
AC10 Config Settings SP17

Date post: 02-Jun-2018
Upload: spmeher
8/10/2019 AC10 Config Settings SP17 http://slidepdf.com/reader/full/ac10-config-settings-sp17 1/71

Maintaining Configuration Settings in Access Control

Applies to: SAP Access Control 10.0 SP17

Summary: This guide contains additional information about the implementation guide (IMG) parameters used when configuring Access Control.

Created: October 2014

Version 1.90

© 2014 SAP AG


Document History

Document Version | Description
1.00 | Initial release
1.10 | SP07 Updates
1.20 | Changed all occurrences of Superuser Privilege Management or SPM to Emergency Access Management or EAM. In section 1.0 Maintain Configuration Settings, added parameter groups 16, 20, 21, 22. Added the following parameters: 1048, 2042, 2044, 2045, 2046, 2052, 3025, 4011, 4013, 4014, 5001, 5021.
1.30 | SP09 Updates: Changed the following parameters: 1073, 5001 (deleted excess screenshot), 5022, 5023. Updated SAP branding changes: removed references to SAP BusinessObjects Access Control and SAP GRC Access Control.
1.40 | SP10 Updates: Changed the following parameters: 1027, 4015, 3005.
1.50 | SP10 Updates: Changed the following parameters: 3026, 5024.


1.60 | SP11 Updates: Added the following parameter: 1049. Changed the following parameter: 1023. Removed parameter 4016.
1.70 | SP12 Updates: Added the following parameter: 4012.
1.80 | SP13 Updates: Added the following parameter: 4017, 4019.
1.90 | SP17 Updates: Added the following parameter: 1015.


Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Description
Caution
Note or Important
Example
Recommendation or Tip


Table of Contents

1. Maintain Configuration Settings
1.1 Standard Settings
1.2 Activities
1.3 Details of Configuration Parameters
2. Copyright


1. Maintain Configuration Settings

This document covers the use of the Customizing activity Maintain Configuration Settings under Governance, Risk and Compliance > Access Control.

In this Customizing activity, you maintain the global configuration settings and parameters used in the access control application.

The activity includes settings for the following parameter groups:

01 Change Log
02 Mitigation
03 Risk Analysis
04 Risk Analysis - Spool
05 Workflow
06 Emergency Access Management
07 UAR Review
08 Performance
09 Risk Analysis - Access Request
10 Role Management
11 Risk Analysis - Risk Terminator
12 Access Request Role Selection
13 Access Request Default Roles
14 Access Request Role Mapping
15 SOD Review
16 LDAP
17 Assignment Expiry
18 Access Request Training Verification
19 Authorizations
20 Access Request Business Role
21 Management Dashboard Reports
22 Access Request Validations

1.1 Standard Settings

The following table lists the delivered parameters and default values.

Note: Values labeled as <empty> have no default value.

Parameter Group | Parameter ID | Description | Default Value
Change Log | 1001 | Enable Function Change Log | YES
Change Log | 1002 | Enable Risk Change Log | YES
Change Log | 1003 | Enable Organization Rule Log | YES
Change Log | 1004 | Enable Supplementary Rule Log | YES
Change Log | 1005 | Enable Critical Role Log | YES
Change Log | 1006 | Enable Critical Profile Log | YES
Change Log | 1007 | Enable Rule Set Change Log | YES
Change Log | 1008 | Enable Role Change Log | YES
Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365
Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO


Mitigation | 1013 | Consider System for mitigation assignment | NO
Mitigation | 1015 | Enable Invalid Mitigation Report from management summary | NO
Risk Analysis | 1021 | Consider Org Rules for other applications | NO
Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | <empty>
Risk Analysis | 1023 | Default report type for risk analysis | 2
Risk Analysis | 1024 | Default risk level for risk analysis | 3
Risk Analysis | 1025 | Default rule set for risk analysis | <empty>
Risk Analysis | 1026 | Default user type for risk analysis | A
Risk Analysis | 1027 | Enable Offline Risk Analysis | NO
Risk Analysis | 1028 | Include Expired Users | NO
Risk Analysis | 1029 | Include Locked Users | NO
Risk Analysis | 1030 | Include Mitigated Risks | NO
Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES
Risk Analysis | 1032 | Include Reference user when doing user analysis | YES
Risk Analysis | 1033 | Include Role/Profile Mitigating Controls in Risk Analysis | YES
Risk Analysis | 1034 | Max number of objects in a package for parallel processing | 100
Risk Analysis | 1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
Risk Analysis | 1036 | Show all objects in Risk Analysis | NO
Risk Analysis | 1037 | Use SoD Supplementary Table for Analysis | YES
Risk Analysis | 1046 | Extended objects enabled connector | <empty>
Risk Analysis | 1048 | Business View for Risk Analysis is Enabled | <empty>
Management Dashboard Reports | 1049 | Default Management Report Risk Type | <empty>
Risk Analysis - Spool | 1051 | Max number of objects in a file or database record | 200000
Risk Analysis - Spool | 1052 | Spool File Location | <empty>
Risk Analysis - Spool | 1053 | Spool Type | D
Workflow | 1061 | Mitigating Control Maintenance | NO
Workflow | 1062 | Mitigation Assignment | NO
Workflow | 1063 | Risk Maintenance | NO

Workflow | 1064 | Function Maintenance | NO
Risk Analysis - Access Request | 1071 | Enable risk analysis on form submission | NO

Risk Analysis - Access Request | 1072 | Mitigation of critical risk required before approving the request | NO
Risk Analysis - Access Request | 1073 | Enable SoD violations detour on risks from existing roles | NO
Risk Analysis - Risk Terminator | 1080 | Connector enabled for Risk Terminator | <empty>
Risk Analysis - Risk Terminator | 1081 | Enable Risk Terminator for PFCG Role Generation | NO
Risk Analysis - Risk Terminator | 1082 | Enable Risk Terminator for PFCG User Assignment | NO
Risk Analysis - Risk Terminator | 1083 | Enable Risk Terminator for SU01 Role Assignment | NO
Risk Analysis - Risk Terminator | 1084 | Enable Risk Terminator for SU10 multiple User Assignment | NO
Risk Analysis - Risk Terminator | 1085 | Stop role generation if violations exist | NO
Risk Analysis - Risk Terminator | 1086 | Comments are required in case of violations | NO
Risk Analysis - Risk Terminator | 1087 | Send Notification in case of violations | NO
Risk Analysis - Risk Terminator | 1088 | Default report type for Risk Terminator | 2
Authorizations | 1100 | Enable authorization logging | NO
Workflow | 1101 | Create Request for Risk Approval | 12
Workflow | 1102 | Update Request for Risk Approval | 13
Workflow | 1103 | Delete Request for Risk Approval | 14
Workflow | 1104 | Create Request for Function Approval | 15
Workflow | 1105 | Update Request for Function Approval | 16
Workflow | 1106 | Delete Request for Function Approval | 17
Workflow | 1107 | Create Request for Mitigation Assignment Approval | 18
Workflow | 1108 | Update Request for Mitigation Assignment Approval | 19
Workflow | 1109 | Delete Request for Mitigation Assignment Approval | 20
Workflow | 1110 | High | 2
Workflow | 1111 | High | 3
Workflow | 1112 | High | 4
Workflow | 1113 | Access Control E-mail Sender | WF-BATCH
Performance | 1120 | Batch size for Batch Risk Analysis | 1000


Performance | 1121 | Batch size for User Sync | 1000
Performance | 1122 | Batch size for Role Sync | 1000
Performance | 1123 | Batch size for Profile Sync | 1000
UAR Review | 2004 | Request Type for UAR | <empty>
UAR Review | 2005 | Default Priority | 005
UAR Review | 2006 | Who are the reviewers? | MANAGER
UAR Review | 2007 | Admin. review required before sending tasks to reviewers | YES
Access Request Default Roles | 2009 | Consider Default Roles | YES
Access Request Default Roles | 2010 | Request type for default roles | <empty>
Access Request Default Roles | 2011 | Default Role Level | <empty>
Access Request Default Roles | 2012 | Role Attributes | <empty>
Access Request Default Roles | 2013 | Request Attributes | <empty>
Access Request Role Mapping | 2014 | Enable Role Mapping | YES
Access Request Role Mapping | 2015 | Applicable to Role Removals | YES
SOD Review | 2016 | Request Type for SoD | <empty>
SOD Review | 2017 | Default priority for SoD | <empty>
SOD Review | 2018 | Who are the reviewers? | MANAGER
SOD Review | 2019 | Admin. review required before sending tasks to reviewers | YES
SOD Review | 2023 | Is actual removal of role allowed? | YES
Access Request Training Verification | 2024 | Training and verification | <empty>
Access Request Role Selection | 2031 | Allow All Roles for Approver | YES
Access Request Role Selection | 2032 | Approver Role Restriction Attribute | <empty>
Access Request Role Selection | 2033 | Allow All Roles for Requestor | YES
Access Request Role Selection | 2034 | Requestor Role Restriction Attribute | <empty>
Access Request Role Selection | 2035 | Allow Role Comments | YES
Access Request Role Selection | 2036 | Role Comments Mandatory | YES
Access Request Role Selection | 2037 | Display expired roles for existing roles | YES


Access Request Role Selection | 2038 | Auto Approve Roles without Approvers | YES
Access Request Role Selection | 2039 | Search Role by Transactions from Backend System | NO
Access Request Role Selection | 2040 | Assignment Comments mandatory on rejection | NO
Assignment Expiry | 2041 | Duration for assignment expiry in Days | <empty>
Access Request Role Selection | 2042 | Visibility of Valid from/Valid to for profiles | 0
Access Request Role Selection | 2044 | Display profiles in Existing Assignments, My Profile and Model User | YES
Access Request Role Selection | 2045 | Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile | 010
Access Request Role Selection | 2046 | Field type for business process and system fields in access request role search | 0
Performance | 2050 | Enable Realtime LDAP Search for Access Request User | NO
Performance | 2051 | Enable User ID Validation in Access Request Against Search Data Sources | NO
LDAP | 2052 | Use LDAP domain forest | NO
Role Management | 3000 | Default Business Process | <empty>
Role Management | 3001 | Default Subprocess | <empty>
Role Management | 3002 | Default Criticality Level | <empty>
Role Management | 3003 | Default Project Release | <empty>
Role Management | 3004 | Default Role Status | <empty>
Role Management | 3005 | Reset Role Methodology when Changing Role Attributes | NO
Role Management | 3006 | Allow add functions to an authorization | YES
Role Management | 3007 | Allow editing organizational level values for derived roles | NO
Role Management | 3008 | A ticket number is required after authorization data changes | YES
Role Management | 3009 | Allow Role Deletion from back-end system | YES
Role Management | 3010 | Allow attaching files to the role definition | YES
Role Management | 3011 | Conduct Risk Analysis before Role Generation | YES
Role Management | 3012 | Allow Role Generation on Multiple Systems | NO


Role Management | 3013 | Use logged-on user credentials for role generation | NO
Role Management | 3014 | Allow role generation with Permission Level violations | NO
Role Management | 3015 | Allow role generation with Critical Permission violations | NO
Role Management | 3016 | Allow role generation with Action Level violations | NO
Role Management | 3017 | Allow role generation with Critical Action violations | NO
Role Management | 3018 | Allow role generation with Critical Role/Profile violations | NO
Role Management | 3019 | Overwrite individual role Risk Analysis results for Mass Risk Analysis | NO
Role Management | 3020 | Role certification reminder notification | 10
Role Management | 3021 | Directory for mass role import server files | <empty>
Workflow | 3022 | Request Type for Role Approval | 21
Workflow | 3023 | Priority for Role Approval | 5
Workflow | 3024 | Enforce methodology process for derived roles during generation | YES
Role Management | 3025 | Allow selection of Org. Value Maps without leading org. | NO
Role Management | 3026 | Save Role Provisioning Details While Copying Role. | YES
Emergency Access Management | 4000 | Application Type | 1
Emergency Access Management | 4001 | Default Firefighter Validity Period (in days) | <empty>
Emergency Access Management | 4002 | Send E-mail Immediately | YES
Emergency Access Management | 4003 | Retrieve Change Log | YES
Emergency Access Management | 4004 | Retrieve System Log | YES
Emergency Access Management | 4005 | Retrieve Audit Log | YES
Emergency Access Management | 4006 | Retrieve O/S Command Log | YES
Emergency Access Management | 4007 | Send Log Report Execution Notification Immediately | YES
Emergency Access Management | 4008 | Send FirefightID Logon Notification | YES
Emergency Access Management | 4009 | Log Report Execution Notification | YES


Emergency Access Management | 4010 | Firefighter ID Role Name | ZSAP_GRAC_SMP_FFID
Access Request Business Role | 4011 | Allow deletion of technical roles if part of business roles | YES
Emergency Access Management | 4012 | Default users for forwarding the Audit Log workflow | 2
Emergency Access Management | 4013 | Firefighter ID owner can submit request for Firefighter ID owned | YES
Emergency Access Management | 4014 | Firefighter ID controller can submit request for Firefighter ID controlled | YES
Emergency Access Management | 4015 | Enable decentralized Firefighting | NO
Emergency Access Management | 4017 | Enable CUP request not to be shown in Firefighter - Firefighter ID/Role assignment screen | YES
Access Request Business Role | 4019 | Do not copy manual role assignment changes during repository sync. | NO
Change Log | 5001 | SLG1 Logs for HR Trigger | HIGH
Access Request Validations | 5021 | Validate the manager ID for the specified user ID. | YES
Access Request Validations | 5022 | Consider the password change in access request | YES
Access Request Validations | 5023 | Consider details from multiple data sources for missing user details in access requests | NO
Access Request Validations | 5024 | Enable in-line editing for user group and parameter in access request. | NO
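The delivered defaults in the table above can serve as a baseline when reviewing which parameters a system has changed. The following is an added example, not part of the SAP guide: it compares a constructed CSV export with the delivered defaults of the logging-related parameters and keeps every instance of a parameter that can be entered more than once (such as 1022). The CSV column layout, the function names and the connector NCACLNT002 are assumptions.

```python
import csv
import io
from collections import defaultdict

# Delivered defaults copied from the Standard Settings table ("" means <empty>).
# Subset only: change-log, authorization-logging and EAM log-retrieval
# parameters, plus 1022 as a parameter that can be entered more than once.
DELIVERED = {
    "1001": ("Enable Function Change Log", "YES"),
    "1002": ("Enable Risk Change Log", "YES"),
    "1003": ("Enable Organization Rule Log", "YES"),
    "1004": ("Enable Supplementary Rule Log", "YES"),
    "1005": ("Enable Critical Role Log", "YES"),
    "1006": ("Enable Critical Profile Log", "YES"),
    "1007": ("Enable Rule Set Change Log", "YES"),
    "1008": ("Enable Role Change Log", "YES"),
    "1022": ("Allow object IDs for this connector to be case sensitive", ""),
    "1100": ("Enable authorization logging", "NO"),
    "4003": ("Retrieve Change Log", "YES"),
    "4004": ("Retrieve System Log", "YES"),
    "4005": ("Retrieve Audit Log", "YES"),
    "4006": ("Retrieve O/S Command Log", "YES"),
}

# Constructed sample export, not data from a real system. The four-column
# CSV layout is an assumption; adapt load_export() to your own extract.
SAMPLE_EXPORT = """\
param_group,param_id,value,priority
Change Log,1001,YES,0
Change Log,1002,no,0
Risk Analysis,1022,NCACLNT001,0
Risk Analysis,1022,NCACLNT002,1
Emergency Access Management,4005,NO,0
Workflow,9999,X,0
"""


def load_export(text):
    """Return {param_id: [values...]}, keeping every instance of a parameter."""
    values = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        values[row["param_id"].strip()].append(row["value"].strip())
    return dict(values)


def compare(values):
    """Classify each known parameter as default, changed or not maintained.

    Also returns the IDs present in the export but absent from DELIVERED,
    so typos and parameters outside the baseline are not silently skipped.
    """
    findings = []
    for pid in sorted(DELIVERED):
        description, default = DELIVERED[pid]
        current = values.get(pid, [])
        if not current:
            status = "not maintained"
        elif [v.upper() for v in current] == [default]:
            status = "default"
        else:
            status = "changed"
        findings.append({"param_id": pid, "description": description,
                         "default": default or "<empty>",
                         "current": current, "status": status})
    unknown = sorted(set(values) - set(DELIVERED))
    return findings, unknown


def changed_ids(findings):
    """IDs whose maintained value differs from the delivered default."""
    return [f["param_id"] for f in findings if f["status"] == "changed"]


if __name__ == "__main__":
    findings, unknown = compare(load_export(SAMPLE_EXPORT))
    for f in findings:
        print(f'{f["param_id"]} {f["status"]:<14} default={f["default"]} '
              f'current={",".join(f["current"]) or "-"}  {f["description"]}')
    print("IDs not in the defaults table:", unknown)
```

Parameters reported as "not maintained" are listed separately rather than assumed to carry the delivered default.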


1.2 Activities

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.

2. In the Parameter ID column, select a parameter ID for use with the parameter group. The short description appears on the right-hand side.

3. Select a Parameter Value from the dropdown list, or enter values in the field.

4. In the Priority field, enter a number for the priority.

5. Choose Save.

1.3 Details of Configuration Parameters

The information in this section explains in further detail the configuration parameters. The table is formatted and ordered to match the table displayed in the actual Customizing activity. For each parameter, the table includes information about the purpose of the parameter, the available option values, and screenshots to provide context about how the parameter affects the application.

Note:

The application provides a standard set of work centers. However, your system administrator can customize them according to your company's corporate processes and structures. Additionally, Access Control is available both as a standalone application and as part of the GRC 10.0 application. Depending on the GRC applications you have licensed, different areas of the access control application are displayed. The navigation paths included in this document and in the screenshots may differ from yours.


# | Parameter Group | Parameter ID | Description | Default Value

1 | Change Log | 1001 | Enable Function Change Log | YES
Set to YES to display the Change History tab on the Function screen.

2 | Change Log | 1002 | Enable Risk Change Log | YES
Set to YES to display the Change History tab on the Access Risk screen.


3 | Change Log | 1003 | Enable Organization Rule Log | YES
Set to YES to display the Change History tab on the Organization Rules screen.

4 | Change Log | 1004 | Enable Supplementary Rule Log | YES
Set to YES to display the Change History tab on the Supplementary Rules screen.


5 | Change Log | 1005 | Enable Critical Role Log | YES
Set to YES to display the Change History tab on the Critical Role screen.

6 | Change Log | 1006 | Enable Critical Profile Log | YES
Set to YES to display the Change History tab on the Critical Profile screen.


7 | Change Log | 1007 | Enable Rule Set Change Log | YES
Set to YES to display the Change History tab on the Rule Sets screen.

8 | Change Log | 1008 | Enable Role Change Log | YES
Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.


9 | Mitigation | 1011 | Default expiration time for mitigating control assignments (in days) | 365
The default quantity of days you are allowed to mitigate any object (selection on service map). You can overwrite this quantity in the Valid To field.


10 | Mitigation | 1012 | Consider Rule ID also for mitigation assignment | NO
By default the application includes all rules when it mitigates the access risk.
Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.


11 | Mitigation | 1013 | Consider System for mitigation assignment | NO
Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

12 | Mitigation | 1015 | Enable Invalid Mitigation Report from management summary | NO
When this parameter is set to YES, then the Invalid Mitigation report can be run Offline. The Risk Analysis results for this report are extracted from the management summary table. The table is populated by running Batch Risk Analysis.


13 | Risk Analysis | 1021 | Consider Org Rules for other applications | NO
Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.


14 | Risk Analysis | 1022 | Allow object IDs for this connector to be case sensitive | <empty>
On the Risk Analysis screen you can perform risk analysis. You specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive.

In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.

Note: To enter more than one system or connector, enter additional instances of the parameter.


15 | Risk Analysis | 1023 | Default report type for risk analysis | 2
The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, and Permission Level.

This parameter allows you to choose one or more report types that are selected by default. It works as follows:

If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2, Permission Level.

If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values.

Note: In the IMG value cell, press F4 to display the available types, such as Permission Level, and so on.

The screenshot below shows the report being run with a default value of 2, Permission Level.

Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.


16 | Risk Analysis | 1024 | Default risk level for risk analysis | 3
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the Risk Level that is selected by default.

17 | Risk Analysis | 1025 | Default rule set for risk analysis | <empty>
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the Rule Set that is selected by default.

18 | Risk Analysis | 1026 | Default user type for risk analysis | A
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the User Type that is selected by default.

19 | Risk Analysis | 1027 | Enable Offline Risk Analysis | NO
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.
The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the Risk Analysis screen the Offline Data checkbox is empty by default.

20 | Risk Analysis | 1028 | Include Expired Users | NO
Set to YES to include expired users from plug-in systems for risk analysis.

21 | Risk Analysis | 1029 | Include Locked Users | NO
Set to YES to include locked users from plug-in systems for risk analysis.

22 | Risk Analysis | 1030 | Include Mitigated Risks | NO
The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.
Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to it. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected.


23 | Risk Analysis | 1031 | Ignore Critical Roles and Profiles | YES
Set the value to YES to exclude critical roles and profiles for risk analysis.

24 | Risk Analysis | 1032 | Include Reference user when doing user analysis | YES
Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

25 | Risk Analysis | 1033 | Include Role/Profile Mitigating Controls in Risk Analysis | YES
Set the value to YES to include the mitigating controls assigned to the user's roles and profiles for risk analysis.

26 | Risk Analysis | 1034 | Maximum number of objects in a package for parallel processing | 100
The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job.

For example, if there are 10,000 users to analyze and this value is 100, then 100 packages are created, each having 100 users. Each package is submitted to a separate background process which is available to the application via the application group.

If instead we specify that three background processes are available to GRAC_SOD, the 100 packages are submitted one by one to these processes: three packages initially, and then one at a time to each process as it completes its package execution.

Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, then the application ignores the parameter in this setting and uses the value 2 instead.


27 | Risk Analysis | 1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object is updated, such as the user/role.


28 | Risk Analysis | 1036 | Show all objects in Risk Analysis | NO
Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default.
The objects that do not have violations are displayed with the Action: No Violations.
Note: This setting applies to SoD Batch Risk Analysis.

29 | Risk Analysis | 1037 | Use SoD Supplementary Table for Analysis | YES
Set value to YES to use supplementary rules for SoD risk analysis.


# Parameter Group Parameter ID Descript ion Default Value

30

Risk Analysis 1046 Extended objects enabled connector <empty>

Extended objects are objects from non-SAP systems. This parameter allows you to specify the connectors for non-SAP systems.The connectors can have object lengths greater than SAP objects. For example, SAP User ID length is 12, but the extended object lengthmay be 50.

Note: You can set multiple connectors by adding multiple instances of the parameter.

31

Risk Analysis 1048 Business View for Risk Analysis is Enabled <empty>

The available values are Yes and No.

If the parameter is set to Yes, the system displays the Risk Violations tab when you create or approve a request as shown in the screenshot below.

32

Default Management Report 1049 Default Management Report Risk Type <empty>

Management reports consider all three access risk types: SoD, Critical Actions, and Critical Permissions. When all risk types are included, the pie chart calculations for all the management reports (Risk Violations, User Analysis, and Role Analysis) are done accordingly. This parameter provides a way to display the preferred access risk type in the management reports.

If parameter 1049 is set to *, all three types of access risk types are captured.

If parameter 1049 is set to 1, Segregation of Duties will be captured.

If parameter 1049 is set to 2, Critical Actions will be captured.

If parameter 1049 is set to 3, Critical Permissions will be captured.

33

Risk Analysis - Spool 1051 Max number of objects in a file or database record 200000

You can use this parameter to specify the maximum number of analytics data objects the application stores.

If parameter 1053 is set to F, the value is the maximum number of objects stored in the file.

If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table.

Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table.

Prerequisite: You have configured parameters 1052 and 1053.

34

Risk Analysis - Spool 1052 Spool File Location <empty>

You can specify the file location where the application stores the analytics data, such as \\<ip_address>\public\SoD\.

Note: This parameter is only valid if parameter 1053 is set to F.

Prerequisite: You have configured parameter 1053.


35

Risk Analysis - Spool 1053 Spool Type D

You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control, such as ad hoc SoD violations.

Set the value to F to store the data on the file system. (You set the file location in parameter 1052).

Set the value to D to store the data in the GRACSODREPDATA table.

Note:

You see the intermediate results while risk analysis is running. This gives you an opportunity to see if the desired records are createdand choose to stop or cancel the job.

If you change the location type (such as from D to F) in mid-course, the report will still read the previously generated files or database records. Index tables keep track of the source of the records when the data was generated.

If you cancel the job before the report is finished, you can still read the data to the point the files or database records were created.

36

Workflow 1061 Mitigating Control Maintenance NO

The application allows users to create and change mitigating controls.

Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action.

Note: On the Mitigating Control screen, the Create button is replaced by a Submit button.

You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver.

Figure B below shows you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).


37

Workflow 1062 Mitigation Assignment NO

The application allows users to mitigate risks for objects (user, role, profile, and so on). Set the value to YES to require the application to send an approval workflow item to the mitigating control approver. The screen displays a Submit button.

Note: You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Set the value to NO and the users can mitigate risks without approval. The screen displays a Save button.


38

Workflow 1063 Risk Maintenance NO

The application allows users to create and modify risks. Set the value to YES to require the application to send an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button.

Note: You can configure the role that receives the approval workflow item using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Set the value to NO and then users can create and modify risks without approval. The screen displays a Save button.


39

Workflow 1064 Function Maintenance NO

The application allows users to create and change functions.

Set the value to YES to require the application to send an approval workflow item to the specified workflow agent for approval when functions are created or modified.

Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.


40

Risk Analysis - Access Request 1071 Enable risk analysis on form submission NO

The application automatically performs risk analysis when the requestor submits the request.

Note: The risk analysis results are intended for the approver. Therefore, the risk analysis results appear on the approver’s screens but not on the requestor’s screens.

41

Risk Analysis - Access Request 1072 Mitigation of critical risk required before approving the request NO

Set the value to YES to require mitigation of Risks that are of the type Critical Access.

42

Risk Analysis - Access Request 1073 Enable SoD violations detour on risks from existing roles NO

If an SoD risk exists in an access request, the application considers it a special condition and sends it to a detour path in the workflow. SoD risks may arise from the new roles the user is requesting and they may arise from the existing roles that are already assigned to the user.

Set the value to YES and the application considers risks from new and existing roles for the detour.

Set the value to NO and the application considers risks only from new roles (and not existing roles) for the detour.

43

Risk Analysis - Risk Terminator 1080 Connector enabled for Risk Terminator <empty>

Enter the name of the connector in the value field to enable it for risk terminator.

You can enter multiple values by entering multiple instances of the parameter, as follows:

Note: The Plug-in Connector is maintained in parameter 1000. The GRC Connector is maintained in parameter 1001.


44

Risk Analysis - Risk Terminator 1081 Enable Risk Terminator for PFCG Role Generation NO

Set to YES to trigger the risk terminator service for PFCG Role Generation.

The Risk Terminator service is a tool that resides in the back end SAP ABAP system and notifies you when a risk violation occurs.

45

Risk Analysis - Risk Terminator 1082 Enable Risk Terminator for PFCG User Assignment NO

Set to YES to trigger the risk terminator service for PFCG User Assignment.

46

Risk Analysis - Risk Terminator 1083 Enable Risk Terminator for SU01 Role Assignment NO

Set to YES to trigger the risk terminator service for SU01 Role Assignment.

47

Risk Analysis - Risk Terminator 1084 Enable Risk Terminator for SU10 multiple User Assignment NO

Set to YES to trigger the risk terminator service for SU10 Multiple User Assignment.

48

Risk Analysis - Risk Terminator 1085 Stop role generation if violations exist NO

Set to YES so that the risk terminator service stops generating roles if violations exist.

49

Risk Analysis - Risk Terminator 1086 Comments are required in case of violations NO

Set the value to YES to require the user to enter comments if SoD violations are reported and the user wants to continue with role generation or role assignment.

50

Risk Analysis - Risk Terminator 1087 Send Notification in case of violations NO

Set the value to YES to enable the application to send e-mail notifications to the role owner when violations occur.

51

Risk Analysis - Risk Terminator 1088 Default report type for Risk Terminator 2

Select the default report type the risk terminator service uses to report SoD violations. Use F4 help to display the available report types.

52

 Authorizations 1100 Enable the authorization logging NO

If set to YES, the application logs all occurrences of insufficient authorizations on the GRC box in transaction SLG1. For example, an owner wants to perform an action and is missing the necessary authorizations.

53

Workflow 1101 Create Request for Risk Approval 12

Use F4 help and choose the request type the workflow uses to create requests for risk approval.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

This request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR.


54

Workflow 1102 Update Request for Risk Approval 13

Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

55

Workflow 1103 Delete Request for Risk Approval 14

Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

56

Workflow 1104 Create Request for Function Approval 15

Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

57

Workflow 1105 Update Request for Function Approval 16

Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

58

Workflow 1106 Delete Request for Function Approval 17

Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

59

Workflow 1107 Create Request for Mitigation Assignment Approval 18

Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

60

Workflow 1108 Update Request for Mitigation Assignment Approval 19

Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).


61

Workflow 1109 Delete Request for Mitigation Assignment Approval 20

Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID.

You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

(See also parameter 1101).

62

Workflow 1110 High 2

You use this parameter to set the default workflow request priority for Updating and Creating Risks. Use F4 help to display the list of available priorities.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_RISK_APPR to risk approval priorities.

63

Workflow 1111 High 3

You use this parameter to set the default workflow request priority for Creating and Updating Functions. Use F4 help to display the list of available priorities.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_FUNC_APPR to function approval priorities.

64

Workflow 1112 High 4

You use this parameter to set the default workflow request priority for Mitigation Control Assignments. Use F4 help to display the list of available priorities.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities.

65

Workflow 1113 Access Control E-mail sender WF-BATCH

The application uses the e-mail of this user as defined in SU01 to send the workflow e-mails to the approvers.

See the Access Control 10.0 Security Guide for information about required authorizations for the WF-BATCH user.

66

Performance 1120 Batch size for Batch Risk Analysis 1000

The application uses this value to determine the size of the batch when performing batch risk analysis. (See also parameter 1121 for an example).

67

Performance 1121 Batch size for User sync 1000

The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository.

For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000), and then processes the job in 10 batches of the range 0 to 1000, 1001 to 2000, and so on. Each batch is processed in its entirety before continuing with the next.

To synchronize users to the GRC AC Repository, you use the Customizing activity Repository Object Synch under Governance, Risks, and Compliance > Access Control > Synchronization Jobs.

68

Performance 1122 Batch size for Role sync 1000

The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.

69

Performance 1123 Batch size for Profile sync 1000

The application uses this value to determine the size of the batch when synchronizing profiles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.


70

UAR Review 2004 Request Type for UAR <empty>

All Request Types that are defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F4.

This is important for tagging the workflow in MSMP for UAR Review.

71

UAR Review 2005 Default Priority 005

You use this parameter to set the default priority for user access request reviews. Use F4 help to display the list of available priorities for UAR Requests.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In this example, priority IDs 10, 22, 24, and 36 are relevant for UAR Review.


72

UAR Review 2006 Who are the reviewers? MANAGER

Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE.

73

UAR Review 2007 Admin. review required before sending tasks to reviewers YES

Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. (You specify reviewers in parameter 2006).


74

 Access Request Default Roles 2009 Consider Default Roles YES

If set to YES, the application automatically adds the relevant Default Roles to the access request.

Prerequisites: You have maintained the following parameters as needed: 2011, 2012, and 2013.

In this example, the value for the attribute Functional Area maps to a relevant default role, so the application adds the role to the request.

75

 Access Request Default Roles 2010 Request type for default roles <empty>

Enter the request types that are relevant for default roles functionality. The application adds default roles only for the specified roles.

Enter multiple request types by adding additional instances of the parameter.

Use F4 help to display the available request types. You maintain the list of available request types in the Customizing activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.

See also parameters 2009, 2011, 2012, and 2013.


76

 Access Request Default Roles 2011 Default Role Level <empty>

Select which attribute type the application uses to determine the relevance of the default roles.

Role – The application uses the role attributes to determine the relevant default roles and adds the default roles at the time the user adds the roles to the request. That is, the user does see the added default roles at the time they create the request. You define the relevant role attributes in parameter 2012.

Request - The application uses the request attributes to determine the relevant default roles and adds the default roles when the request is displayed for the approver. That is, the user does not see the added default roles at the time they create the request. You define the relevant request attributes in parameter 2013.

In this example, the value is set to Request. The manager receives a request with the default role z_user_admin already added, because Functional Area is a relevant attribute.

In this example, the value is set to Role. On the request screen, the application shows the default roles as Existing and adds them to the request.


See also parameters 2009, 2010, 2012, and 2013.

77

 Access Request Default Roles 2012 Role Attributes <empty>

Enter the role attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter 2013.

You can add multiple role attributes by adding additional instances of the parameter.

See also parameters 2009, 2010, 2011, and 2013.


78

 Access Request Default Roles 2013 Request Attributes <empty>

Enter the request attributes the application considers for Default Role Attribute mapping. These are mutually exclusive of the request attributes maintained in parameter 2012.

You can add multiple role attributes by adding additional instances of the parameter.

See also parameters 2009, 2010, 2011, and 2012.

79

 Access Request Role Mapping 2014 Enable Role Mapping YES

The application allows you to assign roles as child roles (or map the roles). This allows anyone who is assigned this role to also be assigned the authorizations and access for the child roles.

Set the parameter value to YES to enable this functionality. The role mappings are applicable for provisioning access requests.

Note: On the Role Maintenance screen, you can select the Consider Parent Role Approver checkbox to use only the approvers associated with the parent roles and ignore any approvers associated with the child roles.

In the following example, the user is requesting the role BS_BS_123 of system GF1->GO7. The mapped role AC_C_ROLE1 is automatically added to the request. The user can choose to remove the role from the request.

Note: The Source System dropdown list is from the same landscape you chose on the Detail tab.

80

 Access Request Role Mapping 2015 Applicable to Role Removals YES

Set the value to YES to allow users to include mapped roles in requests for role removal.

For example, if a user creates a request to remove a role assigned to them, and the role has mapped roles, then the mapped roles are automatically included in the request. The user can choose to keep the mapped roles by deleting them from the removal request.

81

SOD Review 2016 Request Type for SoD <empty>

Use F4 help and select the request type when SoD review requests are created.

You maintain the list of available request type values in the Customizing activity Define Request Types under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.

82

SOD Review 2017 Default priority for SoD <empty>

Use F4 help and select the default priority used for SoD review requests.

You maintain the list of available priority values in the Customizing activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.


83

SOD Review 2018 Who are the reviewers? MANAGER

Select either Manager or Risk Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type. Managers receive review requests sorted by USER, and Risk Owners receive review requests sorted by Risk.

84

SOD Review 2019 Admin. review required before sending tasks to reviewers YES

Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. (You specify reviewers in parameter 2018).

85

SOD Review 2023 Is actual removal of role allowed YES

You use this parameter to configure whether the reviewers of SoD risks are allowed to remove the actual roles associated with a SoD risk or only propose removal of the roles.

Set value as NO
This is the default setting, and the recommended setting. On the SoD Review screen, the application displays the Propose Removal button. Reviewers can only propose the removal of roles associated with a SoD risk violation. The workflow goes to the security administrator who is able to view the source of the risk before deciding whether to remove the role.

Set value as YES
This setting is not recommended. On the SoD Review screen, the application displays the Remove Role button. This allows the reviewer to delete the roles directly without going through approval by the security administrator.

Warning: Reviewers do not have the ability to view the source of the risks and therefore risk deleting relevant roles.


86

Access Request Training Verification 2024 Training and verification <empty>

The application allows you to require that users complete specific training courses before the application provisions specific roles to them.

You enable this functionality by:

1. Setting training requirements (see Example 1 below)
2. Configuring MSMP routing rule
3. Configuring the data source systems for verifying if the training requirements are completed

Example 1: The user is requesting a role that has a TRAINING prerequisite, and Verify on Request is set to Yes. The application will not allow them to submit the request until all the prerequisites are met.

The application has a Routing rule for Training and Verification in MSMP (GRAC_MSMP_DETOUR_TRG_VERIF). The routing checks this parameter to determine the data source for verifying if the user has completed the training required for the roles they are requesting to add. If the required training is not completed for a particular role the application does not provision the role and, instead, sends the request to the routing path.

Leave the value field empty to disable the function. The workflow does not take any routing paths.

Set the value to BAdI and the application uses the specified BAdI to perform the verification.

Set the value to WS and the application uses the specified web service to perform the verification.

You specify the prerequisite system in the connector configuration. To configure the connectors, use the Customizing activity Maintain Connectors and Connector Types under Governance, Risk, and Compliance > Common Component Settings > Integration Framework. The connector must be of the type WS and associated with a logical port. You can define the logical port in transaction SOAMANAGER.

Prerequisite: You have implemented the BAdI or web service (WS) as needed.

Note: You can configure the routing in the Customizing activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

87

 Access Request Role Selection 2031 Allow All Roles for Approver YES

The application allows approvers to add additional roles to access requests when reviewing them.

Set the value to YES to allow approvers to view and select all roles.

Set the value to NO to restrict the roles the approvers can view and select for request creation. You specify the restriction criteria in parameter 2032.


88

 Access Request Role Selection 2032 Approver Role Restriction Attribute <empty>

The application allows approvers to add additional roles to access requests when reviewing them. You can restrict the roles approvers can view and select for request creation.

Set the value to A to Restrict on Role Approver. Approvers can view and select only those roles for which they are the role approver.

Set the value to B to Restrict on Business Process. Approvers can view and add only those roles with business process attributes that match those in the request.

Set the value to F to Restrict on Functional Area. Approvers can view and add only those roles with functional area attributes that match those in the request.

Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the application ignores the restrictions specified here.

You can add multiple restriction values by adding additional instances of the parameter.

89 | Access Request Role Selection | 2033 | Allow All Roles for Requestor | YES

Set the value to YES to allow the user to view all roles for request creation.

Set the value to NO to restrict the roles the user can view for request creation. You specify the restriction criteria in parameter 2034.


90 | Access Request Role Selection | 2034 | Requestor Role Restriction Attribute | <empty>

This parameter allows you to require that, for access request creation, the application displays only the roles that have attributes that match the specified requestor attributes.

Set the value to B to Restrict on Business Process. The application displays only the roles that match the requestor’s business process attribute.

Set the value to F to Restrict on Functional Area. The application displays only the roles that match the requestor’s functional area attribute.

Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If parameter 2033 is set to YES, the application ignores the restrictions specified here.

You can add multiple restriction values by adding additional instances of the parameter.

91 | Access Request Role Selection | 2035 | Allow Role Comments | YES

Set value to YES to allow the user to enter Role Comments when creating access requests.

92 | Access Request Role Selection | 2036 | Role Comments Mandatory | YES

Set value to YES to require Role Comments when creating access requests.

Note: This is a GLOBAL setting and is required for all roles included on requests. Mandatory comments can also be determined at the individual role level.

Prerequisite: Parameter 2035 must be set to YES.
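The prerequisites stated for parameters 2031 to 2036 can be checked mechanically, for example before a configuration change is transported. The following Python script is an added example, not part of the SAP guide; the (parameter ID, value) row format, the finding codes and all function names are assumptions for illustration, and the sample rows are constructed.

```python
from collections import defaultdict

# Default values as listed in the guide for parameters 2031-2036.
DEFAULTS = {"2031": "YES", "2032": "", "2033": "YES",
            "2034": "", "2035": "YES", "2036": "YES"}

YES_NO = {"YES", "NO"}
# Values the guide documents for each parameter.
ALLOWED = {
    "2031": YES_NO, "2033": YES_NO, "2035": YES_NO, "2036": YES_NO,
    "2032": {"A", "B", "F"},  # role approver, business process, functional area
    "2034": {"B", "F"},       # business process, functional area
}
# Restriction attribute -> switch that must be NO for the restriction to apply.
RESTRICTION_SWITCH = {"2032": "2031", "2034": "2033"}

# Constructed sample export (hypothetical format): one row per parameter instance.
SAMPLE_ROWS = [
    ("2032", "A"), ("2032", "B"),   # restriction set, but 2031 left at its default
    ("2033", "NO"), ("2034", "A"),  # "A" is documented for 2032 only
    ("2035", "no"), ("2036", "YES"),
]


def load(rows):
    """Group (parameter_id, value) rows; one parameter may have several instances."""
    values = defaultdict(list)
    for pid, val in rows:
        val = (val or "").strip().upper()
        if val:
            values[str(pid).strip()].append(val)
    return dict(values)


def effective(values, pid):
    """First configured instance of a parameter, or the guide's default."""
    return values[pid][0] if values.get(pid) else DEFAULTS[pid]


def audit(rows):
    """Return (parameter_id, code, message) findings for parameters 2031-2036."""
    values = load(rows)
    findings = []

    # 1. Values outside the documented set.
    for pid in sorted(ALLOWED):
        for val in values.get(pid, []):
            if val not in ALLOWED[pid]:
                findings.append((pid, "INVALID_VALUE",
                                 f"{val!r} is not one of {sorted(ALLOWED[pid])}"))

    # 2. Restriction attributes versus their "allow all roles" switch.
    for restr, switch in sorted(RESTRICTION_SWITCH.items()):
        criteria = [v for v in values.get(restr, []) if v in ALLOWED[restr]]
        state = effective(values, switch)
        if criteria and state == "YES":
            findings.append((restr, "IGNORED",
                             f"{criteria} has no effect while {switch} is YES"))
        elif not criteria and state == "NO":
            findings.append((switch, "NO_CRITERIA",
                             f"{switch} is NO but {restr} has no valid value; review"))

    # 3. Mandatory role comments need role comments to be allowed.
    if effective(values, "2036") == "YES" and effective(values, "2035") != "YES":
        findings.append(("2036", "PREREQ_NOT_MET",
                         "2036 is YES but prerequisite 2035 is not YES"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(*finding, sep=" | ")
```

The IGNORED finding is the one most worth reviewing: a restriction attribute maintained in 2032 or 2034 narrows nothing while the corresponding switch is still at its default of YES.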


93 | Access Request Role Selection | 2037 | Display expired roles for existing roles | YES

Set the value to YES to include the roles for which the user assignment is expired when the user chooses the Existing Assignment button on the Access Request.

94 | Access Request Role Selection | 2038 | Auto Approve Roles without Approvers | YES

Set the value to YES to allow the application to automatically approve access requests for roles without role owners.

95 | Access Request Role Selection | 2039 | Search Role by Transactions from Backend System | NO

Set the value to NO to allow users to search for roles using the role information in the GRC AC Repository.

Set the value to YES to allow users to search for roles by transactions on a specific backend system in real time. This has the following effect:

It adds the Transaction from Backend System criteria to the Select Roles screen.

It makes the System criteria mandatory.

It fetches role information from the specified system in real time, which may have an effect on performance.


96 | Access Request Role Selection | 2040 | Assignment comments mandatory on rejection | NO

The available values are Yes and No.

If the value is set to No, when you open an access request, you are not required to enter a comment if you reject a role or system assignment.

If the value is set to Yes, you must enter a value if you reject a role or system assignment.

97 | Assignment Expiry | 2041 | Duration for assignment expiry in Days | <empty>

On the My Profile and Existing Assignment screens, the application displays the Status field for the roles. Roles that are about to expire display the status of Expiring. You use this parameter to specify the timeframe (in days) that triggers the application to display the status as Expiring.

In the following example, the My Profile and Existing Assignment screens will show the status of Expiring for all roles assigned to the user that are about to expire in 1 to 45 days.

98 | Access Request Role Selection | 2042 | Visibility of Valid from/Valid to for profiles | 0

The available values are: 0, 1, 2, 3, 4

The effect on the user experience is based on the value the user selects: the visibility of dates and the editable property of the Valid from and Valid To fields depend on the value selected for the parameter, as indicated in the screen shots below.


99 | Access Request Role Selection | 2044 | Display profiles in Existing Assignments, My Profile, and Model User | YES

The available values are: Yes and No.

Based on the parameter value, the system displays or hides Profiles for Existing Assignments, My Profile, and Model User as illustrated by the screen shots below.


100 | Access Request Role Selection | 2045 | Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile | 010

The available values are: 006, 009, 010

Based on the parameter value, the provisioning action is set for roles/profiles/FFID from existing assignments and My Profile as indicated in the screen shots below.


100 | Access Request Role Selection | 2046 | Field type for business process and system fields, in access request role search | 0

This parameter allows you to choose the field type for the Business Process and System search criteria on the Access Request Role Search screen. You can choose the field types as a Text field with F4 help or a dropdown list.

Set the value to 0 to display the field types for both Business Process and System as a text field. (See example below.)

Set the value to 1 to display the Business Process field as a dropdown list, and the System field as a text field.

Set the value to 2 to display the Business Process field as a text field, and the System field as a dropdown list.

Set the value to 3 to display both the Business Process and System fields as a dropdown list.

101 | Performance | 2050 | Enable Realtime LDAP Search for Access Request User. | NO

If set to YES, the application searches for the access request user on the specified LDAP source and in real time.

Prerequisite: You have specified the data source as LDAP, or else the application ignores this parameter.

Note: Be aware that because the search is performed in real time, it impacts performance.

102 | Workflow | 2051 | Enable User ID Validation in Access Request against Search Data Sources | NO

If set to YES, the application validates that the UserID exists on the specified source system. If the user does not exist, the application does not allow the request to continue.

The validation is performed when you choose Submit or press Enter.


103 | LDAP | 2052 | Use LDAP domain forest | NO

The available values are Yes and No.

The effect on the user experience is based on the value set in configuration. If the value is Yes, users can search from multiple domains when the user data source is LDAP.

104 | Role Management | 3000 | Default Business Process | <empty>

Select the business process the application displays by default on the Role Import screen. Use F4 help to display the available business processes.

You maintain the list of business processes in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control.

105 | Role Management | 3001 | Default Subprocess | <empty>

Select the subprocess the application displays by default on the Role Import screen. Use F4 help to display the available subprocesses.

You maintain the list of subprocesses in the Customizing activity Maintain Business Processes and Subprocesses under Governance, Risk and Compliance > Access Control.

106 | Role Management | 3002 | Default Criticality Level | <empty>

Select the criticality level the application displays by default on the Role Import screen. Use F4 help to display the available criticality levels.

You maintain the list of subprocesses in the Customizing activity Specify Criticality Level under Governance, Risk and Compliance > Access Control > Role Management.

107 | Role Management | 3003 | Default Project Release | <empty>

Select the project release the application displays by default on the Role Import screen. Use F4 help to display the available project releases.

You maintain the list of project releases in the Customizing activity Maintain Project and Product Release Name under Governance, Risk and Compliance > Access Control > Role Management.

108 | Role Management | 3004 | Default Role Status | <empty>

Select the role status the application displays by default on the Role Import screen. Use F4 help to display the available role status.

You maintain the list of project releases in the Customizing activity Maintain Role Status under Governance, Risk and Compliance > Access Control > Role Management.

109 | Role Management | 3005 | Reset Role Methodology when Changing Role Attributes | NO

This parameter determines whether the role methodology step is reset to the first step (Definition) after a mass update. It is particularly useful to avoid creating mass approval requests. When approvals are not required, we recommend that you set the parameter to No to leave the role methodology intact at the current step. Setting it to Yes causes the system to create one approval request for each role updated.


110 | Role Management | 3006 | Allow add functions to an authorization | YES

Set the value to YES to display the Add/Delete Function button on the Maintain Authorizations tab of the Role Maintenance screen.

111 | Role Management | 3007 | Allow editing organizational level values for derived roles | NO

The maintenance screen for derived roles displays organizational levels from the parent role.

Set the value to YES to allow the derived roles to change the values for the organizational levels.

112 | Role Management | 3008 | A ticket number is required after authorization data changes | YES

Set the value to YES to require a ticket number when role authorizations are modified in PFCG and the user chooses the Synch with PFCG button.

Note: The Ticket Number field is a free text entry field. The application only provides the field and does not have any specific requirements. You can enter information appropriate for your company’s change request processes.


113 | Role Management | 3009 | Allow Role Deletion from back-end system | YES

Set the value to YES to allow users the option to delete roles from both Access Control and relevant plug-in systems. Setting this value to Yes deletes the roles individually in each of the systems where the role resided. For example, the role is DELETED directly from PRD instead of having a delete request transported through CTS.

Set the value to NO to allow users to delete roles only from Access Control.

114 | Role Management | 3010 | Allow attaching files to the role definition | YES

Set the value to YES to allow users to attach files by displaying the Attachments tab on the Role Maintenance screen.


115 | Role Management | 3011 | Conduct Risk Analysis before Role Generation | YES

Set the value to YES to automatically perform risk analysis when the user generates roles.

116 | Role Management | 3012 | Allow Role Generation on Multiple Systems | NO

Set the value to YES to allow users to select multiple systems when generating roles. The application displays systems in the landscape which are available for role generation action.


117 | Role Management | 3013 | Use logged-on user credentials for role generation | NO

When generating a role, the application connects to back-end systems to push the authorization data. The application needs a username/password to open the connection to the back-end ERP system. You can use this parameter to specify whether the application uses a generic username/password for all role generation connections to the ERP system, or the username/password of the person generating the role.

Set the value to NO to use a generic username/password for the connection to the ERP system.

You maintain the generic username/password for the connector in the Customizing activity Create Connectors under Governance, Risk, and Compliance > Common Component Settings > Integration Framework.

Set the value to YES to allow the application to use the username/password of the person who is generating the role.

The advantage of setting this parameter to Yes is that when someone opens a role in the ERP system, they can view exactly who generated it. If the parameter is set to No they can see only that the connector, with the generic username/password, has generated it.

118 | Role Management | 3014 | Allow role generation with Permission Level violations | NO

Set the value to YES to allow the application to generate roles even if Permission Level violations are present.

Set the value to NO to prohibit role generation if permission level violations are present.

119 | Role Management | 3015 | Allow role generation with Critical Permission violations | NO

Set the value to YES to allow the application to generate roles even if permission level violations are present.

Set the value to NO to prohibit role generation if permission level violations are present.

120 | Role Management | 3016 | Allow role generation with Action Level violations | NO

Set the value to YES to allow the application to generate roles even if action level violations are present.

Set the value to NO to prohibit role generation if action level violations are present.

121 | Role Management | 3017 | Allow role generation with Critical Action violations | NO

Set the value to YES to allow the application to generate roles even if critical action violations are present.

Set the value to NO to prohibit role generation if critical action violations are present.

122 | Role Management | 3018 | Allow role generation with Critical Role/Profile violations | NO

Set the value to YES to allow the application to generate roles even if critical role/profile violations are present.

Set the value to NO to prohibit role generation if critical role/profile violations are present.


123 | Role Management | 3019 | Overwrite individual role Risk Analysis results for Mass Risk Analysis | NO

The application allows you to perform ad hoc risk analysis for multiple roles under Access Management > Role Mass Maintenance > Run Risk Analysis. The application stores the results of the analysis. (See also parameters 1052, 1053). When you next perform mass risk analysis, the application searches the stored data to determine if there are previous risk analysis results for each role. You can choose whether or not the application overwrites the risk analysis results.

Set the parameter value to YES to overwrite previous results.

Set the parameter value to NO to not overwrite previous results.

Note: This is done per individual role; it does not automatically overwrite the results for all roles.


124 | Role Management | 3020 | Role certification reminder notification | 10

You use this parameter to set how many days prior to the Next Certification date the application sends a reminder to the role owner.

For example, if the next certification is June 15, xxxx, and this parameter value is 10, then the application sends the reminder notification to the role owner on June 5, xxxx.

You set the Certification Period in Days and Next Certification date in the Define Role phase, on the Properties tab.

Note – Additional information about Certification Notifications:

You can use the following Customizing activities to maintain custom notification e-mails under Governance, Risks, and Compliance > Access Control > Workflow for Access Control:

Maintain Custom Notification Messages

Maintain Text for Custom Notification Messages

Maintain Background Job for E-mail Reminders

The following is an example of a notification e-mail:

The application provides notification templates. You can choose to assign your own custom notification templates in the Customizing activity Maintain Custom Notification Messages under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

You can customize the notification text by using the Customizing activity Maintain Text for Custom Notification Messages under Governance, Risks, and Compliance > Access Control > Workflow for Access Control.


128 | Role Management | 3024 | Enforce methodology process for derived roles during generation | YES

You use this parameter to determine the derived roles displayed in the role generation phase of the master role.

Set the value to YES to display only the derived roles that reach the role generation phase of the methodology process.

Set the value to NO to display all derived roles, regardless of their phase in the methodology process.

In the following example, Figure A shows five derived roles available; two of the roles are in Role Generation phase.

Figure B shows that if the value is set to YES, only the two roles in Role Generation phase are displayed.


129 | Role Management | 3025 | Allow selection of Org. Value Maps without leading org. | NO

You use this parameter to determine if users may derive roles by using Org Value Maps that do not contain a leading organization.

Set the value to YES to allow role derivation using Org Value Maps that do not contain a leading organization.

Set the value to NO to require that role derivation is performed using Org Value Maps that do contain a leading organization.

Single Role Derivation

Choose Access Management > Role Management > Role Search > Search and open any role.

Go to the role derivation phase and choose Derive.

If the AC Configuration parameter 3025 = YES, the screen appears as below:

If the AC Configuration parameter 3025 = NO, the screen appears as below:


Mass Role Derivation

Choose Access Management > Role Mass Maintenance > Role Derivation.

Search and select any map and choose Next to go to the Select Master Role screen.

If the AC Configuration parameter 3025 = YES, the screen appears as below:

If the AC Configuration parameter 3025 = NO, the screen appears as below:


130 | Role Management | 3026 | Save Role Provisioning Details While Copying Role | Yes

You use this parameter to specify whether or not you wish to copy the role details such as the system validity period when copying roles.

The default value is YES – copy the details when creating a new role.

131 | Emergency Access Management | 4000 | Application type | 1

You use this parameter to set the firefighting configuration:

Choose 1 for ID-based firefighting.

Choose 2 for Role-based firefighting.

132 | Emergency Access Management | 4001 | Default Firefighter Validity Period (Days) | <empty>

Set the default validity period (in days) of Firefighter ID assignments to a Firefighter.

Note: This is only the default period. You can override the validity period for each assignment as needed in the front-end.


133 | Emergency Access Management | 4002 | Send E-mail Immediately | YES

The application sends e-mail notifications to the controller.

Set the value to YES to send the e-mail notifications immediately.

Set the value to NO and the application sends notifications only when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

134 | Emergency Access Management | 4003 | Retrieve Change Log | YES

If set to YES then the application fetches the Change Log when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

(See also parameter 4002.)

Note: Plug-in system must have the O/S time and R/3 time zone matched for the logs to be properly collected. This is because STAD stores the logs in O/S files.

135 | Emergency Access Management | 4004 | Retrieve System Log | YES

If set to YES then the application fetches the System Log (debug changes) when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

(See also parameter 4002.)

136 | Emergency Access Management | 4005 | Retrieve Audit Log | YES

If set to YES then the application fetches the audit (security) logs when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Note: You can activate Audit Logs using the transaction SM19.

(See also parameter 4002.)

137 | Emergency Access Management | 4006 | Retrieve O/S Command Log | YES

If set to YES then the application fetches the O/S Command Log when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S Command Log tracks information when O/S commands (SM49) are created, changed, or executed.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

(See also parameter 4002.)


138 | Emergency Access Management | 4007 | Send Log Report Execution Notification Immediately | YES

The application can send log reports to controllers. The application sends the notifications as e-mails or workflow items based on the configuration of the controllers. (See figure below.)

Set the value to YES and the application sends notifications when the user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.

The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Set the value to NO and the application only collects the logs when the user chooses the Update Firefighter Log button or runs the GRAC_SPM_LOG_SYNC_UPDATE program. The application sends the e-mail notifications when the GRAC_SPM_WORKFLOW_SYNC program is run.

139 | Emergency Access Management | 4008 | Send FirefightID Logon Notification | YES

Set to YES and the application sends notification to the controller whenever a Firefighter logs onto a system.

140 | Emergency Access Management | 4009 | Log Report Execution Notification | YES

Set to YES and the application sends notification to the controller when a user runs a log report.

141 | Emergency Access Management | 4010 | Firefighter ID Role Name | ZSAP_GRAC_SMP_FFID

Enter the name of the role assigned to the Firefighter ID in the target systems. This identifies to the application that the user who is logging on to the target system is a Firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them.

142 | Access Request Business Role | 4011 | Allow deletion of technical roles if part of business role | YES

Business roles are logical roles that exist only in the access control application. They allow you to create relationships with multiple technical roles, thereby granting the authorizations from multiple roles by assigning a single business role.

Use this parameter to set whether to allow the deletion of technical roles if they are assigned to a user as part of business role.

Set the value to No to prohibit the deletion of such technical roles. The application displays an error message: Role TechRole01 cannot be deleted; it is part of BusinessRole_AB.

Set the value to Yes to allow the application to delete the technical roles.


143 | Emergency Access Management | 4012 | Default users for forwarding the Audit Log workflow | 2

Configuration parameter 4012 is used to restrict the users to whom the EAM log workflow can be forwarded.

If it is set to 1 then workflow can be forwarded to any user who is assigned the Role SAP_GRC_FN_BUSINESS_USER in the GRC system.

If it is set to 2 then it can only be forwarded to users who are designated as controllers in owner administration.

144 | Emergency Access Management | 4013 | Firefighter ID owner can submit request for Firefighter ID owned | YES

The available values are Yes and No.

Based on the parameter value the firefighter ID owner can submit request for himself (Yes) or not (No).

145 | Emergency Access Management | 4014 | Firefighter ID controller can submit request for Firefighter ID controller | YES

The available values are Yes and No.

Based on the parameter value the firefighter ID controller can submit request for himself (Yes) or not (No).

146 | Emergency Access Management | 4015 | Enable decentralized firefighting | NO

The available values are Yes and No.

Based on the parameter value, you can enable the EAM Launchpad on non-GRC systems (Yes) or not (No).

147 | Emergency Access Management | 4017 | Enable CUP request not to be shown in Firefighter - Firefighter ID/Role assignment screen | YES

Firefighter ID is requested to be assigned to the Firefighter User through Access Request. However, after Access Request provisioning (formerly CUP), the request number is not populating in the description field of the Firefighter User.

See SAP Note 1840064 for more information. If your Support Pack is less than SP13, then apply the note and its prerequisites.

148 | Access Request Business Role | 4019 | Do not copy manual role assignment changes during repository sync. | NO

This parameter controls the behavior of repository sync job.

If you want manual role or profile changes that are done in SU01 or SU10 to be synchronized to the GRC box, set the parameter to NO.

If you do not want manual role or profile changes to be synchronized to the GRC repository, set the parameter to YES.

Background

Prior to implementing SAP Note 1874160 or SP13 of GRCFND_A V1000, problems with the repository synchronization caused inconsistencies and data loss in existing assignments related to business roles. SAP Note 1874160 introduced configuration parameter 4019 that is used to control the behavior of the synchronization job and prevent the loss of existing assignment data if you are using business roles.

See SAP Note 1874160 for more information.

149 | Access Request Validations | 5021 | Validate the manager ID for the specified user ID | YES

The application allows you to choose whether or not to validate the manager ID against the specified user ID when submitting an access request. The application takes the value from the Manager field on the Access Request > User Details page, and checks it against the information from table USR01 in the current system.

Set the value to Yes to enable the validation.

Set the value to No to disable the validation.


150

Access Request Validations 5022 Consider the password change in access request YES

On the Access Request screen, users can change their account information including their password. When the request is created and approved, the application sends a notification e-mail to the user. Set the value to YES to include the generated password in the notification.

Set the value to NO and the application does not include the generated password in the notification.

151

Access Request Validations 5023 Consider details from multiple datasources for missing user details in access requests NO

Set the value to NO and on creation of an access request, the application pulls the user details from the first connector (data source) for which the user exists. It does not check if the user exists in any additional connectors.

Set the value to YES and on creation of an access request, the application goes through all available datasources and pulls data for the user on all datasources for which the user exists. For example, if the application finds only partial data for the user on the first datasource, it continues to retrieve data from subsequent datasources until either there are no more datasources or the data for the user is complete.
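The following Python sketch models the two settings of parameter 5023 as described above, so the difference in the resulting user details can be seen side by side. It is an added illustration, not SAP code: the connector names, the required-field list, the sample user data, and the rule that a value from an earlier datasource is kept are all assumptions.

```python
# Model of parameter 5023 (added illustration, not SAP code).
# Assumed for this example: the required-field list, the connector names,
# and the sample user data below (all constructed).
REQUIRED_FIELDS = ("first_name", "last_name", "email", "manager")

DATASOURCES = [  # connectors in search order: (name, {user ID: details})
    ("HR_SYSTEM", {"JDOE": {"first_name": "Jane", "last_name": "Doe"}}),
    ("LDAP", {"JDOE": {"email": "jdoe@example.com", "manager": ""}}),
    ("ERP_PROD", {"JDOE": {"manager": "MBROWN"}, "ASMITH": {"first_name": "Al"}}),
]


def resolve_user_details(user_id, datasources, consider_multiple):
    """Return (details, sources_read, missing_fields) for one user.

    consider_multiple=False models NO: read only the first datasource
    on which the user exists.
    consider_multiple=True models YES: keep reading datasources until
    every required field is filled or no datasources remain.
    Assumption: a field filled by an earlier datasource is not overwritten.
    """
    details, sources_read = {}, []
    for name, users in datasources:
        record = users.get(user_id)
        if record is None:
            continue  # user does not exist on this connector
        sources_read.append(name)
        for field, value in record.items():
            if value and not details.get(field):
                details[field] = value
        if not consider_multiple:
            break  # NO: stop at the first connector that knows the user
        if all(details.get(f) for f in REQUIRED_FIELDS):
            break  # YES: data complete, no need to read further
    missing = [f for f in REQUIRED_FIELDS if not details.get(f)]
    return details, sources_read, missing


if __name__ == "__main__":
    for setting in (False, True):
        print("5023 =", "YES" if setting else "NO",
              resolve_user_details("JDOE", DATASOURCES, setting))
```

With NO, the request for JDOE is created without an e-mail address or manager; with YES, both are filled from the later connectors.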

152

Access Request Validation 5024 Enable in-line editing for User group and Parameter in Access request. NO

This parameter applies to the Access Request screen. It enables you to choose whether or not users may freely enter values on the User Group and Parameter tabs or whether they must choose from predetermined values.

Set the value to Yes to allow users to enter any value on the screen. Set the value to No to force users to choose from predetermined values.


2. Copyright

© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and XCode are registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are registered trademarks of Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updated, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik, and Android are trademarks or registered trademarks of Google Inc.

Intermec is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.


Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

Crossgate, m@gic, EDDY, B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies.

Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

