Section 3 Step 4
Check Rules
Run the NWBC and check that the rules are loaded.
The Web browser launches.
58
Check that the Access Risks, Functions, and Rule Set exists. See next three screens.
59 Check that the Access Risks exist.
Check that the Functions exist.
60 Check that the Rule Set exists. What is the Rule Set Name?
If any of the above screens are empty, contact the instructor in the room immediately! This needs to be correct before proceeding.
61
Steps Steps to be performed
Section 3 Step 5
Sync Jobs
We need to run the Synchronization jobs to get the user, role, profile, and authorizations data from the source systems. In our case, the source system is also the same GRC system. This is fine for learning purposes, such as this training. We run two jobs.
In IMG go to Access Control Synchronization Jobs and run Authorization Synch (program GRAC_PFCG_AUTHORIZATION_SYNC). It is recommended you run it in the background, but we will run it in foreground during this lab exercise. This program contains three jobs: Org. Value sync, Transaction Sync, and Objects sync.
1st Job to run = Authorization Data Synchronization
62
Fill in the Connector name and click Execute. We run this in the foreground.
NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and SE38 to create the varients to store the values in the fields so they can be used over and over again.
The result screen comes up in about three to five minutes. It should not take that long for these systems.
Note: Larger ERP systems may take 30-40 minutes to run. That is why background processing is usually preferred.
(Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)
63
In the same path go to Repository Object Synch (program GRAC_REPOSITORY_OBJECT_SYNC).
Be sure to select the Full Sync Mode.
This job runs in one to three minutes.
NOTE: On larger systems with many users and roles, this job may take 10-20 minutes to run.
64
NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and SE38 to create the varients to store the values in the fields so they can be used over and over again. Usually a full sync is done weekly and an incremental sync is done daily. More frequent jobs can be scheduled to allow new users and roles to be used in the GRC analysis jobs, reports, and ad-hoc analysis.
(Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200) Completed job output above.
65
Steps Steps to be performed
Section 3 Step 6
Run Risk Analysis
Now you should be able to run a risk analysis. Go to Access Management Workcenter and run a User Level Risk Risk Analysis on a specific user.
Let’s test this. Go to the main menu of the system and run the NWBC transaction.
Run the NWBC again.
In the NWBC Browser window, Click the Access Management sub-menu.
66
Run the User Level anaylsis first. Use system GRDCLNT200 and user GRCTRAIN1. Fill out as shown below. Use the minus button to remove unwanted items from the query screen.
Fill in the screen. Run in foreground. Check the settings carefully.
67 View the results. Example below:
68
Run the same Risk Analysis – User Level, change the Report Options for REMEDIATION VIEW only.
69
After choosing Remediatation view, it will look like the above. It may take longer to come up.
(Note – screen above shows system GRDCLNT100 in this example, your screen will be actual system GRDCLNT200)
70
Perform the same steps for the Role Level analysis. Use role SAP_GRC_SPC_SETUP for this analysis test.
71 Results of ROLE analysis above.
72
Steps Steps to be performed
Section 3 Step 7
Setup Parallel Jobs
Set up Parallel Jobs capability. This is in preparation of running the full batch risk analysis.
Run RZ12 transaction (not in the IMG menu). Check if the Login Group parallel_generators exists. If so, verify the settings as shown below. Otherwise, click the white paper icon to create the group assignment. The name must be “parallel_generators” to be used in the applications.
73
Click Save. A message will appear at bottom in yellow. You must press enter to save and get past this screen! INGORE WARNING and press enter to save it.
Go in and check the entry again to make sure it saved.
74
Steps Steps to be performed
Section 3
To run the Full Batch Risk Analysis, go into the SPRO transaction again and click on the Execute Batch Risk Analysis menu item.
Fill out the screen as shown and execute the job. It will take about 10-15 minutes to complete it. You will monitor the job during this time. After running this job, move immediately to the next step on how to monitor the job.
NOTE: It is possible to also run using a transaction GRAC_BATCH_RA (or program GRAC_BATCH_RISK_ANALYSIS) as an alternative.
75 Fill out the Batch Risk Analysis screen as shown above and execute it.
76
Steps Steps to be performed
Section 3
Monitoring the Batch Risk Analysis.
Using SPRO (IMG) go to the menu Access Risk Analysis and run Monitor Batch Risk Analysis.
Change the dates so the start date is one day earlier. We have noticed some time issues with the system time not matching the time in Vegas. With time out of sync, you may miss picking up the jobs in the search. Making the date range larger will help to pick up the jobs.
77
Note: You can monitor the batch risk analysis job with transaction GRACRABATCH_MONITOR.
Click the box in front of the job row and click Show Details. Drill into the details to see the detailed status.
78 You can see what is going on while it is running.
For large systems, this job can take a long time.
79
Check that the job is using parallel processes. Use transaction SM50 while the job is executing in the background to see the two batch work processes running the job. Below is SM50 screen.
80
81
Steps Steps to be performed
Section 3 Step 10
View Dash Boards
View the Risk Analysis dashboards. The data in the dashboards are only visible after running the batch risk analysis jobs.
In the NWBC screen, go to the Reports and Analytics menu. We will run the Risk Violations, User Analysis, and Role Analysis dashboards. These pop up in another window. Run each one, one at a time. See below screens for examples.
82
The Risk Violations screen is interactive. You can click into the pie chart or bar chart items to see the detail below them. Try this for both the pie chart HIGH and MEDIUM and BS00 in the bar chart. Be sure to drill down in the next screens that open. Check out the details. Try changing the Analysis Type from User to Role.
83 Check the User Analysis dashboard too. Explore the details.
84
Find the GRC roles in the Role Analysis dashboard. They begin with SAP_GRC.
The data in the dashboards is based on the Batch Risk Analysis job. This job needs to be scheduled nightly to get the data updated.
85
Steps Steps to be performed
Section 3 Step 11
SLG1 Appl Errors
Check the Application logs for errors. Run transaction SLG1 in the GRD system. Fill the screens as shown below and execute.
86
See examples of log output below. This is a very useful tool for GRC applications when problems are occurring.
87