Maintaining Configuration Settings in Access Control

Transcription

1 Maintaining Configuration Settings in Access Control Applies to: Access Control 10.1 SP18 Summary: This guide contains information about the parameters used when configuring Access Control. Created: July 2017 Version SAP AG

2 Document History Document Version Description 1.00 Initial release 1.10 Modified parameter 1048, 1049, Modified parameter Added parameter Added parameter 1124 Added parameter 5026 Added parameter 5027 Added parameter 5028 Added parameter Added parameter 1014 Added parameter 1047 Added parameter 1125 Added parameter 1073 Added parameter 2008 Added parameter 3027 Added parameter 4016 Added parameter 4017 Added parameter 4019 Added parameter 5022 Added parameter Removed parameter 1000 Added parameter 1015 Added parameter 1054 Updated parameter 1071 Added parameter 1302 Added parameter 2048 Added parameter 2060 Added parameter 2061 Added parameter 2401 Added parameter 3028 Added parameter 4018 Added parameter 5033 [ii]

3 1.6.0 Modified parameter 1050 Added parameter 1126 Added parameter 1127 Added parameter 2020 Added parameter Modified parameters: [iii]

4 (continued) Added parameter 1115 Added parameter 3029 Added parameter 3040 Modified parameter SP11 November 2015 Removed parameter 1031 Added parameter 1016 Added additional information explaining parameter 2047 (no change in parameter, itself) [iv]

5 1.9.1 December 2015 Reinstated parameter January 2016 Added additional information for parameter SP 13 April 2016 Added parameter 2402 Added parameter 4021 Changed default value from NO to <empty> for parameter 5027 Changed default value from NO to <empty> for parameter SP 14 July 2016 Updated content for parameter 1033 Updated Batch Risk Analysis and ad hoc data information for the following parameters: o 1021 o 1023 o 1024 o 1025 o 1026 (also changed default value from <empty> to A) o 1027 o 1028 o 1029 o 1030 o 1031 o 1032 o 1037 o 1038 o 1048 o SP 15 October 2016 Added parameter 1075 Added parameter 2062 Added parameter 6001 Modified parameter 4021 [v]

6 2.3 SP 15 November 2016 Modified information for parameter 6001 Removed parameter 1075 Removed parameter SP 16 January 2017 Added parameter 2062 Added parameter 1075 Updated description for parameter SP 17 April 2017 Updated default value for parameters 4003, 4004, 4005, Added parameter 3041 Added parameter SP18 July 2017 Updated SAP Note informationfor parameters: 1028 and 1029 Updated parameter 3042 [vi]

7 Typographic Conventions Icons Type Style Description Icon Description Example Text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Caution Note or Important Example Recommendation or Tip Cross-references to other documentation Example text Emphasized words or phrases in body text, graphic titles, and table titles Example text File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Example text User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation. <Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER. [vi]

8 Table of Contents 1. Maintain Configuration Settings Change Log Mitigation Risk Analysis Risk Analysis - Spool Workflow Emergency Access Management UAR Review Performance Risk Analysis - Access Request Role Management Risk Analysis Risk Terminator Access Request Role Selection Access Request Default Roles Access Request Role Mapping SOD Review LDAP Assignment Expiry Access Request Training Verification Authorizations Access Request Business Role Management Dashboard Reports Access Request Validations Simplified Access Request Access Control General Settings Access Controls ILM Configuration Index by Numerical Value Copyright [vii]

9 1. Maintain Configuration Settings Access Control configuration settings allow you to customize the SAP Access Control application. You access the settings, or parameters, in Customizing (transaction SPRO). The menu path from the SAP Easy Access screen is Tools Customizing IMG Execute Project SAP Reference IMG Governance, Risks, and Compliance Access Control Maintain Configuration Settings. To maintain the configuration settings: 1. Choose the New Entries pushbutton and select a parameter group from the dropdown list. 2. In the Parameter ID column, select a parameter ID. 3. Select a Parameter Value from the dropdown list, or, if appropriate, enter a value in the Parameter Value field. 4. Optionally, in the Priority field, enter a number for the priority of the parameter. This is a userdefined field. 5. Choose Save. July 2017 Page 1 of 155

10 Parameter Groups Configuration parameters are organized into Parameter Groups as shown in the table below. Each group corresponds to an area of functionality within SAP Access Control. Group Number Group Description Group Number Group Description 01 Change Log 14 Access Request Role Mapping 02 Mitigation 15 SOD Review 03 Risk Analysis 16 LDAP 04 Risk Analysis - Spool 17 Assignment Expiry 05 Workflow 18 Access Request Training Verification 06 Emergency Access Management 19 Authorizations 07 UAR Review 20 Access Request Business Role 08 Performance 21 Management Dashboard Reports 09 Risk Analysis - Access Request 22 Access Request Validations 10 Role Management 23 Simplified Access Request 11 Risk Analysis Risk Terminator 24 Access Control General Settings 12 Access Request Role Selection 25 Access Controls ILM (Information Lifecycle Management) Configuration 13 Access Request Default Roles 1.1 Change Log The Change Log parameters control how transaction history is logged and displayed in SAP Access Control. July 2017 Page 2 of 155

11 Overview of Change Log Parameters Parameter ID Description 1001 Enable Function Change Log YES 1002 Enable Risk Change Log YES 1003 Enable Organization Rule Log YES 1004 Enable Supplementary Rule Log YES 1005 Enable Critical Role Log YES 1006 Enable Critical Profile Log YES 1007 Enable Rule Set Change Log YES 1008 Enable Role Change Log YES 5001 SLG1 Logs for HR Trigger HIGH Default Value Details of Change Log Parameters Enable Function Change Log YES Set to YES to display the Change History tab on the Function screen July 2017 Page 3 of 155

12 Enable Risk Change Log YES Set to YES to display the Change History tab on the Access Risk screen Enable Organization Rule Log YES Set to YES to display the Change History tab on the Organization Rules screen July 2017 Page 4 of 155

13 Enable Supplementary Rule Log Yes Set to YES to display the Change History tab on the Supplementary Rules screen Enable Critical Role Log Yes Set to YES to display the Change History tab on the Critical Role screen July 2017 Page 5 of 155

14 Enable Critical Profile Log Yes Set to YES to display the Change History tab on the Critical Profile screen Enable Rule Set Change Log Yes Set to YES to display the Change History tab on the Rule Sets screen July 2017 Page 6 of 155

15 Enable Role Change Log YES Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen SLG1 Log Level for HR Triggers HIGH The available values are High and Medium. When this parameter is set to High, all the HR Trigger logs are captured under SLG1 whether or not the info types from the HR System satisfy BRF rules. When this parameter is set as Medium, the system only captures those logs that occur after the BRF rules are satisfied. The screen shot below shows the detail SLG1 logs that are captured when the parameter is set to High July 2017 Page 7 of 155

16 1.2 Mitigation The Mitigation parameters control how risk mitigation works in SAP Access Control. Overview of Mitigation Parameters Parameter ID Description Default Value 1011 Default expiration time for mitigating control assignments (in days) 1012 Consider Rule ID also for mitigation assignment NO 1013 Consider System for mitigation assignment NO 1014 Enable separate authorization check for mitigation from access request 1015 Get data for Invalid Mitigation Report from Management Summary table 1016 Specify number of days to exclude from Invalid Mitigation Cleanup 365 NO NO 0 (zero) Details of Change Log Parameters Default expiration time for mitigating control assignments (in days) The default quantity of days you are allowed to mitigate any object (selection on service map). You can overwrite this quantity in the Valid To field July 2017 Page 8 of 155

17 Consider Rule ID also for mitigation assignment By default, the application includes all rules when it mitigates the access risk. Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk. NO 1012 July 2017 Page 9 of 155

18 Consider System for mitigation assignment Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems. NO 1013 July 2017 Page 10 of 155

19 1014 Enable separate authorization check for mitigation from access request This parameter controls how authorization checks are done during the access request risk mitigation process. Previously, when risk mitigation was done during request approval, the mitigation was saved directly to the user mitigation tables. If the request was later rejected or cancelled, the mitigation remained in the user mitigation table even though it was then invalid. By using this parameter, you tell the application to save the mitigation in intermediate tables until the request is fully approved. At that point, the mitigation is transferred to the user mitigation table. This parameter works in conjunction with an activity (88) that is added to authorization object GRAC_MITC. NO Setting the value to YES enables activity 88 and mitigations are saved to an intermediate table until the request is fully approved. Setting the value to NO saves the mitigations directly to the user mitigation tables and activity 88 is not checked. For more information, see SAP Note July 2017 Page 11 of 155

20 1015 Get data for Invalid Mitigation Report from Management Summary table SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with the option to use Offline Data. The report gets the offline data from the detailed violations table from the last batch risk analysis. The data is very granular (low level) and may take time and more system resources to get. This parameter allows you to get the Offline Data from the Management Summary table. As the data is already at a summary level, it takes less time and less resources to produce the report. NO Set value to No to get the data from the detailed violations table. Set value to Yes to get the data from the Management Summary table. Specify number of days to exclude from Invalid Mitigation Cleanup As an AC Administrator, you can use Invalid Mitigation Cleanup to remove mitigation assignments that are no longer valid because the risks no longer exist. For example, the role assignments have been removed or the roles have changed. Additionally, there may be a scenario where you assign mitigation controls in Role Simulation or User Simulation, which results in invalid mitigation assignments because the roles or the updates do not yet exist in the back-end. The mitigation assignments will show as invalid until the user assignments and role changes have propagated to the back-end system If you use Invalid Mitigation Cleanup, it will remove all invalid mitigation assignments, including those in Simulation. To keep your work from being deleted, you can use this parameter to exclude the assignments that have been maintained within the selected number of days from the cleanup. For example, enter 10 to exclude invalid mitigation assignments maintained in the last 10 days. The calculated date is based on the date of last maintenance of the mitigating control assignments to users and roles. Whether the maintenance is done via a request, manually, or uploaded, the calculation is the same. Note: If you use the upload feature, all items uploaded would have a last maintained date of the upload date even if there is no change. July 2017 Page 12 of 155

21 1.3 Risk Analysis The Risk Analysis parameters control how risk analysis works in SAP Access Control. Overview of Risk Analysis Parameters Parameter ID Description Default Value 1021 Consider Org Rules for other applications NO 1022 Allow object IDs for this connector to be case sensitive <empty> 1023 Default report type for risk analysis Default risk level for risk analysis Default rule set for risk analysis <empty> 1026 Default user type for risk analysis A 1027 Enable Offline Risk Analysis NO 1028 Include Expired Users NO 1029 Include Locked Users NO 1030 Include Mitigated Risks NO 1031 Ignore Critical Roles and Profiles YES 1032 Include Reference user when doing user analysis YES 1033 Include Role/Profile Mitigation in User Risk Analysis YES 1034 Max number of objects in a package for parallel processing Send notification to the monitor of the updated mitigated object 1036 Show all objects in Risk Analysis NO YES 1037 Use SoD Supplementary Table for Analysis YES 1038 Consider FF Assignments in Risk Analysis NO 1046 Extended objects enabled connector <empty> 1048 Business View for Risk Analysis is Enabled NO (Technical View) 1050 Default Report View for Risk Analysis Remediation View July 2017 Page 13 of 155

22 Details of Risk Analysis Parameters Consider Org Rules for other applications Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens. NO 1021 Note This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens. July 2017 Page 14 of 155

23 Allow object IDs for this connector to be case sensitive <empty> On the Risk Analysis screen, you specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive. In the example below, z_cup_usr001 is case sensitive for system NCACLNT Note: To enter more than one system or connector, enter additional instances of the parameter. July 2017 Page 15 of 155

24 Default report type for risk analysis 2 The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, and Permission Level. This parameter allows you to choose one or more report types that are selected by default. It works as follows: If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2, Permission Level. If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values. Note: In the IMG value cell, press F4 to display the available types, such as Permission Level, and so on. The screenshot below shows the report being run with a default value of 2, Permission Level Note This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately. July 2017 Page 16 of 155

25 Default risk level for risk analysis 2 The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria This parameter allows you to choose the Risk Level that is selected by default. Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. Default rule set for risk analysis <empty> The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria This parameter allows you to choose the Rule Set that is selected by default. Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. Default user type for risk analysis A The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria This parameter allows you to choose the User Type that is selected by default. Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. July 2017 Page 17 of 155

26 Enable Offline Risk Analysis NO The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria. The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the Risk Analysis screen, the Offline Data checkbox is empty by default. Note: If Parameter 2023 is set to YES, then this parameter must also be set to Yes Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens July 2017 Page 18 of 155

27 Include Expired Users NO 1028 Set to YES to include expired users from plug-in systems for risk analysis. Note This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens. SAP NOTE Risk analysis not considering locked and expired users. Include Locked Users NO 1029 Set to YES to include locked users from plug-in systems for risk analysis. Note This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens. SAP NOTE Risk analysis not considering locked and expired users. Include Mitigated Risks NO The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to it. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected. Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. Ignore Critical Roles and Profiles YES Set the value to YES to exclude critical roles and profiles for risk analysis Note In Batch Risk Analysis, if this parameter is set to YES, the roles and profiles that are in the Critical Roles and Profiles tables are added to the entries specified in the IMG Activity Maintain Exclude Objects for Batch Risk Analysis. July 2017 Page 19 of 155

28 Include Reference user when doing user analysis YES 1032 Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis. Note This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens. July 2017 Page 20 of 155

29 Include Role/Profile Mitigation in User Risk Analysis YES Set the value to YES to include mitigating controls assigned to roles and profiles when performing user risk analysis. This setting affects both ad hoc user-level analysis and data calculated during batch risk analysis. Background 1033 If Role 1 is mitigated for Risk A, then all users assigned to Role 1 are mitigated for Risk A. If User Jones is mitigated for Risk A, the user-level mitigation supersedes any role or profile level mitigation. Practical use: if businesses do not mitigate risks at the user level, they can use role or profile mitigation as a blanket mitigation technique. Illustration Role 1 and Role 2 both contain Risk A. Role 1 is mitigated for Risk A. User Jones is assigned both Roles 1 and 2 and is not mitigated at the user level. User Smith is assigned both Roles 1 and 2 and is mitigated at the user level. User Williams is assigned only Role 2 and is not mitigated at the user level. With this scenario, how does the system respond? If the setting for Parameter 1033 is: SAP Access Control does this: YES User Jones is mitigated for Risk A due to the mitigation applied to Role 1 (role level mitigation). User Smith is mitigated for Risk A due to the mitigation applied at the user level (user level mitigation). User Williams is not mitigated for Risk A. NO User Jones is not mitigated for Risk A User Smith is mitigated for Risk A due mitigation applied at the user level User Williams is not mitigated for Risk A. NOTE This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens. SAP NOTE Risks appear for the Roles/Users whose Mitigation has already done July 2017 Page 21 of 155

30 Maximum number of objects in a package for parallel processing 100 The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job. For example, if there are 10,000 users to analyze and this value is 100, then there will be 100 packages created each having 100 users. Each package is submitted to a separate background process, which is available to the application via the application group If instead, we specify three background processes are available to GRAC_SOD, 100 packages are submitted one by one to these processes. Three packages initially and then one by one to each process, which complete the package execution. Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, then the application ignores the parameter in this setting and uses the value 2 instead. July 2017 Page 22 of 155

31 Send notification to the monitor of the updated mitigated object YES Set the value to YES to send notifications to the owner of the mitigating control when the mitigated object is updated, such as the user/role July 2017 Page 23 of 155

32 Show all objects in Risk Analysis NO Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default The objects that do not have violations are displayed with the Action: No Violations. Note: This setting applies to SoD Batch Risk Analysis. July 2017 Page 24 of 155

33 Use SoD Supplementary Table for Analysis YES Set value to YES to use supplementary rules for SoD risk analysis NOTE This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens. Consider FF Assignments in Risk Analysis NO Set value to YES to use supplementary rules for SoD risk analysis. You can use this parameter to select whether or not to include Firefighter (FF) assignments in risk analysis (cont.) Select YES to include FF assignments for risk analysis. On the Access Management > Access Risk Analysis screens, the application displays the Include FFIDS checkbox. Select NO to exclude FF assignments for risk analysis. On the Access Management > Access Risk Analysis screens, the application does not display the Include FFIDS checkbox. July 2017 Page 25 of 155

34 Note For Access Requests, the application does not allow users to choose whether to include FFIDs for risk analysis. As shown in the graphic below, the Include FFIDs checkbox is not part of the Risk Violation tab on the Access Request screen. If you set the parameter value as YES, the application includes FFIDs in the risk analysis, but it will not display the checkbox on the screen. Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. July 2017 Page 26 of 155

35 Extended objects enabled connector <empty> 1046 Extended objects are objects from non-sap systems. This parameter allows you to specify the connectors for non-sap systems. The connectors can have object lengths greater than SAP objects. For example, SAP User ID length is 12, but the extended object length may be 50. Note: You can set multiple connectors by adding multiple instances of the parameter. Business View for Risk Analysis is Enabled NO (Technical View) The available values are Yes and No. If the parameter is set to Yes, the system displays the Business View format on the Risk Violations tab during creation or approval of a request as shown in the screen shot Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. July 2017 Page 27 of 155

36 Default Report View for Risk Analysis Remediation View There are three types of views for Risk Analysis reports (technical, business and remediation). To change the global default to something other than the Technical View, you can do that through this parameter. This parameter affects the dashboard drill-down for Risk Analysis. You can change the default view on a case-by-case basis for the ad hoc reports through the User Interface (as shown below) Note This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens. July 2017 Page 28 of 155

37 1.4 Risk Analysis - Spool The Risk Analysis - Spool parameters control variables having to do with how Risk Analysis reports are run. Overview of Risk Analysis Spool Parameters Parameter ID Description Default Value 1051 Max number of objects in a file or database record Spool File Location <empty> 1053 Spool Type D 1054 Max number of violations supported in Organization Rule Analysis Details of Risk Analysis Spool Parameters 1051 Max number of objects in a file or database record You can use this parameter to specify the maximum number of analytics data objects the application stores. If parameter 1053 is set to F, the value is the maximum number of objects stored in the file. If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table. Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table. Prerequisite: You have configured parameters 1052 and Spool File Location <empty> You can specify the file location where the application stores the analytics data, such as \\ <ip_address>\public\sod\. Note: This parameter is only valid if parameter 1053 is set to F. Prerequisite: You have configured parameter July 2017 Page 29 of 155

38 1053 Spool Type You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control, such as ad hoc SoD violations. Set the value to F to store the data on the file system. (Set the file location in parameter 1052). Set the value to D to store the data in the GRACSODREPDATA table. Note: You see the intermediate results while risk analysis is running. This gives you an opportunity to see if the desired records are created and choose to stop or cancel the job. If you change the location type (such as from D to F) in mid-course, the report will still read the previously generated files or database records. Index tables keep track of the source of the records when the data was generated. If you cancel the job before the report is finished, you can still read the data up to the point the files or database records were created. D 1054 Max number of violations supported in Organization Rule Analysis SAP Access Control allows you to consider Organizational Rules when performing access risk analysis. Depending on the total number of org rules, the analysis can generate a very large number of violations, which may cause the system to run out of memory and result in a dump. With SP07, a feature has been added to enable the application to exit the analysis before the system runs out of memory. You use this parameter to set the threshold limit. The default is 500,000. For example, you can perform User Level risk analysis and choose the option to Consider Org Rule. If the 500,000 violations threshold is reached, the application stops the analysis for that particular user and displays the message Too many violations. July 2017 Page 30 of 155

39 1.5 Workflow The Workflow parameters control variables across all the processes in SAP Access Control. Examples include specifying whether to send notifications when mitigating controls or risks change. Overview of Workflow Parameters Parameter ID Description 1061 Mitigating Control Maintenance NO 1062 Mitigation Assignment NO 1063 Risk Maintenance NO 1064 Function Maintenance NO 1101 Create Request for Risk Approval Update Request for Risk Approval Delete Request for Risk Approval Create Request for Function Approval Update Request for Function Approval Delete Request for Function Approval Create Request for Mitigation Assignment Approval Update Request for Mitigation Assignment Approval Delete Request for Mitigation Assignment Approval High High High 4 Default Value 1113 Access Control Sender WF-BATCH 1115 Enable Escalation for Requests on Hold NO 2051 Enable User ID Validation in Access Request against Search Data Sources 3022 Request Type for Role Approval Priority for Role Approval 5 YES July 2017 Page 31 of 155

40 Details of Workflow Parameters Mitigating Control Maintenance The application allows users to create and change mitigating controls. Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action. Note: On the Mitigating Control screen, the Create button is replaced by a Submit button. You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver. Figure B below shows you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER). Figure A NO 1061 (cont.) July 2017 Page 32 of 155

41 Figure B July 2017 Page 33 of 155

42 Mitigation Assignment The application allows users to mitigate risks for objects (user, role, profile, and so on). YES: The application sends an approval workflow item to the mitigating control approver. The screen displays a Submit button. If this parameter is set to Yes, you must also configure parameters 1107, 1108, 1109, and Note: You can configure the role that receives the workflow item for approving the mitigating control changes. Use the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. NO NO: The users can mitigate risks without approval. The screen displays a Save button July 2017 Page 34 of 155

43 Risk Maintenance NO The application allows users to create and modify risks. YES: The application sends an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button. If this parameter is set to Yes, you must also configure parameters 1101, 1102, 1103, and Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. NO: Users can create and modify risks without approval. The screen displays a Save button July 2017 Page 35 of 155

44 Function Maintenance The application allows users to create and change functions. YES: The application sends an approval workflow item to the specified workflow agent for approval when functions are created or modified. If this parameter is set to Yes, you must also configure parameters 1104, 1105, 1106, and Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. NO 1064 July 2017 Page 36 of 155

45 Create Request for Risk Approval 12 Use F4 help and choose the request type the workflow uses to create requests for risk approval. This request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. This parameter is only valid if parameter 1063 is set to Yes July 2017 Page 37 of 155

46 1102 Update Request for Risk Approval 13 Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes Delete Request for Risk Approval 14 Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes Create Request for Function Approval 15 Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes Update Request for Function Approval 16 Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes Delete Request for Function Approval 17 Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes. July 2017 Page 38 of 155

47 1107 Create Request for Mitigation Assignment Approval 18 Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes Update Request for Mitigation Assignment Approval 19 Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes Delete Request for Mitigation Assignment Approval 20 Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes High 2 You use this parameter to set the default workflow request priority for Updating and Creating Risks. Use F4 help to display the list of available priorities. You maintain the list of priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_RISK_APPR to risk approval priorities. Note: This parameter is only valid if parameter 1063 is set to Yes High 3 You use this parameter to set the default workflow request priority for Creating and Updating Functions. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_FUNC_APPR to function approval priorities. Note: This parameter is only valid if parameter 1064 is set to Yes. July 2017 Page 39 of 155

48 1112 High 4 You use this parameter to set the default workflow request priority for Mitigation Control Assignments. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities. Note: This parameter is only valid if parameter 1062 is set to Yes Access Control Sender WF-BATCH The application uses the of this user as defined in SU01 to send the workflow e- mails to the approvers. See the Access Control 10.1 Security Guide for information about required authorizations for the WF-BATCH user Enable Escalation for Requests on Hold Parameter 1115 interacts with Access Control MSMP (Workflow) Configuration to determine whether to escalate an access request that is on hold. The possible values of parameter 1115 are: YES the system escalates a request on hold if Escalation Type is set to Escalate to Specified Agent in MSMP. NO the system does not escalate a request on hold even if Escalation Type is set to Escalate to Specified Agent in MSMP. The screenshot below shows the Escalation Type field in MSMP Configuration. You can find this screen in Customizing under Governance, Risk and Compliance Access Control Workflow for Access Control Maintain MSMP Workflows. NO ( continued ) July 2017 Page 40 of 155

49 Placing an Access Request on Hold An access request approver can place a request on hold during the request review process as illustrated in the screenshot below. Examples of the Interaction Between Access Control Configuration Parameter 1115 and the MSMP Escalation Type Setting The table below shows what happens when you place an access request on hold given the sample settings Setting MSMP Escalation Type Setting YES NO Escalate to Specified Agent Escalate to Specified Agent Result The request is escalated according to your configuration. The request is not escalated. MSMP is overridden. July 2017 Page 41 of 155

50 YES Skip to Next Stage The request is escalated according to your configuration. NO Skip to Next Stage The request is not escalated. MSMP is overridden. YES No Escalation The request is not escalated. NO No Escalation The request is not escalated. More Information See SAP Note UAM: On hold requests are getting escalated The table below shows what happens when you place an access request on hold given the sample settings Setting MSMP Escalation Type Setting YES NO Escalate to Specified Agent Escalate to Specified Agent Result The request is escalated according to your configuration. The request is not escalated. MSMP is overridden. YES Skip to Next Stage The request is escalated according to your configuration. NO Skip to Next Stage The request is not escalated. MSMP is overridden. YES No Escalation The request is not escalated. NO No Escalation The request is not escalated. More Information See SAP Note UAM: On hold requests are getting escalated 2051 Enable User ID Validation in Access Request against Search Data Sources YES July 2017 Page 42 of 155

51 If set to YES, the application validates the UserID exists on the specified source system. If the user does not exist, the application does not allow the request to continue. The validation is performed when you select Submit or Enter. Request Type for Role Approval Use F4 help and choose the request type the workflow uses for role approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. (See also parameter 1101) 3023 Priority for Role Approval 5 Priority of the request for Role Approval You use this parameter to set the default workflow request priority for Role Approvals. Use F4 help to display the list of available priorities. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_ROLE_APPR to role approval priorities. July 2017 Page 43 of 155

52 1.6 Emergency Access Management The Emergency Access Management (EAM) parameters control many aspects of how EAM functions. Overview of EAM Parameters Parameter ID Description 4000 Application Type 1 Default Value 4001 Default Firefighter Validity Period (in days) <empty> 4002 OBSOLETE - Send immediately YES 4003 Retrieve Change Log <empty> 4004 Retrieve System Log <empty> 4005 Retrieve Audit Log <empty> 4006 Retrieve O/S Command Log <empty> 4007 Send Log Report Execution Notification Immediately YES 4008 Send Firefight ID Logon Notification YES 4009 Log Report Execution Notification YES 4010 Firefighter ID Role Name ZSAP_GRAC_SMP_FFID 4012 Default users for forwarding the Audit Log workflow Firefighter ID owner can submit request for Firefighter ID owned YES 4014 Firefighter ID controller can submit request for Firefighter ID YES 4015 Enable decentralized Firefighting NO 4017 Enable CUP request number to show in Firefighter ID/Role Assignment Screen 4018 Enable detailed application logging (SLG1) for Firefighter log synchronization programs 4020 Generate EAM log Firefighter sessions with no activity NO 4021 Use ALV Grid for Firefighter filter transaction NO YES 5033 Allow creation of Firefighters with no Controller YES NO July 2017 Page 44 of 155

53 Details of Emergency Access Management Parameters Application Type 1 You use this parameter to set the firefighting configuration: Choose 1 for ID-based firefighting. Choose 2 for Role-based firefighting. Note: Configuration of parameter 4000 in any relevant target system is also required July 2017 Page 45 of 155

54 Default Firefighter Validity Period (Days) <empty> Set the default validity period (in days) of Firefighter ID assignments to a Firefighter. Notes: This is only the default period. You can override the validity period for each assignment as needed in the front-end. Configuration of parameter 4001 in any relevant target system is also required Send Immediately THIS PARAMETER IS OBSOLETE. IT IS NO LONGER USED IN SAP ACCESS CONTROL July 2017 Page 46 of 155

55 Retrieve Change Log The possible values are YES and NO. <empty> If set to YES, the application fetches the Change Log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports. Note Plug-in systems must have the O/S time and R/3 time zone matched for the logs to be properly collected. This is because STAD stores the logs in O/S files July 2017 Page 47 of 155

56 4004 Retrieve System Log The possible values are YES and NO. <empty> If set to YES, then the application fetches the System Log (debug changes) when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports Retrieve Audit Log <empty> The possible values are YES and NO. If set to YES, then the application fetches the audit (security) log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports. Note You can activate Audit Logs using the transaction SM Retrieve O/S Command Log The possible values are YES and NO. <empty> If set to YES, then the application fetches the O/S Command Log when a user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S Command Log tracks information when O/S commands (SM49) are created, changed, or executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports. July 2017 Page 48 of 155

57 Send Log Report Execution Notification Immediately YES The application can send log reports to controllers. The application sends the notifications as s or workflow items based on the configuration of the controllers. (See figure below.) Set the value to YES and the application sends notifications or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports Set the value to NO and the application only collects the logs when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The application sends the notifications or executes the workflow when the GRAC_SPM_WORKFLOW_SYNC program is executed. Notes This parameter is only valid if parameter 4009 is set to YES A separate or workflow is created for each EAM session performed July 2017 Page 49 of 155

58 4008 Send Firefighter ID Logon Notification The possible values are YES and NO. YES Set to YES and the application sends an notification to the controller whenever a firefighter executes a firefighting session. Set to NO if you do not want the application to send an notification to the controller whenever a firefighter executes a firefighting session Log Report Execution Notification The possible values are YES and NO. YES If set to YES then the application sends notifications to the controller or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports. Recommendation Consider parameter 4007 if this parameter is set to YES 4010 Firefighter ID Role Name ZSAP_GRAC_SMP _FFID Enter the name of the role assigned to the firefighter ID in the target systems. This informs the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC system and reads this configuration to check if the user has this role assigned to them. Notes Configuration of parameter 4010 in any relevant target systems is also required If IMG Activity Maintain Firefighter ID Role Name Per Connector is utilized, parameter 4010 is not considered and therefore does not need to be configured See SAP Note for more information. July 2017 Page 50 of 155

59 4012 Default users for forwarding the Audit Log workflow 2 Configuration parameter 4012 is used to restrict the users to whom the EAM log workflow can be forwarded. If it is set to 1, the workflow can be forwarded to any user in the GRC system. If it is set to 2, the workflow can only be forwarded to users who are designated as controllers in the Access Control Owners table Firefighter ID owner can submit request for Firefighter ID owned The available values are Yes and No. YES Based on the parameter value, the firefighter ID owner can submit request for himself (Yes) or not (No) Firefighter ID controller can submit request for Firefighter ID controller The available values are Yes and No. YES Based on the parameter value, the firefighter ID controller can submit a request for himself (Yes) or not (No) Enable decentralized firefighting The possible values are YES and NO. Based on the parameter value, you can enable the EAM launchpad on non-grc systems (Yes) or not (No). NO July 2017 Page 51 of 155

60 Enable CUP request number to show in Firefighter ID/Role Assignment Screen YES The Firefighter ID is requested to be assigned to the Firefighter User during the Access Request process (formerly CUP). Setting the parameter to YES ensures that this request number is visible in the Firefighter ID and Firefighter maintenance screens in the Comment column. This provides a way to track the progress of the request Setting the parameter to NO will result in the request number not being visible in the Firefighter ID and Firefighter maintenance screens in the Comment column. For more information, see SAP Note Enable detailed application logging (SLG1) for Firefighter log synchronization programs SAP Access Control keeps logs of firefighting activities on the plug-in systems. The logs are synchronized back to the central system and the data goes into firefighting reports. Errors may occur that disrupt the synchronization of the logs from the plug-in systems to the central system. Set the parameter to Yes to enable detailed logging in SLG1. You can use the additional information to determine the cause of the disruption. NO July 2017 Page 52 of 155

61 Generate EAM log for Firefighter sessions with no activity This parameter controls whether to send EAM log review workflow even if the Firefighter has not performed any activity. Set the parameter to Yes to generate the EAM log review even if there is no activity. For more information, see SAP Note Note: Parameter 4009 must be set to Yes for this parameter to be considered. For an example, below is the screen that shows the message indicating no activity by the Firefighter. NO 4020 July 2017 Page 53 of 155

62 Use ALV Grid for Firefighter Filter Transaction ONLY FOR CENTRALIZED EAM Launchpad Input the transaction GRAC_EAM_FILTER to display the below landing page and filter by Connector or Firefigter ID. This transaction is available whether the parameter is YES or NO. NO This parameter allows you to use the ABAP List Viewer (ALV) grid for the Firefighter table. NO This is the default and you will see the traditional EAM launchpad YES - Shows the ALV grid with the EAM launchpad. Here you can use all of the ALV features. Refer to SAP Note for more information. July 2017 Page 54 of 155

63 5033 Allow creation of firefighters with no controller YES In SAP Access Control, the controller is the user who reviews and approves log files from firefighting activities. Set the parameter to YES to create firefighters without requiring a controller. Set the parameter to NO to prevent the creation of firefighters without a controller. July 2017 Page 55 of 155

64 1.7 UAR Review The User Access Review (UAR) parameters allow you to make decisions about how to process User Access Reviews. Overview of UAR Parameters Parameter ID Description Default Value 2004 Request Type for UAR <empty> 2005 Default Priority UAR_PRIORITY 2006 Who are the reviewers? MANAGER 2007 Admin. Review required before sending tasks to reviewers YES 2008 Number of line items per UAR request Send automatic notification when roles are removed due to UAR Review No Details of UAR Parameters Request Type for UAR <empty> All request types defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F This is important for tagging the workflow in MSMP for UAR Review. July 2017 Page 56 of 155

65 Default Priority UAR_PRIORITY You use this parameter to set the default priority for user access request reviews. Use F4 help to display the list of available priorities for UAR Requests You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In this example, priority IDs 10, 22, 24, and 36 are relevant for UAR Review. Who are the reviewers? MANAGER Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE July 2017 Page 57 of 155

66 Admin. review required before sending tasks to reviewers YES Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. You specify reviewers in parameter How many line items per UAR request 100 This parameter allows you to specify the maximum number of items per UAR request when creating a UAR request. For more information, see SAP Note Send automatic notification when roles are removed due to UAR Review This parameter allows you to send an automatic notification to inform end users when their roles are scheduled for removal as part of the User Access Review process. We provide standard text in the notification. To customize the text: 1. Create a new documentation object for your text. 1. Use transaction SE61 (Documentation Maintenance). 2. Choose Document Class General Text. 2. Update the Notification view with your customized documentation object. 1. Use transaction SM30 (View Maintenance). 2. Modify the view GRFNVNOTIFYMSGC. 3. Create new entry using the message class 0AC_UAR_NOTIFY_USERS (UAR Notifications), message number In the Document Object field, enter the name of your customized document object. No July 2017 Page 58 of 155

67 July 2017 Page 59 of 155

68 1.8 Performance The Performance parameters allow you to make decisions about variables that affect the performance of SAP Access Control. Overview of Performance Parameters Parameter ID Description 1120 Batch size for Batch Risk Analysis Batch size for User Sync Default batch size for Role Synchronization Default batch size for Profile Synchronization Default batch size for Authorization Synchronization Pre-aggregate Access Risk Information NO 1126 Number of background jobs created for one Ad-Hoc Risk Analysis job 1127 Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis Default Value Details of Performance Parameters 1120 Batch size for Batch Risk Analysis 1000 The application uses this value to determine the size of the batch when performing batch risk analysis. (See also parameter 1121 for an example) Batch size for User sync 1000 The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository. For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000), and then processes the job in 10 batches of the range 0 to 1000, 1001 to 2000 so on. Each batch is processed in its entirety before continuing with the next. To synchronize users to the GRC AC Repository, you use the Customizing activity Repository Object Synch under Governance, Risks, and Compliance > Access Control > Synchronization Jobs Default batch size for role synchronization 1000 The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121 July 2017 Page 60 of 155

69 1123 Default batch size for profile synchronization 1000 The application uses this value to determine the size of the batch when synchronizing profiles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121 Default batch size for authorization synchronization 1000 The application uses this value to determine the size of the batch when synchronizing authorization master data from the backend ERP systems to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter Pre-aggregate Access Risk Information Setting the parameter to YES renders the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver more quickly. Setting the parameter to NO can adversely affect the rendering of the SAP Fiori for SAP GRC transactional applications Compliance Approver and Access Approver. When performing risk analysis, the risk count shows the number of risks per access request. This parameter stores the risk count more efficiently. For more information, see SAP Note NO July 2017 Page 61 of 155

70 Number of background jobs created for one Ad-Hoc Risk Analysis job This parameter works with parameter 1127 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000 minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis 1000 This parameter works with parameter 1126 for faster processing of Ad-Hoc Risk Analysis jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000 minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects, the one job is split into 2 background jobs for faster processing July 2017 Page 62 of 155

71 2050 Enable Real-time LDAP Search for Access Request User If set to YES, the application searches for the access request user on the specified LDAP source and in real time. Prerequisite You have specified the first user search data source as LDAP, or else the application ignores this parameter. Note Since the search is performed in realtime, it can negatively affect performance. NO 2060 Organization Rules -Maximum allowed to be generated in foreground In SAP Access Control, you can use the Organizational Rule Creation Wizard to generate organizational rules. You can choose to generate the rules in the foreground or the background. Generating the rules in the foreground may use up system resources for other activities or affect performance. You can use this parameter to set a threshold for the maximum organizational rules that can be generated in the foreground, thereby keeping it from negatively affecting the system resources. For example, you set the threshold value at 20,000. If the threshold is reached when someone is generating organizational rules in the foreground, the application halts the task and displays options to either run the job in the background or cancel it. July 2017 Page 63 of 155

72 Duration for displaying confirmation message (in milliseconds) 1000 This parameter applies to the SAP Fiori for SAP GRC transactional application, Compliance Approver. You use this parameter to set how long the confirmation message appears on the screen. The default is 1000 milliseconds. Below is an example of the confirmation message 2061 July 2017 Page 64 of 155

73 1.9 Risk Analysis - Access Request The Risk Analysis - Access Request parameters allow you to make decisions about how Risk Analysis behaves when access requests are created. Overview of Risk Analysis - Access Request Parameters Parameter ID Description 1071 Enable Risk Analysis on form submission NO 1072 Mitigation of critical risk required before approving the request NO 1073 Enable SoD violations detour on risks from existing roles NO 1075 Set Default Report Format for Access Risk Analysis to Management Summary in Access Request Default Value NO Details of Risk Analysis - Access Request Parameters 1071 Enable risk analysis on form submission NO July 2017 Page 65 of 155

74 You can use this parameter to set the application automatically to perform risk analysis on the access request the user submitted. The risk analysis results are added to the access request for the approver to review. Therefore, the risk analysis results appear on the approver s screens but not on the requestor s screens. Set to No to disable automatic risk analysis. Set to Yes to enable automatic risk analysis. This triggers a risk analysis. The user must wait for the risk analysis to finish before proceeding. Set to Asynch to enable automatic risk analysis and allow the user to proceed to the next screen without waiting. The risk analysis is performed in the background and the results are attached to the request. Note: This does not change the workflow for the request. The request will only proceed to the approver after the risk analysis is completed in the background Mitigation of critical risk required before approving the request Set the value to YES to require mitigation of Risks of the type Critical Access. Enable SoD violations detour on risks from existing roles The possible values for this parameter are YES and NO. If an SoD risk exists in an access request, the application considers it a special condition and sends it to a detour path in the workflow. NO NO 1073 However, SoD risks may arise from the new roles the user is requesting and they may arise from the existing roles that are already assigned to the user. Set the value to YES to consider risks from new and existing roles for the detour. Set the value to NO to consider risks only from new roles (and not existing roles) for the detour. July 2017 Page 66 of 155

75 1075 Set Default Report Format for Access Risk Analysis to Management Summary in Access Request Customers can choose one of the following two formats as the default report format when running Access Risk Analysis: Choose NO to set the default report format to Summary Choose YES to set the default report format to Management Summary NO July 2017 Page 67 of 155

76 1.10 Role Management The Role Management parameters allow you to make decisions parameters that affect role creation and processing. Overview of Role Management Parameters Parameter ID Description Default Value 3000 Default Business Process <empty> 3001 Default Subprocess <empty> 3002 Default Criticality Level <empty> 3003 Default Project Release <empty> 3004 Default Role Status <empty> 3005 Reset Role Methodology when Changing Role Attributes YES 3006 Allow add functions to an authorization YES 3007 Allow editing organizational level values for derived roles NO 3008 A ticket number is required after authorization data changes YES 3009 Allow Role Deletion from back-end system YES 3010 Allow attaching files to the role definition YES 3011 Conduct Risk Analysis before Role Generation YES 3012 Allow Role Generation on Multiple Systems NO 3013 User logged-on user credentials for role generation NO 3014 Allow role generation with Permission Level violations NO 3015 Allow role generation with Critical Permission violations NO 3016 Allow role generations with Action Level violations NO 3017 Allow role generation with critical Action violations NO 3018 Allow role generation with Critical Role/Profile violations NO 3019 Overwrite individual role Risk Analysis results for Mass Risk Analysis NO 3020 Role certification reminder notification Directory for mass role import server files <empty> 3024 Enforce methodology process for derived roles during generation YES 3025 Allow selection of Org Value Maps without leading org. NO 3026 Save Role Provisioning Details While Copying Role YES 3027 Automate authorization copy from master role to derived roles NO 3028 Generate derived roles after Creation/Update NO 3029 Notify User When Business Role Assignment Changes NO 3040 A ticket number is required for changes to role master data NO 3041 Perform mandatory risk analysis during role maintenance NO 3042 Do not allow role maintenance with risks NO July 2017 Page 68 of 155

77 Details of Role Management Parameters Default Business Process <empty> Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available business processes. You maintain the list of business processes in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control July 2017 Page 69 of 155

78 3001 Default Subprocess <empty> Select the sub process the application displays by default on the Role Import screen. Use F4 help to display the available subprocesses. You maintain the list of subprocesses in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control Default Criticality Level <empty> Select the criticality level the application displays by default on the Role Import screen. Use F4 help to display the available criticality levels. You maintain the list of sub processes in the Customizing activity Specify Criticality Level under Governance, Risk and Compliance > Access Control > Role Management. Default Project Release <empty> Select the project release the application displays by default on the Role Import screen. Use F4 help to display the available project releases. You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance, Risk and Compliance > Access Control > Role Management. Default Role Status <empty> Select the role status the application displays by default on the Role Import screen. Use F4 help to display the available role status. You maintain the list of project releases in the Customizing activity Maintain Role Status under Governance, Risk and Compliance > Access Control > Role Management Reset Role Methodology when Changing Role Attributes The possible values are YES and NO. YES This parameter determines whether the role methodology step is reset to the first step (Definition) after a mass update. It is particularly useful to avoid creating mass approval requests. July 2017 Page 70 of 155

79 Allow add functions to an authorization YES Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen Allow editing organizational level values for derived roles The maintenance screen for derived roles displays organizational levels from the parent role. Set the value to YES to allow the derived roles to change the values for the organizational levels. NO July 2017 Page 71 of 155

80 A ticket number is required after authorization data changes YES Set the value to YES to require a ticket number when role authorizations are modified in PFCG and the user chooses the Synch with PFCG button. Note: The Ticket Number field is a free text entry field. The application only provides the field and does not have any specific requirements. You can enter information appropriate for your company s change request processes Interaction with parameter 3040: Parameter 3008 interacts with parameter 3040 (A ticket number is required for changes to role master data) in the following way: If 3040 is set to Yes, then 3008 is ignored. If 3040 is set to No, then 3008 behaves as documented. July 2017 Page 72 of 155

81 Allow Role Deletion from back-end system YES Set the value to YES to allow users the option to roles from both Access Control and relevant plug-in systems. Setting this value to Yes deletes the roles in each of the systems the role resided individually. For example, the role is DELETED directly from PRD instead of having a delete request transported through CTS. Set the value to NO to allow users to delete roles only from Access Control Allow attaching files to the role definition YES Set the value to YES to allow users to attach files by displaying the Attachments tab on the Role Maintenance screen July 2017 Page 73 of 155

82 Conduct Risk Analysis before Role Generation YES Set the value to YES to automatically perform risk analysis when the user generates roles July 2017 Page 74 of 155

83 Allow Role Generation on Multiple Systems Set the value to YES to allow users to select multiple systems when generating roles. The application displays systems in the landscape, which are available for role generation action. NO 3012 July 2017 Page 75 of 155

84 Use logged-on user credentials for role generation When generating a role, the application connects to back-end systems to push the authorization data. The application needs a username/password to open the connection to the back-end ERP system. You can use this parameter to specify whether the application uses a generic username/password for all role generation connections to the ERP system, or the username/password of the person generating the role. NO 3013 Set the value to NO to use a generic username/password for the connection to the ERP system. You maintain the generic username/password for the connector in the Customizing activity Create Connectors under Governance, Risk, and Compliance > Common Component Settings > Integration Framework. Set the value to YES to allow the application to use the username/password of the person who is generating the role. The advantage of setting this parameter to Yes is that when you open a role in the ERP system, you can view who generated it. If the parameter is set to No, you can only see which connector, with the generic username/password, that generated it Allow role generation with Permission Level violations Set the value to YES to allow the application to generate roles even if Permission Level violations are present. Set the value to NO to prohibit role generation if permission level violations are present. NO 3014 July 2017 Page 76 of 155

85 3015 Allow role generation with critical permission violations Set the value to YES to allow the application to generate roles even if permission level violations are present. Set the value to NO to prohibit role generation if permission level violations are present Allow role generation with action level violations Set the value to YES to allow the application to generate roles even if action level violations are present. Set the value to NO to prohibit role generation if action level violations are present Allow role generation with critical action violations Set the value to YES to allow the application to generate roles even if critical action violations are present. Set the value to NO to prohibit role generation if critical action violations are present Allow role generation with critical role/profile violations Set the value to YES to allow the application to generate roles even if critical role/profile violations are present. Set the value to NO to prohibit role generation if critical role/profile violations are present. NO NO NO NO July 2017 Page 77 of 155

86 Overwrite individual role risk analysis results for mass risk analysis The possible values are YES and NO. The application allows you to perform ad hoc risk analysis for multiple roles under Access Management > Role Mass Maintenance > Run Risk Analysis. The application stores the results of the analysis. (See also parameters 1052 and 1053). When you next perform mass risk analysis, the application searches the stored data to determine if there are previous risk analysis results for each role. You can choose whether the application overwrites the risk analysis results. NO 3019 Set the parameter to YES to write or overwrite stored results during mass role risk analysis Set the parameter to NO if you do not want to overwrite the stored results during mass role risk analysis. In this case, results are only stored during the risk analysis phase of role maintenance or during ad-hoc role risk analysis. Note The above actions are done per individual role. The application does not automatically overwrite the results for all roles Role certification reminder notification 10 July 2017 Page 78 of 155

87 You use this parameter to set how many days prior to the Next Certification date the application sends a reminder to the role owner. For example, if the next certification is June 15, xxxx, and this parameter value is 10, then the application sends the reminder notification to the role owner on June 5, xxxx. You set the Certification Period in Days and Next Certification date in the Define Role phase, on the Properties tab. Note Additional information about Certification Notifications: You can use the following Customizing activities to maintain custom notification s under Governance, Risks, and Compliance > Access Control > Workflow for Access Control: Maintain Custom Notification Messages Maintain Text for Custom Notification Messages Maintain Background Job for Reminders The following is an example of a notification The application provides notification templates. You can assign custom notification templates in the Customizing activity: Maintain Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. July 2017 You can customize the notification text by using the Customizing activity Maintain Page Text 79 of 155 for Custom Notification Messages under Governance, Risks, and Compliance > Access Control > Workflow for Access Control.

88 Role certification reminder notification (cont.) 10 You can customize the notification text by using the Customizing activity Maintain Text for Custom Notification Messages under Governance, Risks, and Compliance > Access Control > Workflow for Access Control (cont.) For certification notifications to be delivered, you must run the GRAC_ERM_ROLE_CERTIFY_NOTIF program in either the foreground or the background. You can schedule background jobs to run periodically using the Customizing activity Maintain Background Job for Reminders under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. If you run the program in the foreground, the application displays a results screen: July 2017 Page 80 of 155

89 3021 Directory for mass role import server files <empty> The application allows you to perform mass role import under Access Management > Role Mass Maintenance > Role Import. You can select the Import Source as File on Server. You use this parameter to specify the location of the files on the server. Enforce methodology process for derived roles during generation YES You use this parameter to determine the derived roles displayed in the role generation phase of the master role. Set the value to YES to display only the derived roles that reach the role generation phase of the methodology process. Set the value to NO to display all derived roles, regardless of their phase in the methodology process. In the following example, Figure A shows five derived roles available; two of the roles are in Role Generation phase. Figure B shows that if the value is set to YES, only the two roles in Role Generation phase are displayed July 2017 Page 81 of 155

90 Allow selection of Org. Value Maps without leading org. You use this parameter to determine if users may derive roles by using Org Value Maps that do not contain a leading organization. Set the value to YES to allow role derivation using Org Value Maps that do not contain a leading organization. Set the value to NO to require that role derivation is performed using Org Value Maps that do contain a leading organization. Single Role Derivation Choose Access Management Role Management Role Search Search and open any role. Go to the role derivation phase and choose Derive. If the AC Configuration parameter 3025 = YES, the screen appears as below: NO 3025 If the AC Configuration parameter 3025 = NO, the screen appears as below: July 2017 Page 82 of 155

91 Mass Role Derivation Choose Access Management Role Mass Maintenance Role Derivation. Search and select any map and choose Next to go to the Select Master Role screen. If the AC Configuration parameter 3025 = YES, the screen appears as below: If the AC Configuration parameter 3025 = NO, the screen appears as below: July 2017 Page 83 of 155

92 3026 Save Role Provisioning Details While Copying Role YES You use this parameter to specify whether you wish to copy the role details such as the system validity period when copying roles. The default value is YES copy the details when creating a new role Automate authorization copy from master role to its derived roles Possible values are YES and NO. If the parameter is set to YES, the application automatically copies authorization data from the master role to its derived roles. If the parameter is set to NO, the application does not copy the authorization data from the master role to its derived roles Generate Derived roles after Creation/Update In SAP Access Control, you can create derived roles and update them using Role Derivation and Derived Role Org. Values Update. To generate the profiles in the backend system, you must use Role Generation to create the background job. This is a manual step, and if not done, the profiles are not generated and the changes to the derived roles are not implemented. This parameter allows you to schedule the background job for Role Generation automatically. Set this parameter to Yes to schedule the background job automatically at the time you create or update a derived role. NO NO Notify User When Business Role Assignment Changes NO SAP Access uses Parameter 3029 in Business Role Management to determine whether to notify users when their role assignments change. The possible values of parameter 3029 are: YES notify users when their role assignments change. NO Do not notify users when their role assignments change In Access Control 10.1, during business role creation, under Provisioning options, there is an Update Assignment button. If you select this button, when changes occur to the business role assignment, the application sends a notification to all end users who are assigned to this business role. This feature is not available in Access Control 10.0, so there is no notification to users upon changes to the business role. If you are using Access Control 10.1 and you want to turn this notification off, you set parameter 3029 parameter to NO. Example The screenshot below shows a sample user notification. July 2017 Page 84 of 155

93 More Information See SAP Note for more information. July 2017 Page 85 of 155

94 A ticket number is required for changes to role master data Parameter 3040, if set to Yes, requires a ticket number be assigned when any role master data changes. This number allows changes to be traced to the original change request. NO The possible values of parameter 3040 are: YES ticket numbers must be entered when role master data changes NO ticket numbers are not required when role master data changes This functionality applies to all phases of role maintenance as well as changes made using Role Copy, Role Mass Maintenance: Role Import, Role Update, Derived Role Org. Value Update, and Mass Update. When a role is created, a dialog box appears allowing the user to enter a ticket number and description. Ticket Number is mandatory. The screenshot below shows the dialog box that displays for entering a ticket number when you create a new role When a user edits a role that is completed, the same dialog box is displayed for entering a new ticket number. For all subsequent edits, the same ticket number will be used automatically without the user entering a new number. The application tracks all ticket numbers in the role change history. On the Role Maintenance screen, under the Additional Details tab, you can choose Ticket Number to display the current ticket number for the role. By default, this tab is read-only. Only the users with special authorization (GRAC_ROLED V8 Modify ticket) are able to edit the ticket details (including the ticket number) here. July 2017 Page 86 of 155

95 3040 (cont.) Click Additional Details Change History to see the history of changes to this role along with the associated ticket numbers. You can use Role Search to search for roles with a certain ticket number as shown in the screenshot below. Interaction with Parameter 3008 Parameter 3008 (A ticket number is required after authorization data changes) interacts with parameter 3040 in the following way: If 3040 is set to Yes, then 3008 is ignored. If 3040 is set to No, then 3008 behaves as described. July 2017 Page 87 of 155

96 Perform mandatory risk analysis during role maintenance NO Possible values are: Yes: When maintaining a role in Business Role Management, if the risk analysis methodology is mapped, then risk analysis must be run. If you do not perform risk analysis, the error message "Perform Risk Analysis Mandatory" is displayed. No: The Analyze Access Risks phase can be skipped. Role maintenance moves to the next phase without risk analysis Refer to SAP Note GRC AC 10.1: Business Role Management Parameters to enforce Risk Analysis during Role Maintenance for more information. July 2017 Page 88 of 155

97 Do not allow role maintenance with violations NO Possible values are: Yes: When creating or maintaining a role in Business Role Management, if a risk exists, it is mandatory to either remediate the risk by changing the authorizations in the role, or to mitigate the risk using role mitigation. NOTE: If you do the mitigation, this is Role Mitigation. All users that are assigned this role will be grandfathered in with the role mitigation. No: The violations check is skipped. Role creation or maintenance moves to the next phase, regardless of risks Refer to SAP Note GRC AC 10.1: Business Role Management Parameters to enforce Risk Analysis during Role Maintenance, for more information. Consider the interactions with parameter 1062: Mitigation Assignment: Yes: If you mitigate any risk during role maintenance, the mitigation assignment workflow is triggered. Notification is sent to the Mitigation Control Owner. No: If you mitigate any risk during role maintenance, the mitigation assignment workflow is not triggered. July 2017 Page 89 of 155

98 1.11 Risk Analysis Risk Terminator The Risk Analysis Risk Terminator control parameters that affect Risk Terminator. Overview of Risk Analysis Risk Terminator Parameters Parameter ID Description Default Value 1080 Connector enabled for Risk Terminator <empty> 1081 Enable Risk Terminator for PFCG Role Generator NO 1082 Enable Risk Terminator for PFCG User Assignment NO 1083 Enable Risk Terminator for SU10 multiple User Assignment NO 1084 Enable Risk Terminator for SU10 multiple User Assignment NO 1085 Stop role generation if violations exist NO 1086 Comments are required in case of violations NO 1087 Send Notification in case of violations NO 1088 Default report type for Risk Terminator 2 July 2017 Page 90 of 155

99 Connector enabled for Risk Terminator <empty> Enter the name of the connector in the value field to enable it for risk terminator. To use this parameter, you must also configure parameters You can enter multiple values by entering multiple instances of the parameter, as follows: 1080 Note: The following parameters must be configured in the relevant target systems: 1000, 1001, 1002, Parameter 1000 is the target Connector ID (Plug-in Connector). Parameter 1001 is the GRC Connector ID. Parameter 1002 is the rule set to be used. Parameters should be the same in both GRC and the target systems. This is a recommendation, but not a requirement Enable Risk Terminator for PFCG Role Generation Set to YES to trigger the risk terminator service for PFCG Role Generation. This parameter is only valid if parameter 1080 is configured with at least one connector. The Risk Terminator service is a tool that resides in the back end SAP ABAP system and notifies you when a risk violation occurs. NO 1082 Enable Risk Terminator for PFCG User Assignment Set to YES to trigger the risk terminator service for PFCG User Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector. NO 1083 Enable Risk Terminator for SU01 Role Assignment NO July 2017 Page 91 of 155

100 Set to YES to trigger the risk terminator service for SU01 Role Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector Enable Risk Terminator for SU10 multiple User Assignment Set to YES to trigger the risk terminator service for SU10 Multiple User Assignment. This parameter is only valid if parameter 1080 is configured with at least one connector Stop role generation if violations exist Set to YES the risk terminator service stops generating roles if violations exist. This parameter is only valid if parameter 1080 is configured with at least one connector Comments are required in case of violations Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment. This parameter is only valid if parameter 1080 is configured with at least one connector Send Notification in case of violations Set the value to YES to enable the application to send notifications to the role owner when violations occur. This parameter is only valid if parameter 1080 is configured with at least one connector Default report type for Risk Terminator 2 Select the default report type the risk terminator service uses to report SoD violations. Use F4 help to display the available report types. This parameter is only valid if parameter 1080 is configured with at least one connector. NO NO NO NO July 2017 Page 92 of 155

101 1.12 Access Request Role Selection The Access Request Role Selection parameters affect how you select and process roles when you create an access request. Overview of Access Request Role Selection Parameters Parameter ID Description 2031 Allow All Roles for Approver YES Default Value 2032 Approver Role Restriction Attribute <empty> 2033 Allow All roles for Requestor YES 2034 Requestor Role Restriction Attribute <empty> 2035 Allow Role Comments YES 2036 Role Comments Mandatory YES 2037 Display expired roles for existing roles YES 2038 Auto Approve Roles without Approvers YES 2039 Search Role by Transactions from Backend System NO 2040 Assignment Comments mandatory on rejection NO 2042 Visibility of Valid from/valid to for profiles Authorization object for role search provisioning GRAC_ROLED 2044 Display profiles in Existing Assignments, My Profile and Model User YES 2045 Default provisioning action after adding roles/profiles/ffid from existing assignment and My Profile 2046 Field type for business process and system fields, in access request role search 2047 Filter business process and systems based on application area NO 010 <empty> 2048 Default provisioning environment for business role <empty> 2031 Allow All Roles for Approver YES The application allows approvers to add additional roles to access requests when reviewing them. Set the value to YES to allow approvers to view and select all roles. Set the value to NO to restrict the roles the approvers can view and select for request creation. You specify the restriction criteria in parameter July 2017 Page 93 of 155

102 Approver Role Restriction Attribute <empty> The application allows approvers to add additional roles to access requests when reviewing them. You can restrict the roles approvers can view and select for request creation. Set the value to A to Restrict on Role Approver. Approvers can view and select only those roles for which they are the role approver. Set the value to B to Restrict on Business Process. Approvers can view and add only those roles with business process attributes that match those in the request Set the value to F to Restrict on Functional Area. Approvers can view and add only those roles with functional area attributes that match those in the request. Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the application ignores the restrictions specified here You can add multiple restriction values by adding additional instances of the parameter Allow All Roles for Requestor YES Set the value to YES to allow the user to view all roles for request creation. Set the value to NO to restrict the roles the user can view for request creation. You specify the restriction criteria in parameter July 2017 Page 94 of 155

103 Requestor Role Restriction Attribute <empty> This parameter allows you to require that, for access request creation, the application displays only the roles that have attributes that match the specified requestor attributes. Set the value to B to Restrict on Business Process. The application displays only the roles that match the requestor s business process attribute. Set the value to F to Restrict on Functional Area. The application displays only the roles that match the requestor s functional area attribute. Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If parameter 2033 is set to YES, the application ignores the restrictions specified here You can add multiple restriction values by adding additional instances of the parameter Allow Role Comments YES Set value to YES to allow the user to enter Role Comments when creating access requests Role Comments Mandatory YES Set value to YES to require Role Comments when creating access requests. Note: This is a GLOBAL setting and is required for all roles included on requests. Mandatory comments can also be determined at the individual role level. Prerequisite: Parameter 2035 must be set to YES. July 2017 Page 95 of 155

104 Display expired roles for existing roles YES Set the value to YES to include the roles for which the user assignment is expired when the user chooses the Existing Assignment button on the Access Request Auto Approve Roles without Approvers YES Set the value to YES to allow the application to approve access requests for roles without role assignment approvers. July 2017 Page 96 of 155

105 Search Role by Transactions from Backend System Set the value to NO to allow users to search for roles using the role information in the GRC AC Repository. Set the value to YES to allow users to search for roles by transactions on a specific backend system in real time. This has the following effect: It adds the Transaction from Backend System criteria to the Select Roles screen. It makes the System criteria mandatory. It fetches role information from the specified system in real time, which may have an effect on performance. NO Assignment comments mandatory on rejection The available values are YES and NO. If the value is set to NO, when you open an access request, you are not required to enter a comment if you reject a role, a system, or a Firefighter ID assignment. If the value is set to YES, you must enter a comment if you reject a role, a system, or a Firefighter ID assignment NO 2042 Visibility of Valid from/valid to for profiles 0 The available values are: 0,1,2,3,4 The effect on the user experience is based on the value the user selects The visibility of dates and editable property of Valid from and Valid To field will depend on the value selected for the parameter as indicated in the screen shots below. July 2017 Page 97 of 155

106 July 2017 Page 98 of 155

107 2043 Authorization object for role search - provisioning GRAC_ROLED This parameter allows you to determine the behavior of role search based on authorizations and the roles the user can see during role definition and role provisioning. GRAC_ROLED Enter this value to enforce role search authorizations during the role definition. GRAC_ROLEP Enter this value to enforce role search authorizations during role provisioning. BOTH Enter this value enforce role search authorizations during both role definition and role provisioning. For more information about the authorization objects, see the Access Control 10.1 Security Guide Display profiles in Existing Assignments, My Profile, and Model User (Continued ) YES July 2017 Page 99 of 155

108 The available values are Yes and No. Based on the parameter value, the system displays or hides Profiles for Existing Assignments, My Profile, and Model User as illustrated by the screen shots below. July 2017 Page 100 of 155

109 Default provisioning action after adding roles/profiles/ffid from existing assignments and My Profile The available values are: 006,009,010 Based on the parameter value the provisioning action is set for roles/profiles/ffid from existing assignments and My Profile as indicated in the screen shots below July 2017 Page 101 of 155

110 2046 Field type for business process and system fields, in access request role search <empty> This parameter allows you to choose the field type for the Business Process and System search criteria on the Access Request Role Search screen. You can choose the field types as a Text field with F4 help or a dropdown list. Set the value to 0 (zero) to display the field types for both Business Process and System as a text field. (See example below.) Set the value to 1 to display the Business Process field as a dropdown list, and the System field as a text field. Set the value to 2 to display the Business Process field as a text field, and the System field as a dropdown list. Set the value to 3 to display both the Business Process and System fields as a dropdown list. July 2017 Page 102 of 155

111 Filter business process and systems based on Application Area You can use Application Area to group systems that are of the same application type (for example, ECC, BI/BW, etc.). You designate the connector group as an Application Area by connecting it to Group Type CUP-AA - Application Area. (IMG: Governance Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connector Types.) NO 2047 Then, you can assign the Application Area to Business Processes. (IMG: Governance Risk and Compliance > Access Control > Maintain Business Processes and Subprocesses.) Note: Only Connector Groups that have been assigned the group type CUP-AA- Application Area can be assigned to business processes. You can assign a Business Process to multiple Application Areas. Continued July 2017 Page 103 of 155

112 Parameter 2047 continued Set this parameter to Yes to allow filtering of Systems and Business Processes by assigned Application Area during role selection. Set this parameter to No to not allow filtering by Application Area. Setting this parameter to Yes displays the Application Area field in the Advanced Search on the Add Roles to Request screen in the Simplified Access Request, or during F4 System search on the regular Access Request screen. (See figures below) Simplified Access Request screen Continued July 2017 Page 104 of 155

113 Parameter 2047 continued Regular Access Request Note: If this parameter is set to Yes, you must also set Parameter 2046 to 0 or 1 for this functionality to be used in the regular Access Request. For the Simplified Access Request, you can set Parameter 2046 to any setting July 2017 Page 105 of 155

114 Default provisioning environment for business role <empty> Use this parameter to set the default provisioning environment for business roles. For example, if you set the parameter to TST then when a user submits a request for a business role the default provisioning environment is Test The possible values for this parameter are: DEV - Development PRD - Production TST - Test July 2017 Page 106 of 155

115 1.13 Access Request Default Roles The Access Request Default Roles parameters control the assignment and characteristics of default roles assigned during access request creation Overview of Access Request Default Roles Parameter ID Description 1302 Add default roles only for systems specified in the Access Request NO 2009 Consider Default Roles YES Default Value 2010 Request type for default roles <empty> 2011 Default Role Level REQ&ROL 2012 Role Attributes <empty> 2013 Request Attributes <empty> Details of Access Request Default Roles Add default roles only for systems specified in the Access Request Default roles are automatically assigned to users on a system. Typically, these roles have little to no risk and contain authorizations you want everyone to have. For example, you want everyone with access to System_A to have authorization to view data. Therefore, when someone requests access to System_A the application automatically assigns the default roles to him or her in addition to whatever roles they requested. NO 1302 Previously, the application would assign all default roles for all systems in one request even if the systems were not specified in the request. The rationale is that all default roles are safe so the risk is low and it saves you from having to assign the roles in separate requests. For example, someone requests access to System_A. The application assigns them the default roles for System_A and the default roles for all other systems. You can use this parameter to have the application add default roles only for systems explicitly included in the access request. If the parameter is set to YES, the application only adds system-specific roles to the request. If the parameter is set to NO, the application adds default roles for all systems into the request. Note This parameter is only valid if parameter 2009 is set to Yes. July 2017 Page 107 of 155

116 Consider Default Roles YES If set to YES, the application automatically adds the relevant default roles to the access request. Prerequisites: You have maintained the following parameters as needed: 1302, 2010, 2011, 2012, and In this example, the value for the attribute Functional Area maps to a relevant default role, so the application adds the role to the request July 2017 Page 108 of 155

117 Request type for default roles <empty> Enter the request types that are relevant for default roles functionality. The application adds default roles only for the specified roles. Enter multiple request types by adding additional instances of the parameter Use F4 help to display the available request types. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning. See also parameters 2009, 2011, 2012, and Default Role Level REQ&ROL Select which attribute type determines the relevance of the default roles Role The application uses the role attributes to determine the relevant default roles and adds the default roles at the time the user adds the roles to the request. That is, the user does see the added default roles at the time they create the request. You define the relevant role attributes in parameter Request - The application uses the request attributes to determine the relevant default roles and adds the default roles when the request is displayed for the approver. That is, the user does not see the added default roles at the time they create the request. You define the relevant request attributes in parameter Request & Role The application uses both the request and the role attributes to determine the default roles. If a default role is added due to a role attribute, the user will see it after adding it to the request. If a default role is added due to a request attribute, the role is added when the request is displayed for the approver. You define the relevant role attributes in parameter 2012 and the relevant request attributes in parameter In this example, the value is set to Request. The manager receives a request with the default role z_user_admin already added, because Functional Area is a relevant attribute. (Continued ) July 2017 Page 109 of 155

118 In this example, the value is set to Role. On the request screen, the application shows the default roles as Existing and adds them to the request. July 2017 Page 110 of 155

119 (Cont.) See also parameters 2009, 2010, 2012, and July 2017 Page 111 of 155

120 2012 Role Attributes <empty> Enter the role attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter You can add multiple role attributes by adding additional instances of the parameter. See also parameters 2009, 2010, 2011, and Request Attributes <empty> Enter the request attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter You can add multiple request attributes by adding additional instances of the parameter. See also parameters 2009, 2010, 2011, and July 2017 Page 112 of 155

121 1.14 Access Request Role Mapping The Access Request Role Mapping parameters determine how and if you use role mapping during access request creation. Overview of Access Request Role Mapping Parameters Parameter ID Description 2014 Enable Role Mapping YES 2015 Applicable to Role Removals YES Default Value Details of Access Request Role Mapping Parameters Enable Role Mapping The application allows you to assign roles as child roles (or map the roles). This allows anyone who is assigned this role to be assigned the authorizations and access for the child roles. Set the parameter value to YES to enable this functionality. The role mappings are applicable for provisioning access requests. YES Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles. In the following example, the user is requesting the role BS_BS_123 of system GF1- >GO7. The mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the role from the request. Note: The Source System dropdown list is from the same landscape you chose on the Detail tab July 2017 Page 113 of 155

122 2015 Applicable to Role Removals YES Set the value to YES to allow users to include mapped roles in requests for role removal. For example, if a user creates a request to remove a role assigned to them, and the role has mapped roles, then the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request. July 2017 Page 114 of 155

123 1.15 SOD Review The Separation of Duties (SOD) Review parameters allow you to make decisions about how to process SOD Reviews. Overview of SOD Parameters Parameter ID Description Default Value 2016 Request Type for SoD <empty> 2017 Default priority for SoD <empty> 2018 Who are the reviewers? MANAGER 2019 Admin. Review required before sending tasks to reviewers YES 2020 Unique number of line items per SoD request (Maximum 9999) <empty> 2023 Is actual removal of role allowed? YES Details of SOD Parameters Request Type for SoD <empty> Use F4 help and select the request type when SoD review requests are created You maintain the list of available request type values in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW Default priority for SoD <empty> Use F4 help and select the default priority used for SoD review requests. You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW. July 2017 Page 115 of 155

124 2018 Who are the reviewers? MANAGER Select either Manager or Risk Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Risk Owners receive review requests sorted by Risk. Admin. review required before sending tasks to reviewers YES Set the value to YES to require that users with the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. You specify reviewers in parameter Number of unique line items per SOD request (Maximum 9999) <empty> You use this parameter to control the number of unique line items an approver wants to see in a SOD Review Request. The possible values are all numeric values between 0001 and For more information, see SAP Note UAM: Running Batch Risk Analysis is mandatory for SOD Review Request creation. July 2017 Page 116 of 155

125 2023 Is actual removal of role allowed You use this parameter to configure whether the reviewers of SoD risks are allowed to remove the roles associated with an SOD risk or only propose removal of the roles. Set value as NO This is the recommended setting. On the SoD Review screen, the application displays the Propose Removal button. Reviewers can only propose the removal of roles associated with a SoD risk violation. The workflow goes to the security administrator who is able to view the source of the risk before deciding whether to remove the role. Set value as YES This setting is not recommended. On the SoD Review screen, the application displays the Remove Role button. This allows the reviewer to delete the roles directly without going through approval by the security administrator. Warning: Reviewers do not have the ability to view the source of the risks; therefore, they have the risk of potentially deleting relevant roles. Note If this parameter is set to Yes, then Parameter 1027 must also be set to Yes.. YES July 2017 Page 117 of 155

126 1.16 LDAP The Lightweight Directory Access Protocol (LDAP) parameter determines where you can search for user data. Overview of LDAP Parameters Parameter ID Description 2052 Use LDAP domain forest NO Default Value Details of LDAP Parameters 2052 Use LDAP domain forest The available values are Yes and No. The effect on the user experience is based on the value set in configuration. If the value is Yes, users can search from multiple domains when the user data source is LDAP. NO July 2017 Page 118 of 155

127 1.17 Assignment Expiry The Assignment Expiry parameter controls the time period after which roles expire. Overview of Assignment Expiry Parameters Parameter ID Description Default Value 2041 Duration for assignment expiry in Days <empty> Details of Assignment Expiry Parameters 2041 Duration for assignment expiry in Days <empty> On the My Profile and Existing Assignment screens, the application displays the Status field for the roles. Roles that are about to expire displays the status of Expiring. You use this parameter to specify the timeframe (in days) that triggers the application to display the status as Expiring. In the following example, the My Profile and Existing Assignment screens will show the status of Expiring for all roles assigned to the user that is about to expire in 1 to 45 days. July 2017 Page 119 of 155

128 1.18 Access Request Training Verification The Access Request Training Verification parameter allows you to require training certification for specific roles. Overview of Access Request Training Verification Parameters Parameter ID Description Default Value 2024 Training and verification <empty> July 2017 Page 120 of 155

129 Details of Access Request Training Verification Parameters Training and verification <empty> The application allows you to require that users complete training courses before the application provisions specific roles to them. You enable this functionality by : 1. Setting training requirements (See Example 1 below.) 2. Configuring MSMP routing rule 3. Configuring the data source systems for verifying if the training requirements are completed Example 1: The user is requesting a role that has a TRAINING prerequisite, and Verify on Request is set to Yes. The application will not allow them to submit the request until all the prerequisites are met The application has a Routing rule for Training and Verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). The routing checks this parameter to determine the data source for verifying if the user has completed the training required for the roles they are requesting to add. If the required training is not completed for a particular role, the application does not provision the role, and instead, sends the request to the routing path. Leave the value field empty to disable the function. The workflow does not take any routing paths. Set the value to BAdI and the application uses the specified BAdI to perform the verification. Set the value to WS and the application uses the specified web service to perform the verification. (cont.) July 2017 Page 121 of 155

130 2024 (cont.) Training and verification (cont.) <empty> Note: Specify the prerequisite system in the connector configuration. To configure the connectors, use the Customizing activity Maintain Connectors and Connector Types under Governance, Risk, and Compliance > Common Component Settings > Integration Framework. The connector must be of the type WS and associated with a logical port. You can define the logical port in transaction SOAMANAGER. Prerequisite: You have implemented the BAdI or web service (WS) as needed. Note: You can configure the routing in the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control. July 2017 Page 122 of 155

131 1.19 Authorizations The Authorizations parameters control how authorization messages and logging are handled. Overview of Authorizations Parameters Parameter ID Description 1100 Enable the authorization logging NO 1114 Display authorization message in reports YES Default Value Param ID Description Details of Authorizations Parameters Default 1100 Enable the authorization logging If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1. For example, an owner wants to perform an action and is missing the necessary authorizations. NO Display authorization message in reports YES If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1. For example, an owner wants to perform an action and is missing the necessary authorizations. The Access Control reports and dashboards display data based on the user s authorizations. You can use this parameter to display a message and link that displays the objects the user is authorized to view. Set the value as YES to display the message and link. Set the value as NO if you do not want to display the message and link July 2017 Page 123 of 155

132 1.20 Access Request Business Role The Access Request Business Role parameters control how business roles are processed during access request creation. Overview of Access Request Business Role Parameters Parameter ID Description 4011 Allow deletion of technical roles if part of business roles YES 4016 Consider only the approved/completed version of a business role when provisioning 4019 Exclude manual changes to role assignments or profiles from repository sync Default Value NO NO Details of Authorizations Parameters Allow deletion of technical roles if part of business roles YES The possible values are YES and NO. Business roles are logical roles that exist only in the Access Control application. They allow you to create relationships with multiple technical roles, and thereby granting the authorizations from multiple roles by assigning a single business role. Use this parameter to set whether to allow the deletion of technical roles if they are assigned to a user as part of business role. Set the value to NO to prohibit the deletion of such technical roles. The application displays an error message: Role TechRole01 cannot be deleted; it is part of BusinessRole_AB. Set the value to YES to allow the application to delete the technical roles July 2017 Page 124 of 155

133 Consider only the approved/completed version of a business role when provisioning NO This parameter allows the system to consider only the Approved or Completed versions of a Business Role for provisioning. The possible values are YES and NO. If 4016 is set to YES: 4016 Setting in IMG BRM Setting Behavior During Provisioning 4016 YES Approval is configured Only the Approved version of the business roles is considered for provisioning. YES Approval is not configured Only the Complete version of the business roles is considered for provisioning. If 4016 is set to N0: 4016 Setting in IMG NO BRM Setting Not equal to Approval or Complete Behavior During Provisioning The system considers the current version of the business role when provisioning, irrespective of whether it is Approved or Complete. For more information, see SAP Note Exclude manual changes to role assignments or profiles from repository sync This parameter controls whether manual changes to role assignments and profiles done in SU01 and SU10 on the backend system are synched to the GRC repository. Set the parameter to No to include the manual changes to role assignments or profiles in the synch job. Set the parameter to Yes to exclude the manual changes to role assignments or profiles in the synch job. For more information, see SAP Note NO July 2017 Page 125 of 155

134 1.21 Management Dashboard Reports The Management Dashboard Reports parameters set defaults for the Access Dashboard reports. Overview of Management Dashboard Reports Parameters Parameter ID Description 1047 Default Management Report Violation Count P 1049 Default Management Report Risk Type ALL Details of Management Dashboard Reports Parameters Default Management Report Violation Count Default Value This parameter is used by the Access Risk Violations Dashboard. It controls the default behavior for how the application displays the violation count. The possible values are P and R. If the parameter is set to P, the application displays the violation count by permission as shown in the example below. If the parameter is set to R, the application displays the violation count by access risk level. P 1047 July 2017 Page 126 of 155

135 1049 Default Management Report Risk Type Management reports consider all three types of access risk types. SOD, Critical Actions and Critical Permission. The inclusion of all risk types does pie chart calculations for all the management reports: Risk Violations, User Analysis and Role Analysis. This parameter provides a way to restrict the access risk types in the management reports. ALL If parameter 1049 is set to *, all three types of access risk types are captured. If parameter 1049 is set to 1, Segregation of Duties will be captured. If parameter 1049 is set to 2, Critical Actions will be captured. If parameter 1049 is set to 3, Critical Permissions will be captured. July 2017 Page 127 of 155

136 1.22 Access Request Validations The Access Request Validations parameters allow you to make decisions about how to process User Access Reviews. Overview of Access Request Validations Parameters Parameter ID Description 5021 Validate the manager ID for the specified User ID YES 5022 Consider the password change in access request YES 5023 Consider details from multiple data sources for missing user details in access requests 5024 Enable in-line editing for user group and parameters in Access Request 5026 Make system and provisioning actions visible for filtering user assignments for model users Default Value 5027 Default value for filtering by system <empty> 5028 Default value for filtering by provisioning action <empty> NO NO NO Details of Access Request Validations Parameters Validate the manager ID for the specified User ID YES The application allows you to choose whether to validate the manager ID against the specified user ID when submitting an access request. The application takes the value from the Manager field on the Access Request > User Details page, and checks it against the information from table USR01 in the current system. Set the value to Yes to enable the validation. Set the value to No to disable the validation July 2017 Page 128 of 155

137 Consider the password change in access request YES On the Access Request screen, users can change their account information including their password. When the request is created and approved, the application sends an notification to the user. Set the value to YES to allow users to change passwords in the request. Set the value to NO to prevent users from changing their passwords in the request. For more information, see SAP Note July 2017 Page 129 of 155

138 Consider details from multiple data sources for missing user details in access requests NO This parameter controls where the system looks for user details when an access request is created using the standard access request method. It does not apply to access requests that are created using templates. The possible values are YES or NO The User Details are defined in the SAP IMG under Governance, Risk, and Compliance Access Control Maintain Data Sources Configuration : (cont.) July 2017 Page 130 of 155

139 (cont.) July 2017 Page 131 of 155

140 The application only searches the entries for User Detail Data Sources. There can be several entries in this table. If the parameter is set to NO, the application obtains the user details from the first connector (User Detail Data Source) where the user exists. It does not check if the user exists in any additional connectors even if it needs more details. If the parameter is set to YES, the application searches the user details of all data sources where the user exists. For example, if the application finds only partial data from the first data source, it continues to retrieve data from additional data sources until there are no more data sources or until the data for the user is complete. July 2017 Page 132 of 155

141 Enable in-line editing for user group and parameter in access request. This parameter applies to the Access Request screen. It enables you to choose whether or not users may freely enter values on the User Group and Parameter tabs or whether they must choose from predetermined values. Set the value to Yes to allow users to enter any value on the screen. Set the value to No to force users to choose from predetermined values NO Make system and provisioning actions visible for filtering user assignments for model users. (cont.) NO July 2017 Page 133 of 155

142 Parameter 5026 allows Access Control to display system and provisioning actions that you can use to filter user assignments for model users. You must enter a value or YES or NO. If you choose NO, the Model User Access screen looks like this: If you choose YES, the Model User Access screen looks like this: Recommendation If this parameter is set to YES, review parameters 5027 and July 2017 Page 134 of 155

143 Default value for filtering by system <empty> This parameter applies to the Model User Access screen. It enables you to choose a default system for filtering when you define the user access. Valid values are any systems in your landscape. If you leave the field empty, the user access is not filtered by the system. Note: This parameter is only valid if parameter 5026 is set to YES July 2017 Page 135 of 155

144 Default value for filtering by provisioning action <empty> This parameter applies to the Model User Access screen. It enables you to choose a default provisioning action for filtering when you define the user access. Valid values are Assign, Remove, Retain, and <empty>. If you leave the field empty, the user access is not filtered by the provisioning action. Note: This parameter is only valid if parameter 5026 is set to YES July 2017 Page 136 of 155

145 1.23 Simplified Access Request The Simplified Access Request parameters control how the Simplified Access Request screen functions. Overview of Simplified Access Request Parameters Parameter ID Description 5031 Enable Open in Advanced Mode option YES 5032 Disable Type-ahead search in Simplified Access Request NO Default Value Details of Simplified Access Request Parameters 5031 Enable Open in Advanced Mode option YES July 2017 Page 137 of 155

146 This parameter applies to the Simplified Access Request screen. It enables you to choose whether to display the button Open in Advanced Mode. Set the value to Yes if you want to display the button Open in Advanced Mode on the Simplified Access Request screen. Set the value to No if you do not want to display the button Open in Advanced Mode on the Simplified Access Request screen. If 5031=Yes, the screen display looks like the image below. The Open in Advanced Mode button is present. If 5031=No, the Open in Advanced Mode button is missing as shown in the image below: July 2017 Page 138 of 155

147 The screenshot below shows what users see if they select the Open in Advanced Mode button. (cont.) The screenshot below shows what users see if they select the Open in Advanced Mode button. Disable Type-ahead search in Simplified Access Request This parameter influences how the search function works when you search for roles during Simplified Access Request. NO 5032 When you choose the Select Roles for Addition button, you are given a choice to search by User, System, Role, or Key Word. You can also have the system anticipate your search value by setting the parameter value to No. Then, as you enter text, the system finds one or more possible matches for the text and presents these to you as choices. Set the parameter value to No if you want to use type-ahead search. July 2017 Page 139 of 155

148 Set the value to Yes if you do not want to use type-ahead search. The image below shows how you access the role search screen. (cont.) Choose a search key such as Role. Begin to type a value. As illustrated below, if parameter 5032 is set to NO, the system proposes possible values from which you can choose. July 2017 Page 140 of 155

149 1.24 Access Control General Settings The Access Control General Settings parameters allow customization for business-use. Overview of Access Control General Settings Parameters Parameter ID Description 2401 Allowed extensions for attachments * 2402 Display Change delegation link for delegated user if only GRC-AC application is active. Default Value YES Details of Access Control General Settings Parameters 2401 Allowed extensions for attachments * The application allows users to attach files. By default, it allows all file types. You can use this parameter to restrict the types of files users can attach. To restrict file types: 1. Enter the allowed file types in this parameter. Separate each file type by a comma. For example: docx, pdf, xlsx 2. Implement the BAdI GRFN_DOCUMENT to enable the logic and configure the wording for the error message. For more information, see SAP Note July 2017 Page 141 of 155

150 Display Change Delegation link for delegated user if only GRC-AC application is active. YES This parameter allows the administrator to hide the Change Delegation link from the enduser. For more information, see SAP Note NOTE: This parameter applies to Access Control only. Select YES to display the Change Delegation link. Select NO to hide the Change Delegation link July 2017 Page 142 of 155