps.
5. Client number. This is the SAP ERP client that connects to the SAP GRC Access Control component; obtain it from your system administrator.
   Field name: Client Number
   Value: <Client Number>
   Comment: for example, 100
The system parameters above are used in the subsequent configuration steps. Make sure they are accurate and complete.
To log into the SAP ERP system, you need to obtain a SAP ERP user ID and password from your system administrator.
You need to get the server name and port from your system administrator.
To log on to the SAP GRC Access Control components, you need a user ID and password from your system administrator, for example user java_admin with password java123 (sample values only; use the credentials your administrator issues). If you get an error after logging on with this user ID, check with your system administrator that the following roles are assigned:
- Superuser Privilege Management role, for example FF_ADMIN
- Compliant User Provisioning role, for example AE_ADMIN
- Enterprise Role Management role, for example RE_ADMIN
- Risk Analysis and Remediation role, for example VIRSA_CC_ADMIN
- Java Administrator role, for example Administrator
Actual role names may differ from the ones given above. In your browser, create a folder called SAPGRC in your Favorites and save the URLs from the system information table so that you can reach the GRC systems quickly.
4 Master Data in SAP ERP

4.1 Create Roles

Procedure
1. Log on to SAP ERP with the user and password provided by the administrator.
2. In the SAP Easy Access screen, in the command line, enter transaction code PFCG.
   SAP ERP menu: Tools > Administration > User Maintenance > Role Administration > Roles
   Transaction code: PFCG
3. Enter VS_USER_ADMIN and choose Single Role.
4. Choose the Menu tab (save the role) and add transaction codes SU01, PFCG, SU05, SU01D.
5. Choose the Authorizations tab and choose Change Authorization Data (save the role).
6. Assign full authorization to the organizational levels and choose Save.
7. Maintain all fields with full authorization.
8. Choose Generate (the arrow icon).
Full authorization on every field (the * value) makes these roles far broader than the transactions in their menus suggest. That is intended for this demo landscape, where the roles exist to be analyzed by Access Control, and is not a model for production roles.
10. Enter VS_FI_AP_DISPLAY_MASTER and choose Single Role.
11. Choose the Menu tab (save the role) and add transaction codes FK03, XK03.
12. Repeat steps 5 to 9.
13. Enter VS_FI_ACCOUNTS_MANAGER and choose Single Role.
14. Choose the Menu tab (save the role) and add transaction codes F-41, F-44, F-63, F110, FB00, FB07, FB1K, FB1S, FBL1, FBV0, FBV2, FBV5, FBVB, FBZ0, FSF1, MK03, MM03.
15. Repeat steps 5 to 9.
16. Enter VS_FI_AP_INVOICES and choose Single Role.
17. Choose the Menu tab (save the role) and add transaction codes F-44, FB60, FB65, FB70, FI01, FIBB, FV60, FV65, XK01, ME21N.
18. Repeat steps 5 to 9.
19. Enter VS_FI_ACCOUNTS_PAYABLE_CLERK and choose Single Role.
20. Choose the Menu tab (save the role) and add transaction codes F-41, F-43, F-44, FB01, FCH2, MK04.
21. Repeat steps 5 to 9.

4.2 Create User ID GRC_RFC for Connection

Procedure
3. In the User Maintenance: Initial Screen, in User, enter GRC_RFC and choose the Create button.
4. In the Maintain User screen, choose the Address tab and enter the following:
   Last name: GRC
   First name: RFC
   Language: EN English
5. Choose the Logon data tab and enter the following:
   User Type: Service
   Initial Password: initial1
   Repeat Password: initial1
6. Choose the Defaults tab and enter the following:
   Decimal Notation: 1,234,567.89
   Date Format: MM/DD/YY
7. Choose the Profiles tab and enter the profile SAP_ALL.
Giving the connector user SAP_ALL is a shortcut for this demo system. In a production landscape the RFC user should carry only the authorizations the Access Control connector needs, since its password is stored in the connector configuration.
Integration Point: This user is used in the connector configuration in building block 681.
4.2.1 Create User Group
1. On the SAP Easy Access screen, in the command line, enter transaction code SUGR.
   Transaction code: SUGR
2. In the Maintain User Groups screen, in User Group, choose the Create button and create the following user groups:
   User Group: Description
   AP_GROUP: Accounts Payable Group
   PURCHASING: Purchasing Group
   TECHNICAL: Technical User
4.2.2 Create Users
1. Access the transaction using the following navigation option:
   SAP ERP menu: Tools > Administration > User Maintenance > Users
   Transaction code: SU01
2. In the User Maintenance: Initial Screen, in User, enter MBOND and choose the Create button.
3. In the Address tab, enter the following:
   Last name: Bond
   First name: Maria
   Department: Accounts Payable
   Language: EN English
   Telephone: 650-221-2020
   Extension: 202
   E-Mail: the e-mail address you want to use for testing, for example maria.bond@sap.com
   Comm. Meth: E-Mail
4. Choose the Logon data tab and enter the following:
   User Type: Service
   Initial Password: initial1
   Repeat Password: initial1
   User Group: AP_GROUP
A user of type Service is not subject to the initial-password and password-expiry checks that apply to Dialog users, which suits an unattended demo user but not a named person in a production system.
5. Choose the Roles tab and enter the roles VS_FI_AP_DISPLAY_MASTER and /VIRSA/Z_VFAT_FIREFIGHTER.
6. Choose the Save button.
7. Repeat steps 1 to 6 to create the following users. Unless a different value is given below, use the same values as in the steps above:
   MWONG: Last name Wong; first name Mae; telephone 1 650 2522252; extension 200; user group AP_GROUP; roles /VIRSA/Z_VFAT_FIREFIGHTER.
   CPERKINS: Last name Perkins; first name Cyrus; telephone 6502522252; extension 400; user group AP_GROUP; roles /VIRSA/Z_VFAT_ID_OWNER, VS_FI_ACCOUNTS_MANAGER, VS_FI_AP_DISPLAY_MASTER.
   FWILSON: Last name Wilson; first name Fox; telephone 6502522252; extension 202; user group AP_GROUP; roles /VIRSA/Z_VFAT_ID_OWNER, VS_FI_ACCOUNTS_MANAGER, VS_FI_AP_INVOICES.
   BLAW: Last name Law; first name Brian; telephone 6502212020; extension 101; user group AP_GROUP; roles VS_FI_ACCOUNTS_MANAGER.
   JMURPHY: Last name Murphy; first name John; telephone 6508582225; extension 100; user group AP_GROUP; roles VS_USER_ADMIN; profiles SAP_ALL, SAP_NEW.
   WEBUSER: profiles SAP_ALL, SAP_NEW.
   SFRITSHE: profiles SAP_ALL, SAP_NEW.
Master Data (678): Configuration Guide

4.2.3 Create Superuser Privilege Management Users
1. Access the transaction using the following navigation option:
   Transaction code: SU01
2. In the User Maintenance: Initial Screen, enter FF_BASIS.
3. Choose the Create button.
4. In the Address tab, enter the following:
   Last Name: FF_BASIS
   First Name: FIREFIGHTER
   Language: EN English
   Comm. Meth: Remote Mail
5. In the Logon data tab, enter the following:
   User Type: Service
   Initial Password: Initial1
   Repeat Password: Initial1
   User Group: TECHNICAL
6. In the Defaults tab, enter the following:
   Decimal Notation: 1,234,567.89
   Date Format: MM/DD/YYYY
7. In the Roles tab, enter the role /VIRSA/Z_VFAT_FIREFIGHTER.
8. Choose the Profiles tab and enter the profiles SAP_ALL and SAP_NEW.
9. Choose the Save button and the Exit button.
10. Repeat steps 1 to 9 to create the following users. Unless a different value is given below, use the same values as in the steps above:
   FF_VENDORS: Last name Vendor Maintenance; first name Firefighter; roles /VIRSA/Z_VFAT_FIREFIGHTER, VS_USER_ADMIN, VS_FI_ACCOUNTS_MANAGER, VS_FI_AP_INVOICES, VS_FI_ACCOUNTS_PAYABLE_CLERK; profiles: leave blank.
   FF_WEBUSER: Last name FF_Webuser; first name Firefighter; roles /VIRSA/Z_VFAT_FIREFIGHTER; profiles SAP_ALL, SAP_NEW.
These firefighter IDs are meant to be used only through Superuser Privilege Management, where each session is logged; they are not ordinary logons to hand out, and their passwords should be known only to the firefighter administrator.
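The roles and users above are deliberately built so that transaction access overlaps, which is what Risk Analysis and Remediation will later report on. The following Python script is an added illustration of that kind of check and is not code from SAP or from this guide: it transcribes the role-to-transaction table from section 4.1 and the user-to-role and profile assignments from sections 4.2 to 4.2.3, treats SAP_ALL as unrestricted transaction access, and runs a static segregation-of-duties analysis over them. The three risk rules (B001, P001, P002), the transaction groupings inside them, and the CRITICAL_PROFILES set are this example's own assumptions, modelled on the shape of a rule rather than copied from any delivered rule set.

```python
"""Static segregation-of-duties check over the demo master data in this guide.

Added example, not code from SAP or from the guide. ROLE_TCODES and USERS are
transcribed from sections 4.1 to 4.2.3; RISKS and CRITICAL_PROFILES are this
example's own assumptions and not SAP-delivered rules.
"""
from itertools import chain

# Section 4.1: transaction codes added to each role's menu. The two /VIRSA/
# roles are SAP-delivered and carry no transactions in this guide's tables.
ROLE_TCODES = {
    "VS_USER_ADMIN": {"SU01", "PFCG", "SU05", "SU01D"},
    "VS_FI_AP_DISPLAY_MASTER": {"FK03", "XK03"},
    "VS_FI_ACCOUNTS_MANAGER": {
        "F-41", "F-44", "F-63", "F110", "FB00", "FB07", "FB1K", "FB1S", "FBL1",
        "FBV0", "FBV2", "FBV5", "FBVB", "FBZ0", "FSF1", "MK03", "MM03",
    },
    "VS_FI_AP_INVOICES": {
        "F-44", "FB60", "FB65", "FB70", "FI01", "FIBB", "FV60", "FV65", "XK01", "ME21N",
    },
    "VS_FI_ACCOUNTS_PAYABLE_CLERK": {"F-41", "F-43", "F-44", "FB01", "FCH2", "MK04"},
    "/VIRSA/Z_VFAT_FIREFIGHTER": set(),
    "/VIRSA/Z_VFAT_ID_OWNER": set(),
}

# Sections 4.2 to 4.2.3: roles and profiles per user (a representative subset).
USERS = {
    "GRC_RFC": {"roles": set(), "profiles": {"SAP_ALL"}},
    "MBOND": {"roles": {"VS_FI_AP_DISPLAY_MASTER", "/VIRSA/Z_VFAT_FIREFIGHTER"}, "profiles": set()},
    "MWONG": {"roles": {"/VIRSA/Z_VFAT_FIREFIGHTER"}, "profiles": set()},
    "CPERKINS": {"roles": {"/VIRSA/Z_VFAT_ID_OWNER", "VS_FI_ACCOUNTS_MANAGER",
                           "VS_FI_AP_DISPLAY_MASTER"}, "profiles": set()},
    "FWILSON": {"roles": {"/VIRSA/Z_VFAT_ID_OWNER", "VS_FI_ACCOUNTS_MANAGER",
                          "VS_FI_AP_INVOICES"}, "profiles": set()},
    "JMURPHY": {"roles": {"VS_USER_ADMIN"}, "profiles": {"SAP_ALL", "SAP_NEW"}},
    "FF_BASIS": {"roles": {"/VIRSA/Z_VFAT_FIREFIGHTER"}, "profiles": {"SAP_ALL", "SAP_NEW"}},
    "FF_VENDORS": {"roles": {"/VIRSA/Z_VFAT_FIREFIGHTER", "VS_USER_ADMIN", "VS_FI_ACCOUNTS_MANAGER",
                             "VS_FI_AP_INVOICES", "VS_FI_ACCOUNTS_PAYABLE_CLERK"}, "profiles": set()},
}

# Assumed risk rules (example only): a user violates a rule when the
# transactions they can reach intersect both sides of it.
RISKS = {
    "B001 maintain users + maintain roles": ({"SU01"}, {"PFCG"}),
    "P001 create vendor + enter vendor invoice": ({"XK01"}, {"FB60", "FB65", "F-43", "FB01", "FV60"}),
    "P002 enter vendor invoice + run payments": ({"FB60", "FB65", "F-43", "FB01", "FV60"}, {"F110", "FBZ0"}),
}
# Profiles worth flagging on their own, regardless of rule hits (assumption).
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def effective_tcodes(user):
    """Transactions reachable through the user's roles, or None when SAP_ALL
    makes the set unrestricted (S_TCODE * in that profile)."""
    if "SAP_ALL" in user["profiles"]:
        return None
    return set(chain.from_iterable(ROLE_TCODES.get(r, set()) for r in user["roles"]))


def violated_risks(tcodes, risks=RISKS):
    """Sorted risk IDs hit by a transaction set; an unrestricted user hits every rule."""
    if tcodes is None:
        return sorted(risks)
    return sorted(rid for rid, (side_a, side_b) in risks.items()
                  if tcodes & side_a and tcodes & side_b)


def analyze(users=USERS):
    """Per-user findings: violated risk IDs and any critical profiles held."""
    return {
        uid: {
            "risks": violated_risks(effective_tcodes(u)),
            "critical_profiles": sorted(u["profiles"] & CRITICAL_PROFILES),
        }
        for uid, u in users.items()
    }


def users_with_findings(report):
    """User IDs that have at least one finding, sorted."""
    return sorted(uid for uid, f in report.items() if f["risks"] or f["critical_profiles"])


if __name__ == "__main__":
    report = analyze()
    for uid in users_with_findings(report):
        print(uid, report[uid])
```

Run stand-alone, the script lists FWILSON (create vendor plus enter invoice, and enter invoice plus run payments, through the combination of VS_FI_AP_INVOICES and VS_FI_ACCOUNTS_MANAGER), FF_VENDORS (all three rules), and the SAP_ALL holders. CPERKINS is clean under these rules because VS_FI_ACCOUNTS_MANAGER alone gives payment transactions but no vendor creation or invoice entry. Treating SAP_ALL as a match for every rule is the only honest choice: a rule engine that evaluates SAP_ALL by role menu alone would report the broadest users in the system as clean.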
5 Configuration in SAP GRC Access Control Components

5.1 Create User SAPGRC in User Management Engine (UME)

Procedure
1. Log on to J2EE with the URL http://<J2EE Servername>:<J2EE Port>.
2. Click User Management.
3. Log on with the Java administrator user ID and password, for example user java_admin and password java123.
4. Choose the Create User button.
5. In the General Information tab in the lower panel, enter the following:
   Logon ID: SAPGRC
   Last Name: SAP
   First Name: GRC
   Define Password: initial1 (for example)
   Confirm Password: initial1 (for example)
   Language: English
6. Choose the Assigned Roles tab.
7. Choose Go.
8. Select the role FF_ADMIN (for example), then hold down the control key and also select CC_ADMIN (for example), AE_ADMIN (for example) and RE_ADMIN (for example).
The actual role names can differ, depending on the naming convention the system administrator used during system setup. Confirm the correct role names with the system administrator and use those names.
9. Choose Add.
10. Choose Save.
You will be logging into SAP GRC Access Control Components as user SAPGRC to create the required configurations in building blocks 678 to 684.
5.2 Add Roles to Existing Users in User Management Engine

The following procedure for changing existing users assumes that the users already exist in the SAP ERP system and are visible in the UME. If your UME is configured differently (see SAP Note 718383), you may have to create the users separately in the UME.
Procedure
1. Log on to J2EE with the URL http://<J2EE Servername>:<J2EE Port>.
2. Click User Management.
3. Log on with your Java administrator user ID and password, for example user java_admin and password java123.
4. Under the Identity Management tab, enter user ID WEBUSER in the search criteria field and choose the Go button.
5. In the Logon ID column, select the user ID WEBUSER.
6. In the Details of User section, choose the Modify button.
7. Choose the Assigned Roles tab.
8. Choose Go.
9. Select the role FF_ADMIN (for example), then hold down the control key and also select CC_ADMIN (for example), AE_ADMIN (for example) and RE_ADMIN (for example).
The actual role names can differ, depending on the naming convention the system administrator used during system setup. Confirm the correct role names with the system administrator and use those names.
10. Choose Add.
11. Choose Save. In the top left corner you see the message User attributes successfully modified.
12. Repeat steps 4 to 11 for the following users:
   Mae Wong (MWONG)
   Maria Bond (MBOND)
   Fox Wilson (FWILSON)
   Brian Law (BLAW)
   John Murphy (JMURPHY)
   Cyrus Perkins (CPERKINS)
   Roles for these users, in the order printed on the page (the row boundaries of the roles column did not survive extraction, so the split between users is not legible here): AEAPPROVER, RE_ADMIN, CC_ADMIN; FF_ADMIN, AEAPPROVER, RE_ADMIN, CC_ADMIN; FF_ADMIN, AEAPPROVER, RE_ADMIN, CC_ADMIN; AEAPPROVER, RE_ADMIN, CC_ADMIN; AEAPPROVER, CC_ADMIN.
If you have trouble logging on to the UME with the java_admin (for example) ID, close all web browser sessions and log on again.
13. Log off and close all browser windows before you proceed to the next step.
5.3 Change User Password in User Management Engine

Procedure
1. Log on to J2EE with the URL http://<J2EE Servername>:<J2EE Port>.
2. Click User Management.
3. Log on as SAPGRC with password initial1 (for example).
4. In the Welcome screen, enter the old password initial1 (for example) and the new password initial2 (for example).
5. Choose the Change button. Ignore the error messages that appear.
6. Click Log Off in the top right pane.
7. Repeat steps 1 to 6 for the following user IDs:
   Mae Wong: MWONG
   Fox Wilson: FWILSON
   Brian Law: BLAW
   John Murphy: JMURPHY
   WEBUSER: WEBUSER
   Cyrus Perkins: CPERKINS
Integration Point: Note that the user ID WEBUSER and its new password are used in the configuration steps of the remaining building blocks.
6 Static Text to Risk Analysis and Remediation

6.1 Download Text from SAP

Use
For development testing, this can be done once; in a production system it should be repeated periodically.
Procedure
1. Log on to the SAP ERP system.
2. Enter transaction code SE38. The ABAP Editor: Initial Screen is displayed.
3. In the Program field, enter /VIRSA/ZCC_DOWNLOAD_DESC.
4. Choose the Execute button.
5. In the Local File field, enter the path and file name for the download (for example, C:\GRC_US_V1530\misc\textdescriptions.txt).
6. Choose the Execute button.
The text file contains the following items:
- Transaction descriptions (ACT) from table TSTCT
- Field descriptions (FLD) from table DD03T
- Organizational level descriptions from USORG/USVAR
- Object descriptions (PRM) from table TOBJT
- Field value descriptions (VAL)
Data is downloaded in the logon language. To download several languages for upload to Risk Analysis and Remediation, log off, log on in another language, and run the download program again. Repeat for every language.
7 Authorization Objects
7.1 Download Data from SAP
Use
This step creates a text file with the SU24 check/maintain data from USOBT_C.
Procedure
1. Log on to the SAP ERP system.
2. Enter transaction code SE38. The ABAP Editor: Initial Screen is displayed.
3. In the Program field, enter /VIRSA/ZCC_DOWNLOAD_SAPOBJ.
4. Choose the Execute button.
5. In the Local File field, enter the path and file name for the download (for example, C:\GRC_US_V1530\misc\USOBT_C.txt).
   Integration Point: This file is uploaded in building block 678.2.
6. Choose the Execute button.
The file contains the check/maintain objects, fields and default values from USOBT_C.
Result
Your base setup is complete. Proceed to the next building block to continue with the configuration of Access Control 5.3.