How-To Configure SAP Business Objects Access Control 5.3 For SAP NetWeaver Portal 7.0

How-to Configure SAP BusinessObjects Access Control 5.3 for SAP NetWeaver Portal 7.
0
Version 1.11 Applies to:
SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Portal 7.0
Summary
This document will explain the major steps to configure AC 5.3 to connect and integrate with NW Portal. It will try to give you a hint what scenarios are covered when connecting the NetWeaver Portal to Access Control. If you seek for more information, you should visit the links stated in the Appendix. Author: GRC Regional Implementation Group (RIG)
Company: SAP BusinessObjects Revised on: 1 August 2009
Team Bio
Mission Statement of the SAP BusinessObjects GRC RIG: As recognized experts, our mission is to enable others to successfully implement SAP GRC solutions. We are committed to the continuous improvement of GRC products and services, taking the product from validation to customer deployment. We ensure o o o Field readiness, High customer satisfaction and Customer references.
SAP COMMUNITY NETWORK 2009 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com
How-to Configure SAP BusinessObjects Access Control 5.3 for SAP NetWeaver Portal 7.0
Document History
Document Version 1.10 1.11 Description First official release of this guide Implemented updates according to audience feedback
Typographic Conventions
Type Style Example Text Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation Example text Emphasized words or phrases in body text, graphic titles, and table titles File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for example, F2 or ENTER.
Icons
Icon Description Caution Note or Important Example Recommendation or Tip
Example text
Example text
<Example text>
EXAMPLE TEXT
Table of Contents
Applies to: ....................................................................................................................................... 1 Summary ......................................................................................................................................... 1 Team Bio.......................................................................................................................................... 1 1. Business Scenario............................................................................................................... 1 1.1 Introduction ................................................................................................................... 1 1.1.1 1.1.2 NetWeaver Portal............................................................................................. 2 Access Control ................................................................................................. 3
1.2 Risk Analysis of Portal Items ........................................................................................ 3 1.3 User Provisioning into the Portal .................................................................................. 4 2. 3. Prerequisites ........................................................................................................................ 4 Step-by-Step Procedure ...................................................................................................... 5 3.1 Overview ....................................................................................................................... 5 3.2 Configure Portal ............................................................................................................ 5 3.3 Configure RAR.............................................................................................................. 5 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 Obtain Portal Master Data ............................................................................... 5 Portal Connector .............................................................................................. 7 Test Portal Connectivity ................................................................................... 8 Upload Master Data ......................................................................................... 8 Schedule Role and User Synchronization ....................................................... 9 Create a Function for Portal iViews ................................................................. 9 Create a Function for UME Actions ............................................................... 11 Define Critical Roles ...................................................................................... 11 Generate Rules Based on New Risks ........................................................... 12
3.3.10 Run a Risk Analysis ....................................................................................... 15 3.4 Configure CUP............................................................................................................ 16 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.6 3.4.7 3.5.1 3.5.2 Create Connector........................................................................................... 16 Field Mapping ................................................................................................ 18 Import roles .................................................................................................... 19 Provisioning ................................................................................................... 20 Provisioning Users into Groups ..................................................................... 20 Role Mapping ................................................................................................. 21 Password Self-Service ................................................................................... 22 Create Portal System ..................................................................................... 22 Portal Landscape ........................................................................................... 23
3.5 Configure ERM ........................................................................................................... 22
4. 5.
Appendix ............................................................................................................................ 24 Copyright ............................................................................................................................ 25
1. Business Scenario
1.1 Introduction
This section describes possible scenarios for connecting a NetWeaver Portal 7.0 system to Access Control 5.3. One central feature of the NetWeaver Portal is the integration of applications. Such applications can be both SAP and non-SAP components as well as custom developed and legacy software. Standard integration scenarios often involve access to SAP ERP back-ends allowing the business user to access required data. One example is the Employee Self-Service (ESS) usage where a user can change his personal data, like his address or bank details. For this ESS scenario, a user needs both an HR (back-end) role as well as a Portal role. As you will see in this document, Compliant User Provisioning (CUP) can also provision roles in the NetWeaver Portal. With the CUP Role Mapping feature, such dual-role access can be easily facilitated since both the back-end role as well as the Portal role is provisioned in one step. As for non-SAP applications, customers often integrate legacy or custom software in their Portal. Such applications might not provide a full-blown or detailed authorization concept. For example, they may include just an authorization to see a custom component as a whole, but no control of locking certain views or features in that software. In the case where multiple applications are integrated in the Portal, the number of risks that might arise also grows. Access Control can report real time on critical applications or SoD violations of such custom or legacy applications, if they are accessed through the Portal. Another very useful feature within Risk Analysis and Remediation (RAR) is the reporting for all critical Portal roles, i.e. which user has Administrator roles. Also, RAR can be used to mitigate risks relating to such Administrator roles. Such a reporting by RAR provides a good overview of Portal risks to the security and/or internal control team.
1.1.1
NetWeaver Portal
The Portal is used as a front-end to access business data. The smallest units of the Portal user interface (UI) items are so-called "iViews". iViews are added to Portal roles (also to worksets or pages). These items (iViews, worksets, pages, and roles) are stored in the Portal Content Directory (PCD).
The NetWeaver Application Server Java (and therefore also the Portal because it as application running that application server) uses the User Management Engine (UME) for managing user-related data. UME actions define authorizations based on Java permissions. The UME uses UME actions to enforce authorizations. An action is a collection of Java permissions that define which activities a user can perform. UME actions can be assigned to UME roles or Portal roles. If a role with a UME action is assigned to a user, the user gains the authorizations provided by the action. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions. Other applications can also define or check for actions. One example where such UME actions are extensively used is in SAPs xApps like xRPM. The UME actions are used to control which user or role has access to what feature within such an xApp. For further information on the Portal and the UME please refer to Appendix B on page 24.
1.1.2
Access Control
In most Access Control modules, you can use the standard features also for Portal back-ends. Here is an overview of the four modules: Risk Analysis and Remediation (RAR) can analyze risks violations caused by Portal iViews and/or UME actions with respect to critical action risks and SoD risks. Compliant User Provisioning (CUP) caters to the management of Portal users (create, change, or delete users, assign roles, password reset, lock/unlock, etc.) Enterprise Role Management (ERM) can be used to document Portal roles. Currently, the ERM connector has no technical connection to the Portal! No integration with Superuser Privilege Management (SPM) exists at this stage.
1.2
Risk Analysis of Portal Items
Risk Analysis and Remediation (RAR) can perform a risk analysis based on UME actions and Portal iViews assigned through UME roles and Portal roles, respectively. Looking at the Portal, many iViews point to functions on ERP back-ends, which makes it unnecessary to analyze these iViews. For example, Sales and Distribution (SD) ERP functions can be integrated to the Portal. Since this SD functionality uses back-end roles, these roles are analyzed by RAR directly in the according back-end. So, another analysis of the same access (role) provided through the Portal is not required. This brings us to which items in the Portal might cause risk violations. These are: UME actions Portal iViews
Which are subject to Segregation of Duty (SoD) or critical action risks.
1.3
User Provisioning into the Portal
Compliant User Provisioning (CUP) cannot only provision into ERP back-ends but also into the Portal. Main features for provisioning to the Portal are: Create new, change, delete user Add/remove Portal and UME roles to/from user Self service to reset password for Portal user Group assignment for users
The provisioning works with any supported user data source (UME DB, LDAP, or ABAP) connected to the Portal as this is handled via the UME service. The mentioned feature (also self-service) works the same way as with ERP back-ends. As mentioned above in the section where the ESS scenario is explained, a user requiring access to ESS needs both an HR (back-end) role as well as a Portal role. With the CUP role mapping feature, such dual-role access can easily be facilitated since both the back-end role as well as the Portal role is provisioned in one step. Enterprise Role Management (ERM) automates the definition and management of roles. It also provides the feature to maintain Portal/UME roles. However, this is only for documentation purposes and has neither physical connection to the Portal nor any synchronization.
2. Prerequisites
For the described scenario, we recommend at least Access Control 5.3 SP05 and NetWeaver Portal 7.0 SP12. On the NetWeaver Portal, the AC 5.3 Portal Real-time Agent (EPRTA) needs to be deployed. Please use the same SP level as your AC 5.3 system. More information is contained in the Installation and Configuration Guides for AC 5.3 (see appendix).
3.
3.1
Step-by-Step Procedure
Overview
This section will show you what configuration tasks are needed in the Portal and AC 5.3. We will focus on the specific tasks needed for this scenario. For example, you will see how to create connectors in each of the AC 5.3 modules and what specific configuration tasks are necessary to successfully implement the AC-Portal integration. General information about installation and configuration tasks can be found in the guides mentioned in the appendix.
3.2
...
Configure Portal
First, you need to create a user in the Portal system, which then will be used by the AC 5.3 application to connect to the Portal. The user needs the role super_admin_role assigned. Make sure that the password for this user does not expire, as this would cause problems for the connection at some point.
3.3
...
Configure RAR
No pre-defined actions, risks, or functions are available in the pre-delivered standard rule set files for Portal-related items. Those have to be defined by the customer. The following sections describe the steps to perform for setting up RAR with the Portal integration in detail such as: transferring Portal master data (iViews) creating a connector defining functions based on Portal iViews and UME Actions declare critical roles run a risk-analysis
3.3.1
Obtain Portal Master Data
The master data in the Portal context includes the Portal items relevant for AC and RAR, in particular. These are UME actions and Portal iViews which have to be loaded to RAR. If you make changes to previously transferred iView- and UME action-data, then you need to re-synch (i.e. re-download and re-upload the master data) again! Call the following URL on your Portal server to download the Portal master data: http://<Portal>:<Port>/webdynpro/dispatcher/sap.com/grc~cceprta/DownloadData?SAPtestID=1
Click on the "download file!" link and save the text file on your computer. Note: you will upload this file at a later stage we first need to create an according system connector!
3.3.2
Portal Connector
Next, you need to establish a physical connection between the Portal and RAR. To do this, navigate to Configuration Connectors Create and create a Portal Connector.
The URL is http://<Server>:<Port>/CCRTAWS/Config1?wsdl&style=document The Server Name represents where the Portal RTA is installed. You need to specify the DNS (or IP address of the server if the server name is not supported) of a specific J2EE engine. In the User ID field, enter the user ID of a system administrator on the Portal and enter the corresponding password in the password field. Enter the Portal server address or IP in the Server Name field and the Portal server port in the Port Number field.
3.3.3
Test Portal Connectivity
You can test if the Portal is correctly connected and if the users and roles where successfully synced by using the debug tool: e.g. Get Actions for a user ID that exists in the Portal. Debugger URL: http://<server>:<port>/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger
3.3.4
Upload Master Data

Upload Text Objects and upload the file obtained in step 3.3.1
Navigate to Configuration
3.3.5
Schedule Role and User Synchronization
After completing the master data transfer, the Portal iView and UME action IDs are now available in RAR for creating functions based on these Portal items. Since RAR also needs to know about the Portal users and roles, you have to schedule a role and user synchronization from the connected Portal system by selecting Configuration Background Job Schedule Job.
3.3.6
Create a Function for Portal iViews
Next, create a Portal function containing the desired iView(s). One example could be the user administration iView, which can then be used along with a second function/iView for the content administration. This example then allows the definition of an SoD risk if a user has the permission to assign (Portal) roles as well as create (Portal) users. Given this example, it is crucial that you assign all user and content administration iViews to such a function as not to miss any critical iViews!
Important: When defining actions, you need to use the full ID of iViews containing the Portal role path and NOT just the technical iView ID (as it is stored in the PCD)! For example, the above umeAdminWD iView is contained in two Portal roles: portal_content/com.sap.pct/administrator/user_admin/com.sap.portal.delegated_user_admi n_role/com.sap.portal.delegated_user_admin_wd_ws/com.sap.portal.umeAdminWD portal_content/com.sap.pct/administrator/user_admin/com.sap.portal.user_admin_role/com. sap.portal.user_admin_wd_ws/com.sap.portal.umeAdminWD
This means if you create a function for this iView, then you need to add both IDs referring to two Portal roles as actions to your function!
3.3.7
Create a Function for UME Actions
It is also possible to create functions relating to UME actions (these actions are show with the prefix UME). As opposed to functions based on Portal iViews, UME actions exist only with a single ID so you do not need to search for UME actions in multiple places since they are not linked to other objects.
3.3.8
Define Critical Roles
You can also define critical roles as part of the standard RAR functionality. Make sure you successfully synchronized the Portal roles before trying to define a critical (Portal) Role!
Such a critical role could be the local NetWeaver administrator for the J2EE engine:
3.3.9
Generate Rules Based on New Risks
After completing the definition of new risks, you need to update the rule set in RAR. This is necessary so that RAR knows about your new risks. There are a couple of ways of generating these rules: 1.) generate rules based on a single risk, i.e. individually for one certain risk 2.) perform a mass generation to generate rules based on all risks 3.) generate rules for a logical system It may be helpful to define a logical system, which includes multiple physical systems, in RAR. This is useful for defining the same rules for a set of systems. You could, for example, create a logical Portal system containing several physical Portal systems such as pre-production and production. That logical Portal system then would provide the same rules to these two physical Portals, i.e. no need to create the rule twice.
3.3.9.1
Generate Rules Individually
Go to the Rule Architect Tab.
Go to Risks
Search. Search for the particular risk for which you want to update the rules.
Click Update Rules. Select Action and Permission Rules and click Foreground. Once the process completes successfully, an according message will be displayed at the bottom of the screen.
3.3.9.2

Mass Generation of Rules
Go to the Configuration Tab. Go to Rule Upload Generate Rules.
Click Foreground or Background to generate Rules. Depending on the amount of risks you defined and other (system) parameters, you need to decide whether you generate the rules immediately (in foreground) or schedule the generation for a later point in time (in background). If you have a large number of risks and active functions, or if you expect a large number of rules to be generated, it is a good idea to schedule the rule generation for an evening hour or for the weekend. That way a resource-consuming rule generation job will not affect users working on the AC system.
3.3.9.3

Generate Rules for a Logical System

Go to the Configuration Tab. Expand the Logical Systems node. Select Generate Rules.
Same as with the mass-generation, you have the option to generate the rules immediately or at a later stage. See the above section for explanation.
3.3.10 Run a Risk Analysis

Now, you run a risk analysis which will find the previously defined functions and risks. Given the first example of conflicting actions, we can now see a user that has these in an ad-hoc analysis. Of course, the batch risk-analysis and management reports are also available for the portal connector.
Same with the critical NetWeaver administrator role defined above:
3.4
Configure CUP
The following describes the tasks to be performed to integrate AC, and CUP in particular, with the Portal. This integration is targeted at the provisioning of Portal users, groups, and roles and explains the configuration required.
3.4.1
Create Connector
Create connector of type SAP EP, fill in details, and add the parameter mapping (as shown below in Parameter Details). User ID is the user you created on the Portal instance with role super_admin_role. Web service URL: http://<Portal-server-name>:<port>/spml/spmlservice
Parameter Details:
Parameter Name (GRC) ASSIGN_ROLES:OC ASSIGN_GROUPS:OC CHANGE_USER:OC CREATE_USER:OC CREATE_USER:password DELETE_USER:OC LOCK_USER:OC LOCK_USER:islocked LOCK_USER:type ROLESEARCH_URI Parameter Value (Portal) saprole sapgroup sapuser sapuser password sapuser sapuser true CHANGE_USER http://server:port/UserroleSearchForAEService_5_3/Config1?wsdl&style=document
ROLESEARCH_URI_PASSWORD password defined for Portal user (for retrieving roles) ROLESEARCH_URI_USERNAME ROLE_DATA_SOURCE SCHEMA_ID UNLOCK_USER:OC UNLOCK_USER:islocked Portal user id (for retrieving roles) ROLE.UME_ROLE_PERSISTENCE.un : SAPprincipals sapuser false Choose data source as configured in Portal UME: USER.PRIVATE_DATASOURCE.un: USER.R3_DATASOURCE. USER_DATA_SOURCE USER. CORP_LDAP.
3.4.2
Field Mapping
AC fields need to be mapped with UME fields because of different names. These are the minimum field mappings needed. You can configure this according to your needs.
3.4.3
Import roles
Roles can be manually created, imported via template, but also imported via the Portal connector that you created previously. This connector uses the Portal RTA (EPRTA) on the Portal server to bring across Portal roles to CUP:
Below are examples of Portal roles imported to CUP as roles.
3.4.4
Provisioning
You can provision both Portal roles as well as UME roles.
3.4.5
Provisioning Users into Groups
It is common practice to assign UME groups to Portal roles instead of assigning these roles directly to users. That way, assignment to a Portal role can be handled in a more flexible fashion. For example, you might assign regional portal roles to country groups (e.g., a Europe sales role assigned to the sales groups Germany, UK, and France etc.). As of AC 5.3 SP05, you can also provision UME group memberships to a user. These groups are treated the same in RAR as Portal roles are treated. To provision groups you need to: Import groups Use groups in provisioning requests
Therefore, you now can choose Groups under Select type of access in the request.
3.4.6
Role Mapping
As mentioned in the ESS scenario description at the beginning of this document, it is a benefit to map ERP back-end roles with the corresponding Portal roles. For this ESS scenario, a user needs both a HR (back-end) role as well as a Portal role. With the CUP role mapping feature, such dual-role access can easily be facilitated since both the back-end role and the Portal role are provisioned in one step. Therefore, you ensure that when the Portal role is requested the needed back-end role is also added in the request and vice versa. To use Role Mapping in CUP, navigate to Configuration Roles Role Mapping.
3.4.7
Password Self-Service
As part of the standard CUP functionality, users can also reset their password in a Portal environment once the Portal is connected to CUP. This feature does not need a Portal-specific configuration. Also, a user who wants to reset his password does not need Portal knowledge as this works the same as for other systems.
3.5
Configure ERM
Please note that currently there is no connector available for managing Portal roles through Enterprise role Mana gement The steps described here are purely for documenting Portal roles those roles cannot be managed through ERM!
Please note that currently there is no connector available for managing Portal roles through Enterprise Role Management. The steps described here are purely for documenting Portal roles those roles cannot be managed through ERM!
3.5.1
Create Portal System
In Configuration System Landscape Systems, create a new Portal System by choosing create and selecting SAP EP as system type; enter the name and a description.
3.5.2
Portal Landscape
Now create a Portal Landscape for managing your Portal systems by clicking create in Configuration Landscape.
Next, assign the previously configured Portal system to your landscape by clicking Assign Systems, then and select your Portal and save the configuration.
4. Appendix
Appendix A Abbreviations
Short RAR CUP ERM SPM EP RTA Description Risk Analysis and Remediation Compliant User Provisioning Enterprise Role Management Superuser Privilege Management NetWeaver Portal (old term is Enterprise Portal) Real-time Agent
Appendix B Links to related information

Title AC 5.3 Configuration Guide AC 5.3 Installation Guide Portal Administration NetWeaver AS Java Administration Link http://service.sap.com/instguides http://service.sap.com/instguides http://help.sap.com/saphelp_nw04s/helpdata/en/34/76bd3b 6e74d708e10000000a11402f/frameset.htm http://help.sap.com/saphelp_nw70/helpdata/en/1a/819d424 49b0731e10000000a1550b0/frameset.htm
Appendix C Related SAP Notes

Note Number 1282351 1168710 Details Access Control 5.3 Support Package 05 Supplemental Note (Attachment) Enterprise Portal RTA for Access Control 5.3 (VIREPRTA)
5. Copyright
2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are provided as is without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. Any software coding and/or code lines/strings (Code) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

How-To Configure SAP Business Objects Access Control 5.3 For SAP NetWeaver Portal 7.0

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How-To Configure SAP Business Objects Access Control 5.3 For SAP NetWeaver Portal 7.0

Uploaded by

Copyright:

Available Formats

How-to Configure SAP BusinessObjects Access Control 5.3 for SAP NetWeaver Portal 7.

Company: SAP BusinessObjects Revised on: 1 August 2009

SAP COMMUNITY NETWORK 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

SAP COMMUNITY NETWORK 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

SAP COMMUNITY NETWORK 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

3.5 Configure ERM ........................................................................................................... 22

SAP COMMUNITY NETWORK 2009 SAP AG

Appendix ............................................................................................................................ 24 Copyright ............................................................................................................................ 25

SAP COMMUNITY NETWORK 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Risk Analysis of Portal Items

Which are subject to Segregation of Duty (SoD) or critical action risks.

User Provisioning into the Portal

Obtain Portal Master Data

Test Portal Connectivity

Upload Master Data

Schedule Role and User Synchronization

Create a Function for Portal iViews

Create a Function for UME Actions

Define Critical Roles

Generate Rules Based on New Risks

Generate Rules Individually

Go to the Rule Architect Tab.

Mass Generation of Rules

Go to the Configuration Tab. Go to Rule Upload Generate Rules.

Generate Rules for a Logical System

3.3.10 Run a Risk Analysis

Same with the critical NetWeaver administrator role defined above:

Below are examples of Portal roles imported to CUP as roles.

You can provision both Portal roles as well as UME roles.

Provisioning Users into Groups

Create Portal System

Appendix B Links to related information

Appendix C Related SAP Notes

You might also like